File and kernel metricsets does not work together

zozo6015 · November 16, 2017, 10:38pm

Hello,

I am trying to setup auditbeat to monitor both logins to the systems and filechanges but if I enable the file metricset the kernel one stop sending data into elasticsearch.

I have the following configuration:

auditbeat.modules:

- module: audit
  metricsets: [kernel]
  kernel.audit_rules: |
    -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
    -w /etc/group -p wa -k identity
    -w /etc/passwd -p wa -k identity
    -w /etc/gshadow -p wa -k identity
    -w /etc/shadow -p wa -k identity
 
  module: audit
  metricsets: [file]
  file.paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
  file.max_file_size: 100 MiB
  file.hash_types: [sha1]

I really hope this is a configuration issue while I am aware that it is not yet a stable version.

Thanks in advance.

Christian_Dahlqvist · November 17, 2017, 7:39am

I think you are missing - in front of the second module declaration, as shown in this example.

zozo6015 · November 17, 2017, 2:33pm

Right, tanks.