Show failed GDM logins on Login Dashboard

I am using Auditbeat on a standalone system in a closed area with no internet access. I set up Elasticsearch, Kibana, and Auditbeat to audit the system. This was easy enough. I would like to get the Login Dashboard to show failed GDM logins. Does anyone have a suggestion to accomplish this? The dashboard will only show failed SSH logins.

What's GDM?

GDM is the GNOME Display Manager. It provides the login environment for logging into the system. The module for Auditbeat gets the login information for logins from /var/log/wtmp (good logins, logouts, and system boot information) and /var/log/btmp (bad logins). The login success table reports all information as expected. The login failures table will only show bad logins for ssh.

After a little digging I think that the Auditbeat module works as intended. When I enter the last command, the output is the information that goes in the login success table. When I enter the lastb command, I only get failed SSH logins. /var/log/btmp only records bad SSH logins. Since the module only looks in /var/log/btmp (not auth.log or the auditd log), the tables in the dashboard are working as expected.

Unless there is a way to send bad GDM logins to /var/log/btmp (maybe with PAM module configuration?) I might need another solution. I would need a dashboard or table for authentications. I can search for and find everything I want with Discover under Analytics in Kibana. Is there a dashboard template available for authentications? I'm not sure the best way to go about creating a table or dashboard for authentications. Any suggestions would be helpful.

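The thread observes that failed GDM attempts are absent from /var/log/btmp but present in the auditd log. As an added example (not part of the original posts), this tallies failed PAM authentications per program and account from audit.log-style USER_AUTH records; the sample lines are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample records in Linux audit.log format (not taken from the thread).
SAMPLE_AUDIT_LOG = """\
type=USER_AUTH msg=audit(1700000000.101:201): pid=2101 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="alice" exe="/usr/libexec/gdm-session-worker" hostname=ws01 addr=? terminal=/dev/tty1 res=failed'
type=USER_AUTH msg=audit(1700000004.220:202): pid=2101 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="alice" exe="/usr/libexec/gdm-session-worker" hostname=ws01 addr=? terminal=/dev/tty1 res=failed'
type=USER_AUTH msg=audit(1700000009.874:203): pid=2101 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="alice" exe="/usr/libexec/gdm-session-worker" hostname=ws01 addr=? terminal=/dev/tty1 res=success'
type=USER_AUTH msg=audit(1700000015.003:204): pid=2250 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="bob" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=failed'
type=SYSCALL msg=audit(1700000020.000:205): arch=c000003e syscall=59 success=yes exit=0 comm="ls" exe="/usr/bin/ls"
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:\d+\):")
INNER = re.compile(r"msg='(.*)'\s*$")        # user-space payload of the record
PAIR = re.compile(r'(\w+)=("[^"]*"|\S+)')    # key=value or key="value"

def failed_auths(log_text):
    """Return one dict per failed USER_AUTH record, whatever program produced it."""
    events = []
    for line in log_text.splitlines():
        head, inner = HEADER.match(line), INNER.search(line)
        if not head or not inner or head.group(1) != "USER_AUTH":
            continue
        fields = {k: v.strip('"') for k, v in PAIR.findall(inner.group(1))}
        if fields.get("res") != "failed":
            continue
        events.append({
            "time": int(head.group(2)),           # epoch seconds from the header
            "exe": fields.get("exe", "?"),
            "acct": fields.get("acct", "?"),
            "terminal": fields.get("terminal", "?"),
        })
    return events

def failures_by_program(events):
    """Count failures keyed by (program basename, account)."""
    return Counter((e["exe"].rsplit("/", 1)[-1], e["acct"]) for e in events)

if __name__ == "__main__":
    for (prog, acct), n in failures_by_program(failed_auths(SAMPLE_AUDIT_LOG)).items():
        print(f"{prog:22} {acct:10} {n}")
```

Grouping on the `exe` field is what separates display-manager failures from SSH failures, which the btmp-based tables cannot do.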