Earlier today from the server I'm testing Auditbeat on, I got a spam of several hundred "existing_package" events. (For reference, RHEL)
I get the exact same spam every day.
Considering it was around 5 AM, I don't think anyone was working on that server at the time.
So, what could cause this spam?
I don't see any automatic update mechanism active... Though maybe it's one I don't know about?
Or is this just normal?
- Auditbeat version: 7.2.0 (ELK version)
- event.action: "existing_package"
- event.dataset: "package"
- event.kind: "state"
- event.module: "system"
- (Example) message: "Package selinux-policy (3.13.1) is already installed"
- service.type: "system"
ServerFault post: redhat - RHEL Auditbeat - "existing_package" spam - Server Fault