We are using auditd to monitor all user actions on all machines (now we are using rsyslog, auditd and syslog-ng). I would like to switch to Filebeat, Elasticsearch and Kibana.
But auditd outputs 3 lines for one action, and you need to use the auditd tools to get data with usernames etc.
So how can I combine all of it into one line to see all actions of users?
I tried to use Logstash and send all audit logs via rsyslog to Logstash and then put them in Elasticsearch. But monitoring this data in Kibana is a nightmare.
Please help me. Do you have a solution to store auditd data and monitor it in Kibana?
If you have another solution to monitor all executed commands without using auditd, please suggest it.
Thanks in advance.
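As an added example (not code from the original post), a small Python correlator that does what the question asks for: it groups the SYSCALL, EXECVE, CWD and PATH records that share one `msg=audit(timestamp:serial)` id and merges them into a single event per executed command, so one document per action can be shipped to Elasticsearch and searched in Kibana. The sample log lines are constructed; username resolution (what `ausearch -i` does) is left out, the raw `auid`/`uid` fields are kept instead.

```python
import json
import re
from collections import defaultdict

# Constructed sample input (not real logs): the records auditd emits for two execve() calls.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:42): arch=c000003e syscall=59 success=yes exit=0 items=1 ppid=1500 pid=1501 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="cmds"
type=EXECVE msg=audit(1700000000.123:42): argc=2 a0="cat" a1="/etc/hosts"
type=CWD msg=audit(1700000000.123:42): cwd="/home/alice"
type=PATH msg=audit(1700000000.123:42): item=0 name="/usr/bin/cat" inode=1234 dev=fd:01 mode=0100755 ouid=0 ogid=0
type=SYSCALL msg=audit(1700000001.500:43): arch=c000003e syscall=59 success=yes exit=0 items=1 ppid=1500 pid=1502 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="id" exe="/usr/bin/id" key="cmds"
type=EXECVE msg=audit(1700000001.500:43): argc=1 a0="id"
type=CWD msg=audit(1700000001.500:43): cwd="/home/alice"
"""

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):")  # identical on every record of one event
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')                  # key=value pairs, quoted or bare

def parse_record(line):  # -> ((timestamp, serial), record type, fields) or None for non-audit lines
    m = EVENT_ID.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    rec.pop("msg", None)
    return m.groups(), rec.pop("type", "UNKNOWN"), rec

def correlate(lines):  # merge all records sharing one event id into a single dict per event
    events = defaultdict(lambda: {"paths": []})
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue
        event_id, rtype, rec = parsed
        ev = events[event_id]
        if rtype == "SYSCALL":   # who ran it: auid survives su/sudo, uid/euid is the effective identity
            ev.update({k: rec[k] for k in ("auid", "uid", "euid", "tty", "ses", "pid", "ppid", "comm", "exe", "success", "exit") if k in rec})
        elif rtype == "EXECVE":  # argv reassembled from a0..a(argc-1); oversized args (a1[0]=...) are not handled here
            ev["cmdline"] = " ".join(rec.get("a%d" % i, "") for i in range(int(rec.get("argc", 0))))
        elif rtype == "CWD":
            ev["cwd"] = rec["cwd"]
        elif rtype == "PATH":
            ev["paths"].append(rec.get("name", ""))
    merged = []
    for (ts, serial), ev in sorted(events.items(), key=lambda kv: (float(kv[0][0]), int(kv[0][1]))):
        ev["@timestamp"], ev["serial"] = float(ts), int(serial)
        merged.append(ev)
    return merged

def to_ndjson(lines):  # one JSON document per event, the shape Filebeat/Elasticsearch ingest directly
    return "\n".join(json.dumps(ev, sort_keys=True) for ev in correlate(lines))
```

Run it over `/var/log/audit/audit.log` (or a tail of it) and write the NDJSON to a file that Filebeat picks up with its `json` parser; the `auid` field is what tells you which logged-in user ran a command even after `su` or `sudo`.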