Hello Team,
We are in testing phase of ELK 7.4.0. Our architecture is Filebeat->Logstash->Elasticserach->Kibana.
We have used system module of filebeat with logstash pipeline for parsingand getting the logs on kibana dashboard as well as syslog logs are available over syslog dashboard.
We created a user on our filebeat machine and get the logs for same in auth.log which is visible in kibana dashboard also under /var/log/auth.log.
But auth.log are not avialable over SSH Login filebeat dashboard.
But when i checked New users and groups filebeat dashboard its not showing any information.
Even we are not found any field under Discover->Filebeat index data which show any new user is created. But full logs is available for new user created as shown below:
message Oct 15 15:22:29 elkclient useradd[3453]: new user: name=tek, UID=1001, GID=1001, home=/home/tek, shell=/bin/bash
I am expecting when a new user add a filed should be there system.auth.useradd but its not available.
Earlier in version 6.4.0 when we used Logstash pipeline for parsing without Filebeat module
we are getting below fields on the dashboard:
But now we are not getting any such fileds. Logs are showing over kibana that logs are coming via filebeat module because we are getting filed like event.dataset: system and event.module: system etc.
We checked the New users and groups ECS Dashboard also but no data is there.
Can you please help me how we can get this data in dashboard so we can easily track if any new user or group is created on any machine.
Any help will be appreciated.
Thanks.