We are currently ingesting syslog, auditlog and authlog from our Ubuntu systems via Filebeat to Elasticsearch 7.4.2 as part of building our SIEM. We are planning to add Auditbeat with the auditd, system and file integrity modules. By doing this, are we double-ingesting something now (such as auditlog), or are these two independent things?
There certainly is overlap between auditlog and auditd. If you look at just the auditlog, you will find it's rather hard to consume and make use of in a forensic investigation. The enriched version of audit with Auditbeat is the way to go. Depending on your rules, you may see overlap with secure and auth as well. You need to identify if those logs are actually useful to an analyst; many of them have UIDs. Depending on your auth, those UIDs could be common (LDAP) or different on each host.
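To illustrate what the "enriched version" in the reply above buys an analyst over raw auditlog lines, here is an added example (not code from this thread or from Auditbeat itself) that groups the records sharing an audit serial number into one event and resolves the numeric auid/euid fields against a passwd map. The audit lines, the PASSWD map and the ECS-style output field names are all constructed for the example.

```python
import re

# Constructed sample: one execve of `cat /etc/shadow`, split over four records.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1575000000.123:4567): arch=c000003e syscall=59 success=yes exit=0 ppid=1234 pid=1235 auid=1000 uid=0 gid=0 euid=0 comm="cat" exe="/bin/cat" key="exec"
type=EXECVE msg=audit(1575000000.123:4567): argc=2 a0="cat" a1="/etc/shadow"
type=CWD msg=audit(1575000000.123:4567): cwd="/root"
type=PATH msg=audit(1575000000.123:4567): item=0 name="/bin/cat" inode=1234 mode=0100755 ouid=0 ogid=0
"""

# Constructed passwd map. Resolution happens against the host's own accounts
# (local files or LDAP), so the same local UID can name different users per host.
PASSWD = {0: "root", 1000: "alice"}

HEADER = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$')
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line):
    """Split one raw audit line into (type, timestamp, serial, {key: value}), or None."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV.findall(m.group("body"))}
    return m.group("type"), float(m.group("ts")), int(m.group("serial")), fields


def enrich(log_text, passwd=PASSWD):
    """Group raw records by audit serial and emit one analyst-friendly event per serial."""
    grouped = {}  # serial -> (timestamp, {record type: fields})
    for rtype, ts, serial, fields in filter(None, map(parse_record, log_text.splitlines())):
        grouped.setdefault(serial, (ts, {}))[1][rtype] = fields
    events = []
    for serial, (ts, recs) in sorted(grouped.items()):
        sysc, execve = recs.get("SYSCALL", {}), recs.get("EXECVE", {})
        events.append({
            "@timestamp": ts,
            "audit.serial": serial,
            # auid survives su/sudo, so it still names the user who actually logged in.
            "user.audit.name": passwd.get(int(sysc.get("auid", -1)), "unknown"),
            "user.effective.name": passwd.get(int(sysc.get("euid", -1)), "unknown"),
            "process.executable": sysc.get("exe"),
            "process.args": [execve.get(f"a{i}") for i in range(int(execve.get("argc", 0)))],
            "process.working_directory": recs.get("CWD", {}).get("cwd"),
            "event.outcome": "success" if sysc.get("success") == "yes" else "failure",
        })
    return events
```

Run `enrich(SAMPLE_AUDIT_LOG)` to get the single merged event; the same four raw lines would otherwise arrive as four separate Filebeat documents with nothing but numeric UIDs to tie them to a person.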
Thanks a lot for the reply. Appreciate it.