How to write audit log output to local disk and Logstash


(Rajendran Thanigasalam) #1

Using Auditbeat, how do I write the audit logs to the local disk (for internal company requirements) and to Logstash? Currently I get an error message that only one output is allowed, i.e., either local or Logstash. The dashboards and message-parsing flexibility are not available in Kibana when using Filebeat for audit logs.

Can anyone help !!

Thanks //T.R


(Andrew Kroh) #2

All of the Beats support configuring a single output.

If you are on a kernel that supports multicast, then one option that might meet your requirement would be to use auditd to simply write the audit logs to disk. Then run Auditbeat alongside it to receive the multicast broadcast of the messages and forward them to ES. Read the socket_type docs here for details.


(Rajendran Thanigasalam) #3

Thanks Andrew Kroh, for your response. Kernel version: 3.10, CentOS 6.9. I explicitly defined socket_type: multicast in the .yml file, and still, while starting Auditbeat, it returns the error below.

Do I need to get a subscription/license to use this multicast option?

===================
2019-01-19T11:48:10.239+0800 INFO instance/beat.go:278 Setup Beat: auditbeat; Version: 6.5.1
2019-01-19T11:48:13.244+0800 INFO add_cloud_metadata/add_cloud_metadata.go:319 add_cloud_metadata: hosting provider type not detected.
2019-01-19T11:48:13.245+0800 INFO [publisher] pipeline/module.go:110 Beat name: e9.test.com
2019-01-19T11:48:13.245+0800 INFO [auditd] auditd/audit_linux.go:104 auditd module is running as euid=0 on kernel=3.10.0-957.el7.x86_64
2019-01-19T11:48:13.245+0800 ERROR [auditd] auditd/audit_linux.go:810 socket_type is set to multicast but based on the kernel version, multicast audit subscriptions are not supported. Remove the socket_type option to have auditbeat select the most suitable subscription method.
2019-01-19T11:48:13.246+0800 INFO instance/beat.go:357 auditbeat stopped.
2019-01-19T11:48:13.246+0800 ERROR instance/beat.go:800 Exiting: 1 error: 1 error: failed to create audit client: multicast socket_type not available
Exiting: 1 error: 1 error: failed to create audit client: multicast socket_type not available

============================


(Andrew Kroh) #4

The docs state:

multicast can be used in kernel versions 3.16 and newer.

So unfortunately you won't be able to use the multicast option to receive traffic on CentOS 6.9.
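Putting #2 and #4 together, here is an added example (not from the thread, and not Elastic's own sample config) of what the Auditbeat side of that setup looks like: auditd keeps writing its own log file on disk, and Auditbeat only listens and forwards. The Logstash host is a placeholder.

```yaml
# auditbeat.yml (added example). Local retention is handled by auditd itself
# (its log_file in /etc/audit/auditd.conf), so Auditbeat needs only one output.
auditbeat.modules:
  - module: auditd
    # multicast is a read-only subscription to the kernel audit stream, so it
    # does not take the audit socket away from the running auditd daemon.
    # Per #4 it requires kernel 3.16 or newer; on an older kernel remove this
    # line and Auditbeat picks the subscription method itself (see the error
    # in #3), in which case it and auditd would compete for the same socket.
    socket_type: multicast
    # Audit rules are left to auditd (/etc/audit/rules.d) so that exactly one
    # tool owns the ruleset; no audit_rules are set here.

# Only one output may be configured (#2): ship to Logstash and rely on
# auditd's file for the on-host copy required by compliance.
output.logstash:
  hosts: ["logstash.example.internal:5044"]   # placeholder host
```

Before enabling this, confirm the kernel is at least 3.16 with `uname -r` and that `auditbeat show auditd-status` reports enabled as 1 (not 2, which is locked), as described in #6.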


(Rajendran Thanigasalam) #5

From GitHub, I see the source code trying to validate 3 conditions. I believe 2 conditions are met, and one condition I am not sure how to check. The first condition:

isLocked := status.Enabled == auditLocked
hasMulticast := hasMulticastSupport()
hasRules := len(rules) > 0


(Andrew Kroh) #6

To check that, you can use the auditbeat show auditd-status command to make Auditbeat list the kernel status info, which contains the enabled state (0=disabled, 1=enabled, 2=locked).


(Rajendran Thanigasalam) #7

Yes, I checked and noticed it's not locked. Not sure why I am still getting the above errors.
All 3 conditions ruled out. :frowning:

[root@edge09 auditbeat-6.5.1-linux-x86_64]# ./auditbeat show auditd-status
enabled 1
failure 1
pid 14248
rate_limit 5000
backlog_limit 8192
lost 121139
backlog 0
backlog_wait_time 0
features 0x3d


(Rajendran Thanigasalam) #8

Just noticed your other GitHub ticket (#8382) on this same issue and tried the suggestions as well.
But it is not working for my case. To meet internal compliance I need to store the audit logs on local servers as well.

https://github.com/elastic/beats/issues/8382