Using Auditbeat, how can I write the audit logs to the local disk (for internal company requirements) and to Logstash? Currently I get an error message that only one output is allowed, i.e. either local or Logstash. The dashboards and message-parsing flexibility are not available in Kibana when using Filebeat for audit logs.
All of the Beats support configuring a single output.
If you are on a kernel that supports multicast, then one option that might meet your requirement would be to use auditd to simply write the audit logs to disk. Then run Auditbeat alongside it to receive the multicast broadcast of the messages and forward them to ES. Read the socket_type docs here for details.
Thanks Andrew Kroh for your response. Kernel ver: 3.10, CentOS 6.9. I explicitly defined socket_type: multicast in the .yml file, and Auditbeat still returns the error below on startup.
Do I need a subscription/license to use this multicast option?
===================
2019-01-19T11:48:10.239+0800 INFO instance/beat.go:278 Setup Beat: auditbeat; Version: 6.5.1
2019-01-19T11:48:13.244+0800 INFO add_cloud_metadata/add_cloud_metadata.go:319 add_cloud_metadata: hosting provider type not detected.
2019-01-19T11:48:13.245+0800 INFO [publisher] pipeline/module.go:110 Beat name: e9.test.com
2019-01-19T11:48:13.245+0800 INFO [auditd] auditd/audit_linux.go:104 auditd module is running as euid=0 on kernel=3.10.0-957.el7.x86_64
2019-01-19T11:48:13.245+0800 ERROR [auditd] auditd/audit_linux.go:810 socket_type is set to multicast but based on the kernel version, multicast audit subscriptions are not supported. Remove the socket_type option to have auditbeat select the most suitable subscription method.
2019-01-19T11:48:13.246+0800 INFO instance/beat.go:357 auditbeat stopped.
2019-01-19T11:48:13.246+0800 ERROR instance/beat.go:800 Exiting: 1 error: 1 error: failed to create audit client: multicast socket_type not available
Exiting: 1 error: 1 error: failed to create audit client: multicast socket_type not available
From GitHub, I see the source code trying to validate 3 conditions, and I believe 2 conditions are met; one condition I am not sure how to check. The first condition ..
To check that, you can use the `auditbeat show auditd-status` command to make Auditbeat list the kernel status info, which contains the enabled state (0=disabled, 1=enabled, 2=locked).
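An added example, not code from this thread and not Elastic's: a small POSIX sh preflight that ties together the two points above, Andrew's suggestion of leaving auditd to write the log file while Auditbeat subscribes in multicast mode, and the status check that `auditbeat show auditd-status` gives you. Two things in it are my assumptions rather than facts stated in the thread: that the kernel's multicast audit group exists from Linux 3.16 onward (to my knowledge the version Auditbeat tests for, which matches the 3.10 kernel being rejected), and that `auditbeat show auditd-status` prints `key value` lines in the same layout as `auditctl -s`. `SAMPLE_STATUS` is constructed text in that shape with a non-zero `pid`, i.e. auditd already holds the audit socket, and `logstash.example.com:5044` is a placeholder host.

```shell
#!/bin/sh
# Added example (not from this thread, not Elastic's code): preflight for
# running Auditbeat's auditd module in multicast mode next to auditd, so that
# auditd keeps writing /var/log/audit/audit.log and Auditbeat only forwards.
#
# Assumptions (mine, not stated in the thread):
#  - the kernel multicast audit group exists from Linux 3.16 on, so that is
#    the version threshold tested here;
#  - `auditbeat show auditd-status` prints "key value" lines laid out like
#    `auditctl -s`; SAMPLE_STATUS below is constructed text in that shape.

MULTICAST_MIN_MAJOR=3
MULTICAST_MIN_MINOR=16

# kernel_supports_multicast RELEASE   (RELEASE as printed by `uname -r`)
# Returns 0 when major.minor >= 3.16, 1 when older, 2 when unparseable.
kernel_supports_multicast() {
    ksm_release=$1
    ksm_major=${ksm_release%%.*}
    ksm_rest=${ksm_release#*.}
    ksm_minor=${ksm_rest%%[!0-9]*}
    case "$ksm_major" in ''|*[!0-9]*) return 2 ;; esac
    case "$ksm_minor" in ''|*[!0-9]*) return 2 ;; esac
    if [ "$ksm_major" -gt "$MULTICAST_MIN_MAJOR" ]; then return 0; fi
    if [ "$ksm_major" -lt "$MULTICAST_MIN_MAJOR" ]; then return 1; fi
    [ "$ksm_minor" -ge "$MULTICAST_MIN_MINOR" ]
}

# choose_socket_type RELEASE STATUS_TEXT
# Prints the socket_type Auditbeat can use while auditd keeps its log file:
#   unicast    no process holds the audit socket (pid 0), Auditbeat may own it
#   multicast  auditd is registered and the kernel is new enough to share
#   none       auditd is registered but the kernel is too old (exit status 1)
choose_socket_type() {
    cst_release=$1
    cst_status=$2
    cst_pid=$(printf '%s\n' "$cst_status" | awk '$1 == "pid" { print $2 }')
    cst_enabled=$(printf '%s\n' "$cst_status" | awk '$1 == "enabled" { print $2 }')
    if [ "${cst_enabled:-0}" -eq 2 ]; then
        # enabled=2: the audit configuration is locked (immutable) until reboot,
        # so neither auditd nor Auditbeat can change rules from now on.
        echo "warning: audit configuration is locked (enabled=2)" >&2
    fi
    if [ "${cst_pid:-0}" -eq 0 ]; then
        echo unicast
        return 0
    fi
    if kernel_supports_multicast "$cst_release"; then
        echo multicast
        return 0
    fi
    echo none
    return 1
}

# render_config SOCKET_TYPE LOGSTASH_HOST
# Minimal auditbeat.yml for the setup in the thread. Rules stay in auditd's
# /etc/audit/rules.d; Auditbeat only subscribes and ships to Logstash.
render_config() {
    cat <<EOF
auditbeat.modules:
- module: auditd
  socket_type: $1
output.logstash:
  hosts: ["$2"]
EOF
}

# Constructed sample of `auditbeat show auditd-status` output (assumed layout).
SAMPLE_STATUS='enabled 1
failure 1
pid 1234
rate_limit 0
backlog_limit 8192
lost 0
backlog 0'

# Demo with the kernel release from the thread's log and the sample status.
demo_release="3.10.0-957.el7.x86_64"
demo_choice=$(choose_socket_type "$demo_release" "$SAMPLE_STATUS") || true
printf 'kernel %s with auditd registered -> socket_type=%s\n' "$demo_release" "$demo_choice"
if [ "$demo_choice" != none ]; then
    render_config "$demo_choice" "logstash.example.com:5044"
fi
```

On the thread's 3.10 kernel with auditd registered the script prints `socket_type=none`, which is the same conclusion the Beat reached in the log above: with that kernel you cannot have auditd keep the file and Auditbeat subscribe at the same time. On a 3.16 or newer kernel it prints `multicast` and a config you can drop into auditbeat.yml.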
I just noticed your other GitHub ticket (#8382) on this same issue and tried the suggestions as well,
but it is not working for my case. To meet internal compliance I need to store the audit logs on local servers as well.