"existing_package" spam


Earlier today from the server I'm testing Auditbeat on, I got a spam of several hundred "existing_package" events. (For reference, RHEL)
I get the exact same spam every day.

Considering it was around 5AM, I don't think anyone was working on that server, at the time.
So, what could cause this spam?

I don't see any automatic update mechanism active... Though maybe it's one I don't know about?
Or is this just normal?...

Additional information:

  • Auditbeat version: 7.2.0 (ELK version)
  • event.action: "existing_package"
  • event.dataset: "package"
  • event.kind: "state"
  • event.module: "system"
  • (Example) message: "Package selinux-policy (3.13.1) is already installed"
  • service.type: "system"

ServerFault post: redhat - RHEL Auditbeat - "existing_package" spam - Server Fault

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.