Process auditd logs into Elasticsearch using Filebeat


(Ruben Papovyan) #1

Hi,
We are using auditd to monitor all user actions on all machines (currently with rsyslog, auditd and syslog-ng). I would like to switch to Filebeat, Elasticsearch and Kibana.
But auditd emits three lines of output for one action, and you need the auditd tools to get the data with usernames etc.
So how can I combine all of it into one line to see all the actions of a user?
I tried using Logstash: I sent the whole audit log via rsyslog to Logstash and then put it into Elasticsearch. But monitoring this data in Kibana is a nightmare.
Please help me. Do you have a solution to store auditd data and monitor it in Kibana?
If you have another solution to monitor all executed commands without using auditd, please suggest it.

Thanks in advance.


(Steffen Siering) #2

Sounds like the multiline codec + grok filter in Logstash might help for processing your logs. We're also working on multiline support (based on regexes) in Filebeat. See this pull request and ticket for tracking progress. Sounds like multiline in Filebeat (better to collect related lines near the source) + a grok filter in Logstash will be a good match for your use case.
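To make the "combine the related lines into one event" step concrete, here is an added example (not code from either poster or from the Filebeat/Logstash projects) of what the multiline + grok stage has to do with an auditd record group. Auditd records belonging to one syscall all carry the same `msg=audit(<epoch>:<serial>)` key, so the grouping key is the serial, not line adjacency: records of different events can interleave in the file. The script groups by that key, folds SYSCALL, EXECVE, CWD and PATH into one flat event, hex-decodes the EXECVE arguments auditd encodes when they contain spaces or quotes, and resolves `auid`/`uid` to names through a small uid-to-name map that stands in for `/etc/passwd`. The log lines and the passwd map are constructed for the example.

```python
import json
import re

# Constructed sample: the records auditd writes for two execve() calls.
# Records of serial 4568 are interleaved with those of 4567 on purpose.
# The a2 value of the first EXECVE is hex "id; cat /etc/shadow".
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1433782000.123:4567): arch=c000003e syscall=59 success=yes exit=0 a0=1a2b a1=3c4d a2=5e6f a3=0 items=2 ppid=2001 pid=2002 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="sh" exe="/usr/bin/sh" key="exec"
type=EXECVE msg=audit(1433782000.123:4567): argc=3 a0="sh" a1="-c" a2=69643B20636174202F6574632F736861646F77
type=SYSCALL msg=audit(1433782001.456:4568): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=1 ppid=2002 pid=2003 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="id" exe="/usr/bin/id" key="exec"
type=CWD msg=audit(1433782000.123:4567):  cwd="/home/ruben"
type=PATH msg=audit(1433782000.123:4567): item=0 name="/usr/bin/sh" inode=1234 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=EXECVE msg=audit(1433782001.456:4568): argc=1 a0="id"
type=PATH msg=audit(1433782000.123:4567): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=5678 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=CWD msg=audit(1433782001.456:4568):  cwd="/root"
type=PATH msg=audit(1433782001.456:4568): item=0 name="/usr/bin/id" inode=9012 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

# Constructed stand-in for /etc/passwd; on a real host use pwd.getpwuid().
PASSWD = {0: "root", 1001: "ruben"}

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")
HEX_FIELDS = {"cwd", "name"}          # a0..aN of EXECVE are handled separately
SYSCALL_KEEP = ("auid", "uid", "euid", "pid", "ppid", "ses", "tty",
                "comm", "exe", "success", "exit")


def decode_value(rtype, key, raw):
    """Strip quotes, or hex-decode the values auditd encodes because they
    contain spaces, quotes or control characters (argv, paths, cwd)."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    is_arg = rtype == "EXECVE" and re.fullmatch(r"a\d+", key) is not None
    if (is_arg or key in HEX_FIELDS) and HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_record(line):
    """Split one auditd line into ((timestamp, serial), type, fields)."""
    m = MSG_RE.search(line)
    if m is None:
        return None
    key = (float(m.group(1)), int(m.group(2)))
    raw = dict(KV_RE.findall(line[:m.start()] + line[m.end():]))
    rtype = raw.pop("type", "UNKNOWN")
    return key, rtype, {k: decode_value(rtype, k, v) for k, v in raw.items()}


def uid_to_name(value):
    try:
        return PASSWD.get(int(value), value)
    except ValueError:
        return value


def merge_records(records):
    """Fold every record sharing one serial into a single flat event."""
    event = {"paths": []}
    argv = {}
    for (ts, serial), rtype, fields in records:
        event["timestamp"], event["serial"] = ts, serial
        if rtype == "SYSCALL":
            event.update({k: fields[k] for k in SYSCALL_KEEP if k in fields})
            event["rule_key"] = fields.get("key")
            # auid is the login uid: it survives su/sudo, so use it for
            # attribution rather than uid (which becomes 0 after sudo).
            for k in ("auid", "uid", "euid"):
                if k in fields:
                    event[k + "_name"] = uid_to_name(fields[k])
        elif rtype == "EXECVE":
            for k, v in fields.items():
                if re.fullmatch(r"a\d+", k):
                    argv[int(k[1:])] = v
        elif rtype == "CWD":
            event["cwd"] = fields.get("cwd")
        elif rtype == "PATH":
            event["paths"].append(fields.get("name"))
    event["argv"] = [argv[i] for i in sorted(argv)]
    event["cmdline"] = " ".join(event["argv"])
    return event


def parse_audit_log(text):
    """Return one merged event per audit serial, in order of first appearance."""
    groups = {}
    for line in text.splitlines():
        parsed = parse_record(line.strip())
        if parsed is not None:
            groups.setdefault(parsed[0], []).append(parsed)
    return [merge_records(recs) for recs in groups.values()]


if __name__ == "__main__":
    print(json.dumps(parse_audit_log(SAMPLE_AUDIT_LOG), indent=2))
```

In a streaming pipeline the same grouping applies, but a serial has to be flushed on the trailing `EOE` record (or after a short timeout) instead of at end of file, and the grok patterns in Logstash would extract the same `msg=audit(...)` key to correlate lines. Indexing the decoded `cmdline` and the `auid_name` field is what makes the events searchable in Kibana: the second event in the sample is run as uid 0, but `auid` still attributes it to the user who logged in.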

