Filebeat auditd module


(vijay kannan) #1

Filebeat auditd module

Enabled the filebeat auditd module but the events are not parsing .

Provided Grok expressions do not match field value: [node=cro04 type=SYSCALL msg=audit(1536673014.739:52297): arch=c000003e syscall=264 success=yes exit=0 a0=ffffffffffffff9c a1=c420074040 a2=ffffffffffffff9c a3=c420074060 items=5 ppid=26177 pid=26188 auid=1037893 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=156 comm=\"filebeat\" exe=\"/usr/share/filebeat/bin/filebeat\" key=\"watch-delete-file\"]

What is the expected patterns then ? None of the patterns recognized in /var/log/audit/audit.log file


(Pier-Hugues Pellerin) #2

What version of Filebeat are you running and which OS/version you are running?


(Andrew Kroh) #3

I think the auditd module does not expect the leading node=X.

It expects to find the logs beginning at type=. With auditd you can control the behavior by setting name_format in your auditd.conf. The default is None IIRC and this causes auditd not to include node=.


(vijay kannan) #4

Thanks andrew. That's worked . Replaced the name_format=hostname to name_format=none worked.


(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.