While testing Elastic SIEM and different shippers I discovered that both filebeat and elastic agent is not parsing Ubuntu auth log completely, there are some events where user and some other fields not getting populated. I managed to edit filebeat grok configuration to get those fields out, but I’m stuck with event fields, those are not getting populated too, but can’t find anywhere how to add some description for them.
If exactly then Ubuntu gdm auth and some sudo events are those not getting parsed. And because of this no failed authorisations are shown under security, hosts.
Tried to use auditbeat, instead, but have noticed that it’s not logging user switching with sudo (sudo -u), at least not all those events.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.