Ship login history

On all servers, I use Filebeat and Auditbeat. While I use filebeat for all sorts of things - I only use auditbeat to ship system logins (who attempted to log-on, from where, successful or not). It comes with Auditbeat's default dashboard "Login Dashboard ECS".

Problem is, I have about 10 CentOS 5 machines that can only run Filebeat (Auditbeat is not working on it).

Is it possible to ship the same data with Filebeat? This is an example of what a login entry looks like from Auditbeat:

Login by user root (UID: 0) on pts/0 (PID: 1715) from 172.19.14.55 (IP: 172.19.14.55)

Also, is it possible to have the data end up in the same Auditbeat dashboard?

Thanks ahead.

I thought about /var/log/secure and while I'll definitely try it as an alternative, it has a different format than the one from the snippet code which is from /var/log/wtmp. One obstacle is that it's a binary file. Is possible to have filebeat read from that? And is it possible to have the data shipped into the auditbeat dashboard?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.