Filebeat auditd module

Vijayakumar_Kannan · September 11, 2018, 1:52pm

Filebeat auditd module

Enabled the filebeat auditd module but the events are not parsing .

Provided Grok expressions do not match field value: [node=cro04 type=SYSCALL msg=audit(1536673014.739:52297): arch=c000003e syscall=264 success=yes exit=0 a0=ffffffffffffff9c a1=c420074040 a2=ffffffffffffff9c a3=c420074060 items=5 ppid=26177 pid=26188 auid=1037893 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=156 comm=\"filebeat\" exe=\"/usr/share/filebeat/bin/filebeat\" key=\"watch-delete-file\"]

What is the expected patterns then ? None of the patterns recognized in /var/log/audit/audit.log file

pierhugues · September 11, 2018, 2:26pm

What version of Filebeat are you running and which OS/version you are running?

andrewkroh · September 11, 2018, 2:39pm

I think the auditd module does not expect the leading node=X.

It expects to find the logs beginning at type=. With auditd you can control the behavior by setting name_format in your auditd.conf. The default is None IIRC and this causes auditd not to include node=.

Vijayakumar_Kannan · September 12, 2018, 4:58am

Thanks andrew. That's worked . Replaced the name_format=hostname to name_format=none worked.

system · October 10, 2018, 4:59am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat Auditd module: Failed to Parse field [error] of type [keyword] Beats beats-module , filebeat	8	2230	March 11, 2021
Auditd module \| No results found Beats filebeat	2	880	January 17, 2018
Problems with Filebeat's auditd module Beats filebeat	2	557	June 19, 2020
Filebeat module - auditd Beats filebeat	3	1018	July 19, 2018
Filebeat 5.4 module system and audit not work Beats filebeat	8	4414	June 15, 2017

Filebeat auditd module

Filebeat auditd module

Related topics