Hello,
Not sure what to think of the following auditbeat events originating from our ML node. Decoding the `auditd.data` fields: `arch` c000003e is AUDIT_ARCH_X86_64, `syscall` 25 on that arch is `mremap`, `code` 0x50000 is SECCOMP_RET_ERRNO with errno 0 in the low bits (the call was refused and control returned to the process rather than the process being killed), and `sig` 0 confirms no signal was delivered. The process is `autodetect` running as the `elasticsearch` user, i.e. the Elasticsearch ML native process, which (as far as I understand) installs its own seccomp filter — so this may simply be that sandbox logging a denied `mremap` rather than anything external, but I would like to confirm that reading before tuning these events out:
{
"_index": "auditbeat-7.3.2-2019.10.02",
"_type": "_doc",
"_id": "7H-Di20Bk8gLhUqu1B6e",
"_version": 1,
"_score": null,
"_source": {
"@timestamp": "2019-10-02T08:08:52.221Z",
"service": {
"type": "auditd"
},
"host": {
"containerized": false,
"ip": [
],
"mac": [
],
"architecture": "x86_64",
"os": {
"kernel": "3.10.0-957.27.2.el7.x86_64",
"codename": "Core",
"platform": "centos",
"version": "7 (Core)",
"family": "redhat",
"name": "CentOS Linux"
},
"id": "926dcc530cb84e5f991c17455be1ffac"
},
"agent": {
"version": "7.3.2",
"type": "auditbeat",
},
"ecs": {
"version": "1.0.1"
},
"event": {
"outcome": "unknown",
"module": "auditd",
"category": "dac-decision",
"action": "violated-seccomp-policy"
},
"user": {
"group": {
"id": "992",
"name": "elasticsearch"
},
"selinux": {
"domain": "unconfined_service_t",
"level": "s0",
"role": "system_r",
"user": "system_u"
},
"id": "996",
"name": "elasticsearch"
},
"process": {
"pid": 107132,
"name": "autodetect"
},
"auditd": {
"summary": {
"object": {
"primary": "25",
"type": "process"
},
"how": "autodetect",
"actor": {
"secondary": "elasticsearch",
"primary": "unset"
}
},
"message_type": "seccomp",
"sequence": 7016762,
"result": "unknown",
"data": {
"sig": "0",
"code": "0x50000",
"ip": "0x7fd5bec607ba",
"syscall": "25",
"arch": "c000003e",
"compat": "0"
}
}
}
}
Grtz