Each login/logout and failure event is populated 14 times in auditbeat index / dashboard

| Time | host.hostname | user.name | event.outcome | message |
|---|---|---|---|---|
| Jul 31, 2020 @ 23:27:13.465 | - | mainalih | - | Logout by user mainalih (UID: 832203832) on pts/1 (PID: 17481) from 1x.2xx.xx.xx (IP: 1x.2xx.xx.xx) |
| Jul 31, 2020 @ 23:27:13.465 | - | mainalih | - | Logout by user mainalih (UID: 832203832) on pts/1 (PID: 17481) from 1x.2xx.xx.xx (IP: 1x.2xx.xx.xx) |
| Jul 31, 2020 @ 23:27:13.465 | - | mainalih | - | Logout by user mainalih (UID: 832203832) on pts/1 (PID: 17481) from 1x.2xx.xx.xx (IP: 1x.2xx.xx.xx) |
| Jul 31, 2020 @ 23:27:13.465 | - | mainalih | - | Logout by user mainalih (UID: 832203832) on pts/1 (PID: 17481) from 1x.2xx.xx.xx (IP: 1x.2xx.xx.xx) |
| Jul 31, 2020 @ 23:27:13.465 | - | mainalih | - | Logout by user mainalih (UID: 832203832) on pts/1 (PID: 17481) from 1x.2xx.xx.xx (IP: 1x.2xx.xx.xx) |
| Jul 31, 2020 @ 23:27:13.465 | - | mainalih | - | Logout by user mainalih (UID: 832203832) on pts/1 (PID: 17481) from 1x.2xx.xx.xx (IP: 1x.2xx.xx.xx) |
| Jul 31, 2020 @ 23:27:13.465 | - | mainalih | - | Logout by user mainalih (UID: 832203832) on pts/1 (PID: 17481) from 1x.2xx.xx.xx (IP: 1x.2xx.xx.xx) |
| Jul 31, 2020 @ 23:27:13.465 | - | mainalih | - | Logout by user mainalih (UID: 832203832) on pts/1 (PID: 17481) from 1x.2xx.xx.xx (IP: 1x.2xx.xx.xx) |
| Jul 31, 2020 @ 23:27:13.465 | - | mainalih | - | Logout by user mainalih (UID: 832203832) on pts/1 (PID: 17481) from 1x.2xx.xx.xx (IP: 1x.2xx.xx.xx) |
| Jul 31, 2020 @ 23:27:13.465 | - | mainalih | - | Logout by user mainalih (UID: 832203832) on pts/1 (PID: 17481) from 1x.2xx.xx.xx (IP: 1x.2xx.xx.xx) |
| Jul 31, 2020 @ 23:27:13.465 | - | mainalih | - | Logout by user mainalih (UID: 832203832) on pts/1 (PID: 17481) from 1x.2xx.xx.xx (IP: 1x.2xx.xx.xx) |
| Jul 31, 2020 @ 23:27:13.465 | - | mainalih | - | Logout by user mainalih (UID: 832203832) on pts/1 (PID: 17481) from 1x.2xx.xx.xx (IP: 1x.2xx.xx.xx) |
| Jul 31, 2020 @ 23:27:13.465 | - | mainalih | - | Logout by user mainalih (UID: 832203832) on pts/1 (PID: 17481) from 1x.2xx.xx.xx (IP: 1x.2xx.xx.xx) |
| Jul 31, 2020 @ 23:27:13.465 | - | mainalih | - | Logout by user mainalih (UID: 832203832) on pts/1 (PID: 17481) from 1x.2xx.xx.xx (IP: 1x.2xx.xx.xx) |

auditbeat.yml

```yaml
auditbeat.config.modules:

  # Glob pattern for configuration reloading
  path: ${path.config}/modules.d/*.yml

  # Period on which files under path should be checked for changes
  reload.period: 3m

  # Set to true to enable config reloading
  reload.enabled: false

# Maximum amount of time to randomly delay the start of a dataset. Use 0 to
# disable startup delay.
auditbeat.max_start_delay: 10s

# Average scan rate. This throttles the amount of CPU and I/O that Auditbeat
scan_rate_per_sec: 2 MiB
##################################################################
auditbeat.modules:

- module: auditd
  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
  resolve_ids: true
  failure_mode: silent
  backlog_limit: 8196
  rate_limit: 0
  include_raw_message: false
  include_warnings: false

  # Set to true to publish fields with null values in events.
  keep_null: true

  # Load audit rules from separate files. Same format as audit.rules(7).
  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
  #audit_rules: |

- module: file_integrity
  paths:
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
  - /bin
  - /usr/local/lib
  - /usr/local/bin
  - /usr/local/sbin
  - /opt
  - /lib
  - /lib64
  - /usr/lib
  - /usr/lib64
  - /root

- module: system
  datasets: [host,login]
  period: 5m

  # How often datasets send state updates with the
  # current state of the system (e.g. all currently
  # running processes, all open sockets).
  #state.period: 1h

  # Enabled by default. Auditbeat will read password fields in
  # /etc/passwd and /etc/shadow and store a hash locally to
  # detect any changes.
  user.detect_password_changes: true

  # File patterns of the login record files.
  login.wtmp_file_pattern: /var/log/wtmp*
  login.btmp_file_pattern: /var/log/btmp*

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["10.xx.xx.xx:5050"]
```

version used: auditbeat-7.7.0-1.x86_64