Ship login history

headtea · November 15, 2020, 1:12pm

On all servers, I use Filebeat and Auditbeat. While I use filebeat for all sorts of things - I only use auditbeat to ship system logins (who attempted to log-on, from where, successful or not). It comes with Auditbeat's default dashboard "Login Dashboard ECS".

Problem is, I have about 10 CentOS 5 machines that can only run Filebeat (Auditbeat is not working on it).

Is it possible to ship the same data with Filebeat? This is an example of what a login entry looks like from Auditbeat:

Login by user root (UID: 0) on pts/0 (PID: 1715) from 172.19.14.55 (IP: 172.19.14.55)

Also, is it possible to have the data end up in the same Auditbeat dashboard?

Thanks ahead.

headtea · November 15, 2020, 2:57pm

I thought about /var/log/secure and while I'll definitely try it as an alternative, it has a different format than the one from the snippet code which is from /var/log/wtmp. One obstacle is that it's a binary file. Is possible to have filebeat read from that? And is it possible to have the data shipped into the auditbeat dashboard?

Topic		Replies	Views
Filebeat module to see system logins Beats filebeat	5	441	December 14, 2020
Best Beats for Security Analytics and login checks Beats	2	285	June 29, 2018
Tailing /var/log/secure Beats auditbeat	1	518	June 10, 2020
Auditbeat or Filebeat Beats filebeat , auditbeat	4	876	September 23, 2020
Using Filebeat for logging ssh log in Beats filebeat	13	13823	August 5, 2018

Ship login history

Related topics