We have a small Elastic Stack used for security-relevant event collection in a standalone Red Hat Enterprise Linux 7.4 & 7.6 modeling & simulation enclave. The Stack is just four Elasticsearch nodes, a Kibana node, and a Logstash node (everything version 7.3). Events are collected from enclave systems by Auditbeat and shipped to Logstash.
We have a requirement to, if at all possible, configure systems to halt if they are unable to log auditable events, or in this case send those events to a central auditing system (our Elastic Stack). I was thinking configuring a test machine's (RHEL 7.6) Auditbeat's auditd module with "failure_mode: panic" would do so, but I turned off Logstash yesterday afternoon and my test box is still running. I believe the relevant lines from my auditbeat.yml are:
auditbeat.modules: - module: auditd failure_mode: panic backlog_limit: 2 backpressure_strategy: none
The backlog_limit is ridiculously low because I'm deliberately trying to trigger a kernel panic to test, but as noted above so far that hasn't happened. My questions, then:
Can I actually configure Auditbeat 7.3 to panic a RHEL 7.6 kernel and halt the system?
If so, am I on the right track with the configuration settings noted above, or am I missing something?