Monitor GCE VM commands

I've got a running filebeat ECK cluster. However, I've got a new requirement to incorporate VM commands and processes from another GCP project for analysis.

I've looked into the GCP Ops Agent and Auditbeat but neither seems to be advertising command logging.

I've already got Pub/Sub integration. Is there a way to get the VM commands logged and output to Pub/Sub?

Is there a solution I can look into that already does this in a similar manner to my filebeat deployment?

Hello @_bugc4t, sorry for the late reply. I checked internally and it is possible to monitor shell activity through Osquery, in particular with the shell_history table. Filebeat has an osquery module that would allow you to collect log results.

Using a query like select * from users join shell_history using (uid) would retrieve a history of commands run per user.

Would this fulfil your use case?
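
As an added example (not part of the posts above and not Elastic's or osquery's own code), this sketch parses osquery's JSON results log, the output the Filebeat osquery module collects, for rows produced by the query in the reply and groups the commands per user. The scheduled-query name `shell_history`, the host names and every log line are constructed for illustration, and the columns shown are a subset of what the join returns.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of osquery's differential results log (one JSON object per line).
# Assumes the query from the reply is scheduled under the name "shell_history".
SAMPLE_LOG = """\
{"name":"shell_history","hostIdentifier":"vm-example-1","unixTime":1700000300,"action":"added","columns":{"uid":"1001","username":"alice","command":"sudo systemctl restart nginx","time":"1700000123","history_file":"/home/alice/.bash_history"}}
{"name":"shell_history","hostIdentifier":"vm-example-2","unixTime":1700000300,"action":"added","columns":{"uid":"1002","username":"bob","command":"ls -la /var/log","time":"0","history_file":"/home/bob/.bash_history"}}
{"name":"shell_history","hostIdentifier":"vm-example-1","unixTime":1700000600,"action":"removed","columns":{"uid":"1001","username":"alice","command":"history -c","time":"0","history_file":"/home/alice/.bash_history"}}
{"name":"processes","hostIdentifier":"vm-example-1","unixTime":1700000600,"action":"added","columns":{"pid":"4242","name":"nginx"}}
{"name":"shell_history","hostIdenti
{"name":"shell_history","hostIdentifier":"vm-example-1","unixTime":1700000600,"action":"added","columns":{"uid":"1001","username":"alice","command":"tail -f /var/log/syslog","time":"1700000200","history_file":"/home/alice/.bash_history"}}
"""

def parse_shell_history(log_text, query_name="shell_history"):
    """Return one event per newly seen history row for the given scheduled query."""
    events = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting
        if not isinstance(rec, dict) or rec.get("name") != query_name:
            continue  # results from other scheduled queries share the same log
        if rec.get("action") != "added":
            continue  # "removed" rows mean the entry left the history file
        cols = rec.get("columns", {})
        ts = int(cols.get("time") or 0)  # osquery returns every column as a string
        events.append({
            "host": rec.get("hostIdentifier"),
            "user": cols.get("username"),
            "command": cols.get("command"),
            # time is 0 when the history entry carries no timestamp
            "ran_at": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat() if ts else None,
            "seen_at": rec.get("unixTime"),  # when osquery logged the row
        })
    return events

def commands_by_user(events):
    """Group command strings by username, preserving log order."""
    grouped = defaultdict(list)
    for event in events:
        grouped[event["user"]].append(event["command"])
    return dict(grouped)

if __name__ == "__main__":
    for user, commands in commands_by_user(parse_shell_history(SAMPLE_LOG)).items():
        print(user, commands)
```

The shell_history table is built from each user's shell history file, so a command appears only after the shell has written it there, and `ran_at` stays empty for entries without timestamps.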