1. Environment:
CentOS 7, ELK 8.6, Auditbeat 8.6;
Two computers, ELK 8.6 on one, Auditbeat on the other;
Elasticsearch and Kibana installed via Docker, Auditbeat 8.6 installed via yum;
2. Use the default configuration:
[root@localhost ~]# cat /etc/auditbeat/auditbeat.yml # changed like this
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["10.23.13.3:9200"]
# Protocol - either `http` (default) or `https`.
protocol: "https"
# Authentication credentials - either API key or username/password.
#api_key: "id:api_key"
username: "xxxxxxxxxxx"
password: "xxxxxxxxxxxxxxxxxx"
ssl.ca_trusted_fingerprint: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
[root@localhost ~]# cat /etc/auditbeat/audit.rules.d/sample-rules.conf
## If you are on a 64 bit platform, everything should be running
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
## because this might be a sign of someone exploiting a hole in the 32
## bit API.
-a always,exit -F arch=b32 -S all -F key=32bit-abi
## Executions.
-a always,exit -F arch=b64 -S execve,execveat -k exec
## Identity changes.
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
## Unauthorized access attempts.
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
[root@localhost ~]#
3. Problem
I use Ansible to run commands from the ELK computer, like this:
[root@elk ~]# ansible all -m shell -a 'cat /etc/redhat-release'
10.23.13.17 | CHANGED | rc=0 >>
CentOS Linux release 7.9.2009 (Core)
[root@elk ~]#
Then I found the log on the Auditbeat computer, like this:
[root@localhost ~]# less /var/log/audit/audit.log|grep redhat
type=EXECVE msg=audit(1677565991.006:107601): argc=2 a0="cat" a1="/etc/redhat-release"
type=EXECVE msg=audit(1677565993.870:107737): argc=2 a0="cat" a1="/etc/redhat-release"
found 43 lines...
The problem is, I can't find the command "cat /etc/redhat-release" in the ELK data view in the web browser;
If I log in to the Auditbeat computer using SSH and run some commands in the SSH terminal, I can find those commands in the ELK data view in the web browser;
How can I solve this problem?
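As an added example (not part of the original post): a small Python parser for audit.log records in the format quoted above. It joins the SYSCALL and EXECVE records of one event by their serial number and rebuilds the command line, including arguments that auditd hex-encodes because they contain spaces. The SAMPLE_LOG records, the SYSCALL lines and the hex-encoded argument are constructed for illustration.

```python
import re
from collections import defaultdict

HEADER_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\S+?)=("[^"]*"|\S*)')

# Constructed sample in the format of the audit.log lines quoted in the post
# (the SYSCALL records and the hex-encoded a2 argument are invented).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1677565991.006:107601): arch=c000003e syscall=59 success=yes exit=0 ppid=4711 pid=4712 auid=1000 uid=0 tty=(none) comm="cat" exe="/usr/bin/cat" key="exec"
type=EXECVE msg=audit(1677565991.006:107601): argc=2 a0="cat" a1="/etc/redhat-release"
type=SYSCALL msg=audit(1677565993.870:107737): arch=c000003e syscall=59 success=yes exit=0 ppid=4720 pid=4721 auid=1000 uid=0 tty=pts0 comm="bash" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1677565993.870:107737): argc=3 a0="bash" a1="-c" a2=636174202F6574632F7265646861742D72656C65617365
"""

def parse_record(line):
    """Split one audit.log line into type, timestamp, serial and raw field values."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    return {"type": rtype, "ts": float(ts), "serial": int(serial),
            "fields": dict(FIELD_RE.findall(body))}

def decode_arg(raw):
    """EXECVE argv entries are quoted when printable; otherwise auditd hex-encodes them."""
    if raw.startswith('"'):
        return raw.strip('"')
    if re.fullmatch(r'(?:[0-9A-F]{2})+', raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw

def reconstruct_exec_events(log_text):
    """Join SYSCALL and EXECVE records sharing a serial into one command event."""
    by_serial = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            by_serial[rec["serial"]].append(rec)
    events = []
    for serial, recs in sorted(by_serial.items()):
        execve = next((r for r in recs if r["type"] == "EXECVE"), None)
        if execve is None:
            continue
        sc = next((r["fields"] for r in recs if r["type"] == "SYSCALL"), {})
        argc = int(execve["fields"].get("argc", 0))
        argv = [decode_arg(execve["fields"].get(f"a{i}", "")) for i in range(argc)]
        events.append({"serial": serial, "ts": execve["ts"], "argv": argv,
                       "cmdline": " ".join(argv), "key": sc.get("key", "").strip('"'),
                       "tty": sc.get("tty", ""), "auid": sc.get("auid", "")})
    return events
```

Run over the real /var/log/audit/audit.log, this gives a ground truth of which exec events the kernel recorded (and from which tty), to compare against what reaches Kibana.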