Time host.hostname user.name event.outcome message
Jul 31, 2020 @ 23:27:13.465 - mainalih - Logout by user mainalih (UID: 832203832) on pts/1 (PID: 17481) from 1x.2xx.xx.xx (IP: 1x.2xx.xx.xx)
Jul 31, 2020 @ 23:27:13.465 - mainalih - Logout by user mainalih (UID: 832203832) on pts/1 (PID: 17481) from 1x.2xx.xx.xx (IP: 1x.2xx.xx.xx)
Jul 31, 2020 @ 23:27:13.465 - mainalih - Logout by user mainalih (UID: 832203832) on pts/1 (PID: 17481) from 1x.2xx.xx.xx (IP: 1x.2xx.xx.xx)
Jul 31, 2020 @ 23:27:13.465 - mainalih - Logout by user mainalih (UID: 832203832) on pts/1 (PID: 17481) from 1x.2xx.xx.xx (IP: 1x.2xx.xx.xx)
Jul 31, 2020 @ 23:27:13.465 - mainalih - Logout by user mainalih (UID: 832203832) on pts/1 (PID: 17481) from 1x.2xx.xx.xx (IP: 1x.2xx.xx.xx)
Jul 31, 2020 @ 23:27:13.465 - mainalih - Logout by user mainalih (UID: 832203832) on pts/1 (PID: 17481) from 1x.2xx.xx.xx (IP: 1x.2xx.xx.xx)
Jul 31, 2020 @ 23:27:13.465 - mainalih - Logout by user mainalih (UID: 832203832) on pts/1 (PID: 17481) from 1x.2xx.xx.xx (IP: 1x.2xx.xx.xx)
Jul 31, 2020 @ 23:27:13.465 - mainalih - Logout by user mainalih (UID: 832203832) on pts/1 (PID: 17481) from 1x.2xx.xx.xx (IP: 1x.2xx.xx.xx)
Jul 31, 2020 @ 23:27:13.465 - mainalih - Logout by user mainalih (UID: 832203832) on pts/1 (PID: 17481) from 1x.2xx.xx.xx (IP: 1x.2xx.xx.xx)
Jul 31, 2020 @ 23:27:13.465 - mainalih - Logout by user mainalih (UID: 832203832) on pts/1 (PID: 17481) from 1x.2xx.xx.xx (IP: 1x.2xx.xx.xx)
Jul 31, 2020 @ 23:27:13.465 - mainalih - Logout by user mainalih (UID: 832203832) on pts/1 (PID: 17481) from 1x.2xx.xx.xx (IP: 1x.2xx.xx.xx)
Jul 31, 2020 @ 23:27:13.465 - mainalih - Logout by user mainalih (UID: 832203832) on pts/1 (PID: 17481) from 1x.2xx.xx.xx (IP: 1x.2xx.xx.xx)
Jul 31, 2020 @ 23:27:13.465 - mainalih - Logout by user mainalih (UID: 832203832) on pts/1 (PID: 17481) from 1x.2xx.xx.xx (IP: 1x.2xx.xx.xx)
Jul 31, 2020 @ 23:27:13.465 - mainalih - Logout by user mainalih (UID: 832203832) on pts/1 (PID: 17481) from 1x.2xx.xx.xx (IP: 1x.2xx.xx.xx)
auditbeat.yml
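# Reconstructed from the pasted config: the prose lines that carried no YAML
# syntax are the comments of the stock auditbeat.yml whose leading '#' was lost
# in the paste, and list markers that had been fused onto neighbouring lines
# have been put back.
auditbeat.config.modules:
  # Glob pattern for configuration reloading
  path: ${path.config}/modules.d/*.yml

  # Period on which files under path should be checked for changes
  reload.period: 3m

  # Set to true to enable config reloading
  reload.enabled: false

# Maximum amount of time to randomly delay the start of a dataset. Use 0 to
# disable startup delay.
auditbeat.max_start_delay: 10s

# Average scan rate. This throttles the amount of CPU and I/O that Auditbeat
# (remainder of this comment was cut off in the paste)
# NOTE(review): scan_rate_per_sec is a file_integrity module setting; at the
# top level of auditbeat.yml it is most likely ignored — confirm against the
# reference config and move it under the file_integrity module if intended.
scan_rate_per_sec: 2 MiB

##################################################################
auditbeat.modules:

  - module: auditd
    # Resolve UIDs/GIDs to names in published events.
    resolve_ids: true
    # Kernel behaviour when an audit record cannot be delivered. 'silent'
    # drops the record without any notice, so a saturated backlog goes
    # unseen; 'log' records the loss. Review which trade-off this host wants.
    failure_mode: silent
    # NOTE(review): 8196 is not a power of two — 8192 may have been intended.
    backlog_limit: 8196
    # 0 = no kernel-side rate limiting of audit messages.
    rate_limit: 0
    include_raw_message: false
    include_warnings: false
    # Set to true to publish fields with null values in events.
    keep_null: true
    # Load audit rules from separate files. Same format as audit.rules(7).
    # (The paste listed this key a second time, with the same value, above
    # resolve_ids. A duplicate key is invalid YAML and most parsers silently
    # keep the last occurrence, so only this one is kept.)
    audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
    #audit_rules: |

  - module: file_integrity
    paths:
      - /usr/bin
      - /sbin
      - /usr/sbin
      - /etc
      - /bin
      - /usr/local/lib
      - /usr/local/bin
      - /usr/local/sbin
      - /opt
      - /lib
      - /lib64
      - /usr/lib
      - /usr/lib64
      - /root

  - module: system
    datasets: [host, login]
    period: 5m
    # How often datasets send state updates with the
    # current state of the system (e.g. all currently
    # running processes, all open sockets).
    #state.period: 1h

    # Enabled by default. Auditbeat will read password fields in
    # /etc/passwd and /etc/shadow and store a hash locally to
    # detect any changes.
    user.detect_password_changes: true

    # File patterns of the login record files.
    # NOTE(review): these globs also match rotated copies (e.g. wtmp.1). If a
    # rotated file is re-read, the login dataset can republish records it has
    # already sent — worth checking against the identical logout events shown
    # in the Discover table above.
    login.wtmp_file_pattern: /var/log/wtmp*
    login.btmp_file_pattern: /var/log/btmp*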
#----------------------------- Logstash output --------------------------------
output.logstash: