Ubuntu system log parsing

Hi,

I’m new to Elastic and trying to explore its security capabilities. For testing purposes I set up some VMs and installed Elastic Agent to collect logs. I then tried to generate some successful and some unsuccessful login attempts to an Ubuntu VM (locally, not with ssh); unfortunately, info from the auth log or system log is not getting parsed. In the Elastic Security event section I see the message for failed logins, but it’s not getting divided into separate fields (normalised), and because of that the authentication rules are not firing either.
I then uninstalled Elastic Agent and installed Filebeat, because I thought it could be due to agents still being in beta, but it's the same situation.

Try auditbeat, it may have more of the events that you're looking for.
