Process auditd log to elasticsearch by using Filebeat

rpuserh · December 22, 2015, 4:37pm

Hi,
We are using auditd to monitor all user actions on all machines (Now we are using rsyslog auditd and syslog-ng). I would like to switch to Filebeat, elasticsearch and kibana.
But auditd has output for 3 lines for one action and you need to use auditd tools to get data with usernames etc .....
So how I can combine all into one line to see all actions of users.
I tried to use logstash and send all audit log via rsyslog to logstash and then put in elasticsearch. But monitor this data in kibana is a night mere.
Please help me. do you have solution to store auditd data and monitor it in kibana?
If you have other solution to monitor all executed commands by not using auditd please suggest me any.

Thanks in advance.

steffens · December 23, 2015, 4:37pm

sounds like multiline codec + grok filter in logstash might help for processing your logs. We're also working on multiline support (based on regexes) in filebeat. See this pull request and ticket for tracking process. Sounds like multiline in filebeat (better to collect related lines near source) + grok filter in logstash will be a good match for your use-case.

Topic		Replies	Views
Audit log Logstash	10	2721	March 26, 2019
Filebeat module - auditd Beats filebeat	3	1018	July 19, 2018
Auditbeat with Redis Beats auditbeat	3	625	November 4, 2022
How to track the user commands in Kibana? Kibana	3	277	February 14, 2023
Logstash config for using filebeat auditd module Logstash	2	1975	June 26, 2017

Process auditd log to elasticsearch by using Filebeat

Related topics