No data in Auditbeat events when using include_fields processor

Elastic Stack Beats
1

Hey, I'm trying to run auditbeat for the first time on debian jessie. I've downloaded the current .deb (6.2) and configured auditbeat to log everything that it can (using the auditbeat.reference.yaml).

It's also exporting the elasticsearch template and kibana dashboards. However, if i run auditbeat, it does not ship any data... if i configure the file output than i can see only those type of lines showing up frequently:

{"@timestamp":"2018-02-07T10:14:01.853Z","@metadata":{"beat":"auditbeat","type":"doc","version":"6.2.0"}}
{"@timestamp":"2018-02-07T10:14:02.026Z","@metadata":{"beat":"auditbeat","type":"doc","version":"6.2.0"}}
{"@timestamp":"2018-02-07T10:14:01.857Z","@metadata":{"beat":"auditbeat","type":"doc","version":"6.2.0"}}
{"@timestamp":"2018-02-07T10:14:01.857Z","@metadata":{"beat":"auditbeat","type":"doc","version":"6.2.0"}}
{"@timestamp":"2018-02-07T10:14:01.857Z","@metadata":{"beat":"auditbeat","type":"doc","version":"6.2.0"}}
{"@timestamp":"2018-02-07T10:14:01.857Z","@metadata":{"beat":"auditbeat","type":"doc","version":"6.2.0"}}

This is the same kind of data which is also shipped via elasticsearch output. Any ideas whats wrong here?

2

Could you share your config and the output of auditbeat -e -d "*"?

3

Sure: https://pastebin.com/raw/4sExQG1U

/edit
Sorry, forgot the config: ########################## Auditbeat Configuration ############################# - Pastebin.com

4

The curprit here is the processor you have added which says to drop all fields except for cpu. @timestamp and @metadata are exempt from deletion b/c they are special fields.

processors:
- include_fields:
    fields: ["cpu"]

BTW, using auditbeat export config produces a more concise and easier to read (IMO) version of the config.

5

Ah, thank you! :slight_smile:

And thanks for the export config hint!