How to log failure of start/stop of a service?

I want to track whether a normal user attempted to run a service. The command for starting/stopping service is given as below:

service filebeat start

I wrote an auditd rule like below in Auditbeat's auditd rules section

-w /usr/sbin/service -p warx -k service_attempt

For each time I start/stop the service, it is logging the tag (service_attempt), but the audit is not failing. Because of this I am not able to differentiate between a successful attempt and an unsuccessful attempt to start/stop a service.

A sample document for the start operation is given as below:
The below document was generated when a normal user with no sudo permissions, attempted the above command to start a service

        "_index": "auditbeat-6.5.4-2019.03.01",
        "_type": "doc",
        "_id": "AWk5O1GeBD5hM625ACu_",
        "_score": null,
        "_source": {
          "process": {
            "cwd": "/home/jenkins",
            "exe": "/bin/dash",
            "name": "service",
            "pid": "97353",
            "title": "/bin/sh /usr/sbin/service filebeat start",
            "ppid": "97121"
          "auditd": {
            "summary": {
              "actor": {
                "secondary": "test-user-arun-03",
                "primary": "jenkins"
              "how": "/bin/dash",
              "object": {
                "type": "file",
                "primary": "/usr/sbin/service"
            "result": "success",
            "sequence": 17078666,
            "data": {
              "a1": "0",
              "exit": "3",
              "syscall": "open",
              "a2": "7fff2afd77c0",
              "a3": "1f8",
              "tty": "pts1",
              "arch": "x86_64",
              "a0": "7fff2afd77c0"
            "session": "146204",
            "paths": [
                "item": "0",
                "nametype": "NORMAL",
                "ogid": "0",
                "cap_fi": "0000000000000000",
                "cap_fp": "0000000000000000",
                "cap_fver": "0",
                "mode": "0100755",
                "inode": "23890",
                "dev": "08:01",
                "ouid": "0",
                "rdev": "00:00",
                "cap_fe": "0",
                "name": "/usr/sbin/service"
            "messages": [
              """type=SYSCALL msg=audit(1551443326.760:17078666): arch=c000003e syscall=2 success=yes exit=3 a0=7fff2afd77c0 a1=0 a2=7fff2afd77c0 a3=1f8 items=1 ppid=97121 pid=97353 auid=1000 uid=1002 gid=1002 euid=1002 suid=1002 fsuid=1002 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=146204 comm="service" exe="/bin/dash" key="service_attempt"""",
              """type=CWD msg=audit(1551443326.760:17078666): cwd="/home/jenkins"""",
              """type=PATH msg=audit(1551443326.760:17078666): item=0 name="/usr/sbin/service" inode=23890 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0""",
              "type=PROCTITLE msg=audit(1551443326.760:17078666): proctitle=2F62696E2F7368002F7573722F7362696E2F736572766963650066696C6562656174007374617274"
          "osName": "ubuntu",
          "tags": [
          "osCategory": "linux",
          "@timestamp": "2019-03-01T12:28:46.760Z",
          "file": {
            "owner": "root",
            "inode": "23890",
            "mode": "0755",
            "path": "/usr/sbin/service",
            "uid": "0",
            "gid": "0",
            "device": "00:00",
            "group": "root"
          "osVersion": 16,
          "beatName": "auditbeat",
          "@version": "1",
          "host": {
            "name": "k8s-master-14290583-0"
          "beat": {
            "name": "k8s-master-14290583-0",
            "hostname": "k8s-master-14290583-0",
            "version": "6.5.4"
          "event": {
            "action": "opened-file",
            "category": "audit-rule",
            "type": "syscall",
            "module": "auditd"
          "user": {
            "fsuid": "1002",
            "uid": "1002",
            "name_map": {
              "fsuid": "test-user-arun-03",
              "uid": "test-user-arun-03",
              "auid": "jenkins",
              "egid": "test-user-arun-03",
              "gid": "test-user-arun-03",
              "euid": "test-user-arun-03",
              "fsgid": "test-user-arun-03",
              "sgid": "test-user-arun-03",
              "suid": "test-user-arun-03"
            "egid": "1002",
            "auid": "1000",
            "gid": "1002",
            "euid": "1002",
            "fsgid": "1002",
            "sgid": "1002",
            "suid": "1002"
          "device": [
        "sort": [

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.