I'm trying to get auditbeat to translate my TTY. I have the basics set up properly and I'm, for now, using the default rules that come out of the box with auditbeat.
/etc/pam.d/common-session file ends with
session required pam_tty_audit.so enable=*
What I'd like to see is something along the lines of what
/var/log/audit.log spits out:
type=TTY msg=audit(1563826068.496:30191): tty pid=22321 uid=0 auid=1059801645 ses=17 major=136 minor=1 comm="vim" data=1B5B323B32521B5B3E303B39353B30636A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6A6B6B6B6B6B6B6B6B6B6B6B6B3A710D
It seems like this is do-able as another user had a somewhat-related question last year:
Specifically this line:
"data": "y\n", # <- KEYSTROKES HERE
I cannot seem to get this in any of my fields. I'm happy to post my rules but they are simply the default ones that come with Auditbeat.
Would love any help/suggestions.
FWIW I'm using AWS Elasticsearch 6.7
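The `data=` value in the raw `type=TTY` record above is the keystroke stream hex-encoded: in the quoted record it decodes to two terminal reply sequences (`ESC[2;2R`, `ESC[>0;95;0c`, which the terminal writes back on the input side when vim queries it), a run of `j` and `k` cursor moves, and finally `:q` plus Enter. The following decoder is an added example written for this thread, not code from Auditbeat or from the original poster; it parses one auditd TTY line and renders the payload readably. The sample record is constructed, modelled on the one in the question but with a shorter payload so the result is easy to check; the field names it reads (`type`, `msg`, `pid`, `comm`, `data`) are the ones visible in the quoted record.

```python
"""Decode the hex-encoded keystroke payload of a Linux audit `type=TTY` record.

Added example for this thread (not Auditbeat code). The sample line is
constructed, modelled on the record quoted in the question.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# key=value pairs; values are either double-quoted (comm="vim") or run to
# the next whitespace (pid=22321, data=1B5B...).
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# The msg value looks like audit(<epoch seconds>.<ms>:<serial>):
_MSG_RE = re.compile(r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\)')

# Printable names for the control bytes a terminal session produces most
# often, so a decoded line stays readable.
_CONTROL_NAMES = {
    0x1B: '<ESC>', 0x0D: '<CR>', 0x0A: '<LF>', 0x09: '<TAB>',
    0x7F: '<DEL>', 0x03: '<C-c>', 0x04: '<C-d>',
}


@dataclass
class TtyRecord:
    timestamp: float
    serial: int
    fields: Dict[str, str] = field(default_factory=dict)
    keystrokes: bytes = b''


def parse_tty_record(line: str) -> TtyRecord:
    """Parse one `type=TTY` audit line into its fields and raw keystroke bytes.

    Raises ValueError for non-TTY records and for a `data` field that is not
    valid hex (odd length or truncated payloads are the usual cause).
    """
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    if fields.get('type') != 'TTY':
        raise ValueError(f"not a TTY record: type={fields.get('type')!r}")
    m = _MSG_RE.search(fields.get('msg', ''))
    if m is None:
        raise ValueError('missing audit(<timestamp>:<serial>) header')
    data = fields.get('data', '')
    if len(data) % 2 != 0:
        raise ValueError(f'odd-length hex payload ({len(data)} chars)')
    try:
        keystrokes = bytes.fromhex(data)
    except ValueError as exc:
        raise ValueError(f'data field is not hex: {exc}') from exc
    return TtyRecord(float(m['ts']), int(m['serial']), fields, keystrokes)


def render_keystrokes(raw: bytes) -> str:
    """Render keystroke bytes as text, naming control bytes instead of hiding them."""
    out = []
    for b in raw:
        if b in _CONTROL_NAMES:
            out.append(_CONTROL_NAMES[b])
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))
        else:
            out.append(f'<0x{b:02X}>')
    return ''.join(out)


def decode_line(line: str) -> Optional[str]:
    """Decoded keystrokes for one audit line, or None if the record is unusable."""
    try:
        return render_keystrokes(parse_tty_record(line).keystrokes)
    except ValueError:
        return None


# Constructed sample, modelled on the record in the question but shortened:
# a cursor-position reply from the terminal (ESC [ 2 ; 2 R), then the vim
# keys j j k : q <Enter>.
SAMPLE_TTY_LINE = (
    'type=TTY msg=audit(1563826068.496:30191): tty pid=22321 uid=0 '
    'auid=1059801645 ses=17 major=136 minor=1 comm="vim" '
    'data=1B5B323B32526A6A6B3A710D'
)

if __name__ == '__main__':
    rec = parse_tty_record(SAMPLE_TTY_LINE)
    print(f"{rec.fields['comm']} pid={rec.fields['pid']} auid={rec.fields['auid']} "
          f"ses={rec.fields['ses']}: {render_keystrokes(rec.keystrokes)}")
```

Run it against lines from your audit log (`grep '^type=TTY' audit.log`) to see what pam_tty_audit actually captured before worrying about how Auditbeat maps the field; the odd-length and non-hex checks matter because a `data=` value that was cut off in transit will otherwise raise deep inside `bytes.fromhex`.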