Hello,
I am trying to run auditbeat on minikube, but Kubernetes metadata is not added to events.
Do you know what the correct configuration should be?
Here is my config:
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: auditbeat-config
  namespace: kube-system
  labels:
    k8s-app: auditbeat
data:
  auditbeat.yml: |-
    auditbeat.modules:
    - module: auditd
      audit_rules: |
        -w /etc/passwd -p wa -k identity
        -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
        -a always,exit -F arch=b64 -S execve,execveat -k exec
    processors:
      - add_kubernetes_metadata:
          host: ${NODE_NAME}
    output.file:
      path: "/var/auditbeat/logs"
      filename: auditbeat
      rotate_every_kb: 20000
      number_of_files: 2
      permissions: 0644
---
# Deploy an auditbeat instance per node for node metrics retrieval
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: auditbeat
  namespace: kube-system
  labels:
    k8s-app: auditbeat
spec:
  selector:
    matchLabels:
      k8s-app: auditbeat
  template:
    metadata:
      labels:
        k8s-app: auditbeat
    spec:
      serviceAccountName: auditbeat
      terminationGracePeriodSeconds: 30
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      hostPID: true
      containers:
      - name: auditbeat
        image: docker.elastic.co/beats/auditbeat:7.5.1
        args: [
          "-c", "/etc/auditbeat.yml",
          "-e",
          "-d", "*",
        ]
        env:
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        securityContext:
          runAsUser: 0
          capabilities:
            add: ["AUDIT_CONTROL", "AUDIT_READ"]
        resources:
          limits:
            memory: 200Mi
          requests:
            cpu: 100m
            memory: 100Mi
        volumeMounts:
        - name: config
          mountPath: /etc/auditbeat.yml
          readOnly: true
          subPath: auditbeat.yml
      volumes:
      - name: config
        configMap:
          defaultMode: 0600
          name: auditbeat-config
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: auditbeat
subjects:
- kind: ServiceAccount
  name: auditbeat
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: auditbeat
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: auditbeat
  labels:
    k8s-app: auditbeat
rules:
- apiGroups: [""]
  resources:
  - nodes
  - namespaces
  - pods
  - events
  verbs: ["get", "list", "watch"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: auditbeat
  namespace: kube-system
  labels:
    k8s-app: auditbeat
---
In the debug log I can see that the add_kubernetes_metadata processor is generated and pods are discovered, but then no metadata is added:
2020-01-07T10:11:02.593Z INFO add_kubernetes_metadata/kubernetes.go:68 add_kubernetes_metadata: kubernetes env detected, with version: v1.17.0
2020-01-07T10:11:02.593Z INFO kubernetes/util.go:79 kubernetes: Using node minikube provided in the config
2020-01-07T10:11:02.593Z DEBUG [kubernetes] add_kubernetes_metadata/kubernetes.go:138 Initializing a new Kubernetes watcher using host: minikube
2020-01-07T10:11:02.696Z DEBUG [kubernetes] kubernetes/watcher.go:241 cache sync done
2020-01-07T10:11:02.697Z DEBUG [processors] processors/processor.go:101 Generated new processors: add_kubernetes_metadata
2020-01-07T10:11:02.703Z DEBUG [kubernetes] add_kubernetes_metadata/kubernetes.go:156 add_kubernetes_metadata: adding pod: kube-system/storage-provisioner
2020-01-07T10:11:02.704Z DEBUG [kubernetes] add_kubernetes_metadata/kubernetes.go:156 add_kubernetes_metadata: adding pod: kube-system/coredns-6955765f44-2dpv8
2020-01-07T10:11:02.706Z DEBUG [kubernetes] add_kubernetes_metadata/kubernetes.go:156 add_kubernetes_metadata: adding pod: kube-system/etcd-minikube
2020-01-07T10:11:02.717Z DEBUG [kubernetes] add_kubernetes_metadata/kubernetes.go:156 add_kubernetes_metadata: adding pod: kube-system/kube-addon-manager-minikube
2020-01-07T10:11:02.717Z DEBUG [kubernetes] add_kubernetes_metadata/kubernetes.go:156 add_kubernetes_metadata: adding pod: kube-system/kube-controller-manager-minikube
2020-01-07T10:11:02.718Z DEBUG [kubernetes] add_kubernetes_metadata/kubernetes.go:156 add_kubernetes_metadata: adding pod: kube-system/kube-scheduler-minikube
2020-01-07T10:11:02.718Z DEBUG [kubernetes] add_kubernetes_metadata/kubernetes.go:156 add_kubernetes_metadata: adding pod: kube-system/auditbeat-zflhb
2020-01-07T10:11:34.841Z DEBUG [processors] processing/processors.go:186 Publish event: {
  "@timestamp": "2020-01-07T10:11:34.833Z",
  "@metadata": {
    "beat": "auditbeat",
    "type": "_doc",
    "version": "7.5.1"
  },
  "service": {
    "type": "auditd"
  },
  "ecs": {
    "version": "1.1.0"
  },
  "host": {
    "name": "auditbeat-zflhb"
  },
  "user": {
    "saved": {
      "id": "0",
      "name": "root",
      "group": {
        "id": "0",
        "name": "root"
      }
    },
    "name": "root",
    "effective": {
      "name": "root",
      "id": "0",
      "group": {
        "id": "0",
        "name": "root"
      }
    },
    "selinux": {
      "user": "kernel"
    },
    "filesystem": {
      "group": {
        "id": "0",
        "name": "root"
      },
      "id": "0",
      "name": "root"
    },
    "id": "0",
    "group": {
      "id": "0",
      "name": "root"
    }
  },
  "tags": [
    "exec"
  ],
  "file": {
    "path": "/usr/bin/cat",
    "gid": "0",
    "device": "00:00",
    "owner": "root",
    "selinux": {
      "user": "unlabeled"
    },
    "group": "root",
    "inode": "5759839",
    "mode": "0755",
    "uid": "0"
  },
  "auditd": {
    "paths": [
      {
        "dev": "00:e4",
        "nametype": "NORMAL",
        "ogid": "0",
        "ouid": "0",
        "rdev": "00:00",
        "cap_fi": "0000000000000000",
        "name": "/usr/bin/cat",
        "cap_fe": "0",
        "mode": "0100755",
        "obj_user": "unlabeled",
        "cap_fver": "0",
        "inode": "5759839",
        "item": "0",
        "cap_fp": "0000000000000000"
      },
      {
        "dev": "00:e4",
        "item": "1",
        "ogid": "0",
        "inode": "5761686",
        "name": "/lib64/ld-linux-x86-64.so.2",
        "nametype": "NORMAL",
        "obj_user": "unlabeled",
        "mode": "0100755",
        "rdev": "00:00",
        "cap_fe": "0",
        "cap_fi": "0000000000000000",
        "cap_fp": "0000000000000000",
        "cap_fver": "0",
        "ouid": "0"
      }
    ],
    "message_type": "syscall",
    "sequence": 180,
    "result": "success",
    "data": {
      "pi": "00000020e80425fb",
      "old_pp": "00000020e80425fb",
      "fe": "0",
      "old_pe": "00000020e80425fb",
      "arch": "x86_64",
      "pe": "00000020e80425fb",
      "syscall": "execve",
      "tty": "pts0",
      "old_pa": "0000000000000000",
      "old_pi": "00000020e80425fb",
      "argc": "2",
      "exit": "0",
      "a3": "0",
      "a1": "c00000dd60",
      "a0": "c00007af10",
      "a2": "c0000e27e0",
      "pp": "00000020e80425fb",
      "pa": "0000000000000000",
      "fi": "0000000000000000",
      "fp": "0000000000000000",
      "fver": "0"
    },
    "summary": {
      "actor": {
        "secondary": "root",
        "primary": "unset"
      },
      "object": {
        "primary": "/usr/bin/cat",
        "type": "file"
      },
      "how": "/usr/bin/cat"
    }
  },
  "agent": {
    "ephemeral_id": "a30166dd-3759-4f24-ad74-7680ded60640",
    "hostname": "auditbeat-zflhb",
    "id": "9113ca40-a989-4bda-99fa-974d37fad1e3",
    "version": "7.5.1",
    "type": "auditbeat"
  },
  "event": {
    "category": "audit-rule",
    "action": "executed",
    "outcome": "success",
    "module": "auditd"
  },
  "process": {
    "name": "cat",
    "executable": "/usr/bin/cat",
    "working_directory": "/usr/share/auditbeat",
    "args": [
      "cat",
      "fffff"
    ],
    "pid": 16629,
    "ppid": 16620,
    "title": "cat fffff"
  }
}
There is only add_cloud_metadata in the auditbeat deployment for Kubernetes:
https://github.com/elastic/beats/blob/master/deploy/kubernetes/auditbeat-kubernetes.yaml
Thank you.
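A small triage helper for exactly the kind of debug output quoted above, added here as an example; it is not part of the post and not code from Beats. It reads a Beats debug log (the `-d "*"` output), collects the pods the `add_kubernetes_metadata` watcher reports as indexed, pulls every published event out of the multi-line `Publish event: {...}` JSON, and reports how many events carry a `kubernetes.pod.name` field. It also checks whether an undecorated event's `host.name` is one of the indexed pods, which is the situation in the log above (`auditbeat-zflhb` is indexed, yet the event has no `kubernetes` block): that narrows the problem to how events are matched to pods rather than to pod discovery or RBAC. The `SAMPLE_LOG` is constructed from the post's lines, abridged, with a second constructed event that shows what a decorated event looks like.

```python
"""Triage a Beats debug log: did add_kubernetes_metadata decorate the events?

Added example (not from the forum post, not Beats code). SAMPLE_LOG is
constructed from the post's debug output; the second event is invented to
show a decorated event for contrast.
"""
import json
import re
from typing import Dict, List, Optional, Tuple

# Watcher line emitted once per pod it indexes, e.g. "... adding pod: kube-system/auditbeat-zflhb"
POD_ADDED = re.compile(r"add_kubernetes_metadata: adding pod: (\S+)")
# Marker that precedes each pretty-printed event in processors.go debug output
PUBLISH_MARKER = "Publish event: "

SAMPLE_LOG = """\
2020-01-07T10:11:02.718Z DEBUG [kubernetes] add_kubernetes_metadata/kubernetes.go:156 add_kubernetes_metadata: adding pod: kube-system/kube-scheduler-minikube
2020-01-07T10:11:02.718Z DEBUG [kubernetes] add_kubernetes_metadata/kubernetes.go:156 add_kubernetes_metadata: adding pod: kube-system/auditbeat-zflhb
2020-01-07T10:11:34.841Z DEBUG [processors] processing/processors.go:186 Publish event: {
  "@timestamp": "2020-01-07T10:11:34.833Z",
  "host": {"name": "auditbeat-zflhb"},
  "event": {"module": "auditd", "action": "executed"},
  "process": {"name": "cat", "pid": 16629}
}
2020-01-07T10:11:35.000Z DEBUG [processors] processing/processors.go:186 Publish event: {
  "@timestamp": "2020-01-07T10:11:35.000Z",
  "host": {"name": "auditbeat-zflhb"},
  "kubernetes": {"pod": {"name": "auditbeat-zflhb"}, "namespace": "kube-system"},
  "event": {"module": "auditd", "action": "executed"}
}
"""


def parse_debug_log(text: str) -> Tuple[List[str], List[dict]]:
    """Return (pods indexed as 'namespace/name', published events as dicts)."""
    pods = POD_ADDED.findall(text)
    events: List[dict] = []
    decoder = json.JSONDecoder()
    pos = 0
    while (start := text.find(PUBLISH_MARKER, pos)) != -1:
        start += len(PUBLISH_MARKER)
        while start < len(text) and text[start].isspace():
            start += 1
        # raw_decode consumes exactly one JSON document and returns where it
        # ended, so the multi-line event needs no hand-written brace counting.
        event, pos = decoder.raw_decode(text, start)
        events.append(event)
    return pods, events


def pod_name(event: dict) -> Optional[str]:
    """kubernetes.pod.name if the processor decorated the event, else None."""
    return event.get("kubernetes", {}).get("pod", {}).get("name")


def triage(text: str) -> Dict[str, int]:
    """Summarise discovery vs. decoration for every event in the log."""
    pods, events = parse_debug_log(text)
    known_pods = {p.rsplit("/", 1)[-1] for p in pods}
    undecorated = [e for e in events if pod_name(e) is None]
    # An undecorated event whose host.name is an indexed pod means discovery
    # worked; the gap is between the event's fields and the pod index.
    known_but_undecorated = sum(
        1 for e in undecorated if e.get("host", {}).get("name") in known_pods
    )
    return {
        "pods_indexed": len(pods),
        "events": len(events),
        "undecorated": len(undecorated),
        "undecorated_host_is_known_pod": known_but_undecorated,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Feed it the real log with `triage(open("auditbeat-debug.log").read())`; a non-zero `undecorated_host_is_known_pod` with `pods_indexed` > 0 confirms the watcher and RBAC are fine and points the investigation at the processor's matching configuration.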