On RHEL when starting auditbeat I get this errormessage via journalctl -u auditbeat:
WARN [process] process/process.go:234 failed to hash executable /usr/sbin/agetty;5e46b406 (deleted) for PID 1140: failed to stat file /usr/sbin/agetty;5e46b406 (deleted): stat /usr/sbin/agetty;5e46b406 (deleted): no such file or directory
Result is that SIEM module does not detect when I e.g. use "whoami" in bash.
cat /usr/sbin/agetty gives me letters...so it exists.
ps -ef|grep tty
root 1140 1 0 2019 tty1 00:00:00 /sbin/agetty --noclear tty1 linux
so do I need to change some config from /usr/sbin/agetty to /sbin/agetty ?
I don't find "agetty" in auditbeat.yml. Where would I change this?