To detect SSH access, I'm using the rule below:
## External access (warning: these can be expensive to audit).
-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
This is generating a lot of events so I'm interested to fine tune the rule to catch the SSH events only. Ideally, this can be done without dropping the events via the auditbeat processor to make it less expensive on the host to monitor. Any guidance on how that can be done?
Thanks!
Are you asking a question here? It's not really clear given you have only posted two lines of text from somewhere.
sorry, I accidentally posted before finishing typing. I've updated my original post.
Solved by using Filebeat system module which collects logs from /var/log/auth.log
This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.