Hi,
I’m trying to collect package installation/removal events using the system_audit.package stream on Rocky Linux 9.6.
I’m running Elastic Agent 9.1.3 (elastic-agent-complete) in a Podman container.
image: ``docker.elastic.co/elastic-agent/elastic-agent-complete:9.1.3
I am using Kibana System Audit Integration v1.11.0.
A relevant part of my elastic-agent.yml input configuration looks like this:
- id: system_audit-audit/system
type: audit/system
streams:
- id: audit/system-system_audit.package
type: audit/system
data_stream:
dataset: system_audit.package
type: logs
datasets:
- package
period: 2m
state.period: 12h
tags:
- audit-system-package
processors:
- add_host_metadata: null
The Elastic Agent container is running via Podman with the following mounts:
- /etc/machine-id:/hostfs/etc/machine-id:ro
- /var/lib/rpm:/hostfs/var/lib/rpm:ro
- /var/lib/dnf:/hostfs/var/lib/dnf:ro
- /var/log/dnf.log:/hostfs/var/log/dnf.log:ro,z
- /var/log/dnf.rpm.log:/hostfs/var/log/dnf.rpm.log:ro,z
In Kibana, I can see the following:
Test sequence (waited >15 min; period: 2m):
dnf install -y telnet vim
dnf remove -y telnet vim
dnf install -y telnet vim
The Elastic Agent logs show no errors — everything looks normal, but no package install/remove events are being collected.
I verified all DNF/RPM mounts inside the Elastic Agent container:
podman exec -it elastic-agent bash -lc '
echo "=== /etc/machine-id ===" &&
cat /hostfs/etc/machine-id 2>/dev/null || echo "missing or unreadable"
echo -e "\n=== /var/lib/rpm ===" &&
ls -lh /hostfs/var/lib/rpm || echo "missing"
echo -e "\n=== /var/lib/dnf ===" &&
ls -lh /hostfs/var/lib/dnf || echo "missing"
echo -e "\n=== /var/log/dnf.log ===" &&
tail -n 5 /hostfs/var/log/dnf.log 2>/dev/null || echo "missing"
echo -e "\n=== /var/log/dnf.rpm.log ===" &&
tail -n 5 /hostfs/var/log/dnf.rpm.log 2>/dev/null || echo "missing"
There is output:
=== /etc/machine-id ===
e8ae9f280dd64481a75b6ae279c36f8c
=== /var/lib/rpm ===
total 86M
-rw-r--r--. 1 root root 86M Nov 7 11:21 rpmdb.sqlite
-rw-r--r--. 1 root root 32K Nov 7 11:44 rpmdb.sqlite-shm
-rw-r--r--. 1 root root 0 Nov 7 11:21 rpmdb.sqlite-wal
=== /var/lib/dnf ===
total 4.4M
-rw-r--r--. 1 root root 380K Nov 7 11:21 history.sqlite
-rw-r--r--. 1 root root 32K Nov 7 11:21 history.sqlite-shm
-rw-r--r--. 1 root root 4.0M Nov 7 11:21 history.sqlite-wal
drwxr-xr-x. 7 root root 4.0K Sep 1 11:25 repos
=== /var/log/dnf.log ===
2025-11-07T12:44:33+0100 DEBUG cachedir: /var/cache/dnf
2025-11-07T12:44:33+0100 CRITICAL No such command: %{_dbpath}. Please use /usr/bin/dnf --help
2025-11-07T12:44:33+0100 CRITICAL It could be a DNF plugin command, try: "dnf install 'dnf-command(%{_dbpath})'"
2025-11-07T12:44:33+0100 DDEBUG Cleaning up.
2025-11-07T12:44:33+0100 DDEBUG Plugins were unloaded.
=== /var/log/dnf.rpm.log ===
2025-11-07T12:21:02+0100 INFO --- logging initialized ---
2025-11-07T12:21:07+0100 INFO --- logging initialized ---
2025-11-07T12:21:22+0100 SUBDEBUG Installed: telnet-1:0.17-85.el9.x86_64
2025-11-07T12:41:06+0100 INFO --- logging initialized ---
2025-11-07T12:44:33+0100 INFO --- logging initialized ---
Question:
I don’t see any DNF install/remove events — does the system_audit.package stream actually support collecting them on Rocky Linux 9.6, or does it only report the current package state?