I use Auditbeat 8.6.2 and can't find non-login-shell commands

1. Environment:
CentOS 7, ELK 8.6, Auditbeat 8.6;
Two computers, ELK 8.6 on one, Auditbeat on the other;
Elasticsearch and Kibana installed via Docker, Auditbeat 8.6 installed via yum;

2. Using the default configuration:

[root@localhost ~]# cat /etc/auditbeat/auditbeat.yml   # changed like this
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["10.23.13.3:9200"]

  # Protocol - either `http` (default) or `https`.
  protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "xxxxxxxxxxx"
  password: "xxxxxxxxxxxxxxxxxx"
  ssl.ca_trusted_fingerprint: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
[root@localhost ~]# cat /etc/auditbeat/audit.rules.d/sample-rules.conf
## If you are on a 64 bit platform, everything should be running
## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
## because this might be a sign of someone exploiting a hole in the 32
## bit API.
-a always,exit -F arch=b32 -S all -F key=32bit-abi

## Executions.
-a always,exit -F arch=b64 -S execve,execveat -k exec

## Identity changes.
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity

## Unauthorized access attempts.
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
[root@localhost ~]#

3. Problem
I use Ansible to run a command from the ELK computer, like this:

[root@elk ~]# ansible all -m shell -a 'cat /etc/redhat-release'
10.23.13.17 | CHANGED | rc=0 >>
CentOS Linux release 7.9.2009 (Core)
[root@elk ~]# 

Then I found the log on the Auditbeat computer, like this:

[root@localhost ~]# less /var/log/audit/audit.log|grep redhat
type=EXECVE msg=audit(1677565991.006:107601): argc=2 a0="cat" a1="/etc/redhat-release"
type=EXECVE msg=audit(1677565993.870:107737): argc=2 a0="cat" a1="/etc/redhat-release"
found 43 lines...

The problem is, I can't find the command "cat /etc/redhat-release" in the ELK data view in the web browser;
If I log in to the Auditbeat computer using SSH and run some commands in the SSH terminal, I can find those commands in the ELK data view in the web browser;
How can I solve this problem?
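As an added example (not code from the post, from auditd or from Auditbeat), a small Python parser for the audit.log format shown above: it joins the SYSCALL and EXECVE records that share a serial, decodes the hex-encoded arguments auditd emits for arguments containing spaces, and rebuilds each command line together with its rule key, auid and tty, which is what you would compare against the documents that do reach Kibana. The log lines inside it are constructed, not taken from the poster's host.

```python
import re
from collections import defaultdict

# Constructed sample records in the layout of /var/log/audit/audit.log.
# The serial after the timestamp (e.g. 107601) ties the SYSCALL and EXECVE
# records of one execve() together; a2 of the second event is hex-encoded
# because auditd encodes arguments that contain spaces.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1677565991.006:107601): arch=c000003e syscall=59 success=yes exit=0 ppid=4101 pid=4102 auid=0 uid=0 euid=0 tty=(none) ses=212 comm="cat" exe="/usr/bin/cat" key="exec"
type=EXECVE msg=audit(1677565991.006:107601): argc=2 a0="cat" a1="/etc/redhat-release"
type=SYSCALL msg=audit(1677565993.870:107737): arch=c000003e syscall=59 success=yes exit=0 ppid=5120 pid=5121 auid=1000 uid=1000 euid=1000 tty=pts0 ses=213 comm="sh" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1677565993.870:107737): argc=3 a0="sh" a1="-c" a2=636174202F6574632F7265646861742D72656C65617365
type=SYSCALL msg=audit(1677565995.001:107800): arch=c000003e syscall=2 success=no exit=-13 auid=1000 uid=1000 tty=pts0 ses=213 comm="cat" exe="/usr/bin/cat" key="access"
"""

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def _unquote(value):
    return value[1:-1] if value.startswith('"') and value.endswith('"') else value


def _decode_arg(value):
    """EXECVE aN values are either quoted strings or a hex string of the raw bytes."""
    if value.startswith('"'):
        return value[1:-1]
    if re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_audit_log(text):
    """Group records by serial: {serial: {"time": float, "SYSCALL": {...}, "EXECVE": {...}}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        ev = events[int(serial)]
        ev["time"] = float(ts)
        # An EXECVE with many arguments may be split over several records; merge them.
        ev.setdefault(rtype, {}).update(dict(KV_RE.findall(body)))
    return dict(events)


def execve_commands(text, key="exec"):
    """Rebuild argv for every execve() event whose SYSCALL record carries the given rule key."""
    out = []
    for serial, ev in sorted(parse_audit_log(text).items()):
        sc, ex = ev.get("SYSCALL"), ev.get("EXECVE")
        if not sc or not ex or _unquote(sc.get("key", "")) != key:
            continue
        argv = [_decode_arg(ex[f"a{i}"]) for i in range(int(ex["argc"]))]
        out.append({"serial": serial, "time": ev["time"], "auid": sc.get("auid"),
                    "tty": sc.get("tty"), "ses": sc.get("ses"), "argv": argv})
    return out


def find_commands(text, needle, key="exec"):
    """Like grep on the raw log, but matched against the decoded command line, so hex-encoded args are found too."""
    return [c for c in execve_commands(text, key) if needle in " ".join(c["argv"])]
```

Running `find_commands(open("/var/log/audit/audit.log").read(), "redhat-release")` on the Auditbeat host lists each matching execve with its serial, auid and tty, so the records that exist locally can be checked one by one against what is indexed.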
