Filebeat module to see system logins

I have to keep track of system logins with filebeat. Filebeat has a default dashboard called [Filebeat System] SSH login attempts ECS which seems perfect. So to use that, I went to one of the machines, stopped filebeat, ran filebeat modules enable system, and then started filebeat again.

The only problem is that I can't see the data in the dashboard, it's empty, even though other data from that machine is visible in kibana. The flow is remote-machine > logstash > ES < kibana. If it matters, this is my logstash config.

Does anyone happen to know why it's not showing up?

Thanks ahead.

EDIT: Found this in logstash log:

[2020-11-16T15:28:40,864][WARN ][logstash.outputs.elasticsearch][main][273fbeeaf4d005660ef3730f09d3f76b92894ab8b1d7f2e60e9468d752981a3a] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"filebeat-7.9.0-2020.11.16", :routing=>nil, :_type=>"_doc", :pipeline=>"filebeat-7.9.0-system-auth-pipeline"}, #<LogStash::Event:0x31949971>], :response=>{"index"=>{"_index"=>"filebeat-7.9.0-2020.11.16", "_type"=>"_doc", "_id"=>nil, "status"=>400, "error"=>{"type"=>"illegal_argument_exception", "reason"=>"pipeline with id [filebeat-7.9.0-system-auth-pipeline] does not exist"}}}}

What is your machine OS? because the system module is not supported on windows. accourding to filebeat docs:

This module is not available for Windows.

Thanks for the response,

It's CentOS 7

So why don't you use auditbeat? I'm not sure but I think it supports system logins.
There's also auditd module for filebeat.

Thanks for the response.

I'm testing it now on a CentOS 7 machine, if I get that to work, I'll test on a CentOS 5 machine which can only run filebeat (auditbeat is not working on CentOS 5). I'm just not quite sure what to enable with auditd to see the same data.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.