Hi, just loving YAML at the moment (Grr). After a lot of experimentation, I managed to get the audit module working with the following:
##################################################
auditbeat.modules:

# The kernel metricset collects events from the audit framework in the Linux
# kernel. You need to specify audit rules for the events that you want to audit.
# Sadly this yaml file is fussy so separate each rule by a blank line
- module: audit
  metricsets: [kernel]
  kernel.resolve_ids: true
  kernel.failure_mode: log
  kernel.backlog_limit: 8192
  kernel.rate_limit: 0
  kernel.include_raw_message: false
  kernel.include_warnings: false
  kernel.audit_rules:

    -w /PTC/ -p wr -k ptc_dir_access

    -w /home/ -p wr -k home_dir_access

    -w /etc/auditbeat/auditbeat.yml -p wa -k elks_issue

    -w /etc/passwd -p wa -k passwd_changes

    -a exit,always -F arch=b64 -k b64_call

    -a exit,always -F arch=b32 -k b32_call
##################################################
And yes, I needed a blank space between each rule. I tried the | after kernel.audit_rules: and even " |" (as in a blank before the |) after kernel.audit_rules: on the above, and it would not work. Trouble is, I would prefer the auditd module running so that it groups the syscalls together.
So I have tried variations of the following:
##################################################
auditbeat.modules:

# The kernel metricset collects events from the audit framework in the Linux
# kernel. You need to specify audit rules for the events that you want to audit.
# Sadly this yaml file is fussy so separate each rule by a blank line
- module: auditd
  resolve_ids: true
  failure_mode: log
  backlog_limit: 8196
  rate_limit: 0
  include_raw_message: false
  include_warnings: false
  audit_rules:

    -w /PTC/ -p wr -k ptc_dir_access

    -w /home/ -p wr -k home_dir_access

    -w /etc/auditbeat/auditbeat.yml -p wa -k elks_issue

    -w /etc/passwd -p wa -k passwd_changes

    -a exit,always -F arch=b64 -k b64_call

    -a exit,always -F arch=b32 -k b32_call
###############################################
But I get various messages such as:
With the above config:
Exiting: 1 error: missing required field accessing 'auditbeat.modules.0.metricsets' (source:'/etc/auditbeat/auditbeat.yml')
With " audit_rules:|"
Exiting: error loading config file: yaml: line 52: could not find expected ':'
With " audit_rules: |"
Exiting: 1 error: missing required field accessing 'auditbeat.modules.0.metricsets' (source:'/etc/auditbeat/auditbeat.yml')
The same with all the blank lines removed.
I have checked, and there are no trailing spaces and no tabs.
In the example above you are showing config for two different versions of Auditbeat. The last one uses the correct config keys for Auditbeat 6.2. There were some breaking changes in 6.2.
Regarding the audit_rules, what I have below works fine in Auditbeat 6.2. Multi-line strings in YAML can be complicated because there are so many options. Make sure you have the | and make sure the indentation is correct (no tabs). Blank lines and comments (#) are ignored by Auditbeat when parsing the audit_rules.
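The blank-line behaviour reported in this thread follows from how YAML treats a value that is written without the literal block indicator (|): consecutive lines of a plain multi-line scalar are folded into one space-separated line, and only an empty line becomes a newline, so without | every rule ends up on the same line unless a blank line separates them. The following added example (written for this page; it is not code from the thread or from Auditbeat) splits an audit_rules string exactly as the reply above describes Auditbeat doing it (blank lines and # comments ignored, one auditctl-style rule per line) and flags the tell-tale sign of folding, a second -w or -a on one line. The two sample strings are constructed inline to stand in for what Auditbeat receives in the two cases; they are not read from a real auditbeat.yml.

```python
"""Lint an Auditbeat audit_rules string as Auditbeat will see it after YAML parsing.

Added example for this page, not Auditbeat code. Sample inputs are constructed.
"""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed: what Auditbeat receives when the rules sit under 'audit_rules: |'
# (or as a plain scalar with a blank line between every rule): one rule per line.
LITERAL_BLOCK = """\
-w /PTC/ -p wr -k ptc_dir_access
-w /home/ -p wr -k home_dir_access
# comments and blank lines are ignored by Auditbeat

-w /etc/passwd -p wa -k passwd_changes
-a exit,always -F arch=b64 -k b64_call
"""

# Constructed: the same rules written as a plain scalar with no '|' and no blank
# lines; YAML folds the line breaks into spaces and hands Auditbeat one long line.
FOLDED_PLAIN_SCALAR = (
    "-w /PTC/ -p wr -k ptc_dir_access -w /home/ -p wr -k home_dir_access "
    "-w /etc/passwd -p wa -k passwd_changes -a exit,always -F arch=b64 -k b64_call"
)


@dataclass
class AuditRule:
    kind: str                      # "watch" (-w) or "syscall" (-a)
    target: str                    # watched path, or the -a "list,action" pair
    perms: Optional[str] = None    # -p letters on a watch rule
    key: Optional[str] = None      # -k key
    fields: List[str] = field(default_factory=list)    # -F arch=b64, ...
    syscalls: List[str] = field(default_factory=list)  # -S openat, ...
    problems: List[str] = field(default_factory=list)  # rule will not load as intended
    warnings: List[str] = field(default_factory=list)  # loads, but worth a look


def parse_rule(line: str) -> AuditRule:
    """Parse one auditctl-style line, recording anything that looks wrong."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] not in ("-w", "-a"):
        return AuditRule("unknown", line, problems=["rule must start with -w <path> or -a <list,action>"])
    kind = "watch" if toks[0] == "-w" else "syscall"
    rule = AuditRule(kind, toks[1])
    i = 2
    while i < len(toks):
        opt, arg = toks[i], (toks[i + 1] if i + 1 < len(toks) else None)
        if opt in ("-w", "-a"):
            # A second -w/-a on one line means a newline went missing: YAML folding.
            rule.problems.append(f"second {opt} on the same line: missing newline (YAML folding?)")
        elif arg is None:
            rule.problems.append(f"{opt} is missing its argument")
        elif opt == "-p":
            rule.perms = arg
            if kind != "watch" or not set(arg) <= set("rwxa"):
                rule.problems.append(f"bad -p value {arg!r}: expected letters from rwxa on a -w rule")
        elif opt == "-k":
            rule.key = arg
        elif opt == "-F":
            rule.fields.append(arg)
        elif opt == "-S":
            rule.syscalls.append(arg)
        else:
            rule.problems.append(f"unrecognised option {opt}")
        i += 2
    if kind == "syscall" and not rule.syscalls:
        rule.warnings.append("-a rule has no -S: it matches every syscall allowed by its -F filters (very noisy)")
    return rule


def lint_audit_rules(text: str) -> List[AuditRule]:
    """Split the audit_rules string as Auditbeat does and parse each rule."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # ignored by Auditbeat
            continue
        rules.append(parse_rule(line))
    return rules


def problems(text: str) -> List[str]:
    """All hard problems across the rule set (empty list means it should load)."""
    return [p for r in lint_audit_rules(text) for p in r.problems]


if __name__ == "__main__":
    for label, text in (("literal block", LITERAL_BLOCK), ("folded plain scalar", FOLDED_PLAIN_SCALAR)):
        rules = lint_audit_rules(text)
        print(f"{label}: {len(rules)} rule(s), problems: {problems(text) or 'none'}")
        for r in rules:
            for w in r.warnings:
                print(f"  warning on -k {r.key}: {w}")
```

Run against the literal-block sample the linter finds four clean rules (plus a noise warning on the -a rule, which has no -S and so records every b64 syscall); the folded sample yields a single rule carrying three "missing newline" problems, which is what the kernel-rule parser would choke on. On a host with Auditbeat installed, `auditbeat test config -c /etc/auditbeat/auditbeat.yml` validates the YAML itself, and `auditctl -l` shows which rules actually made it into the kernel.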
Exiting: 1 error: missing required field accessing 'auditbeat.modules.0.metricsets' (source:'/etc/auditbeat/auditbeat.yml')
If I put the output line in, I get:
auditbeat2018/02/28 10:03:54.721848 beat.go:635: CRIT Exiting: error unpacking config data: more then one namespace configured accessing 'output' (source:'/etc/auditbeat/auditbeat.yml')
Exiting: error unpacking config data: more then one namespace configured accessing 'output' (source:'/etc/auditbeat/auditbeat.yml')
Which makes sense, as I already have output defined.
My full yaml script is as follows (lots is just commented out; I left the working audit module in, but commented out, for reference):
########################## Auditbeat Configuration #############################
########################## ELKS #############################

# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/auditbeat/index.html

#============================ Config Reloading ================================

# Config reloading allows to dynamically load modules. Each file which is
# monitored must contain one or multiple modules as a list.
auditbeat.config.modules:
  # Glob pattern for configuration reloading
  path: ${path.config}/conf.d/*.yml

  # Period on which files under path should be checked for changes
  reload.period: 10s

  # Set to true to enable config reloading
  reload.enabled: false

# Maximum amount of time to randomly delay the start of a metricset. Use 0 to
# disable startup delay.
auditbeat.max_start_delay: 10s

#========================== Modules configuration =============================
auditbeat.modules:

# The kernel metricset collects events from the audit framework in the Linux
# kernel. You need to specify audit rules for the events that you want to audit.
# Sadly this yaml file is fussy so separate each rule by a blank line
#- module: audit
#  metricsets: [kernel]
#  kernel.resolve_ids: true
#  kernel.failure_mode: log
#  kernel.backlog_limit: 8192
#  kernel.rate_limit: 0
#  kernel.include_raw_message: false
#  kernel.include_warnings: false
#  kernel.audit_rules:
#
#    -w /PTC/ -p wr -k ptc_dir_access
#
#    -w /home/ -p wr -k home_dir_access
#
#    -w /etc/auditbeat/auditbeat.yml -p wa -k elks_issue
#
#    -w /etc/passwd -p wa -k passwd_changes
#
#    -a exit,always -F arch=b64 -k b64_call
#
#    -a exit,always -F arch=b32 -k b32_call

- module: auditd
  resolve_ids: true
  failure_mode: log
  backlog_limit: 8196
  rate_limit: 0
  include_raw_message: false
  include_warnings: false
  audit_rules: |
    -w /PTC/ -p wr -k ptc_dir_access
    -w /home/ -p wr -k home_dir_access
    -w /etc/auditbeat/auditbeat.yml -p wa -k elks_issue
    -w /etc/passwd -p wa -k passwd_changes
    -a exit,always -F arch=b64 -k b64_call
    -a exit,always -F arch=b32 -k b32_call

#================================ General ======================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
# If this option is not defined, the hostname is used.
name: ptc-desk

#================================ Outputs ======================================

# Configure what output to use when sending the data collected by the beat.

#----------------------------- Logstash output ---------------------------------
output.logstash:
  hosts: ["soptct62-02.family.com:5044"]
  protocol: "https"

#================================= Paths ======================================

# The data path for the auditbeat installation. This is the default base path
# for all the files in which auditbeat needs to store its data. If not set by a
# CLI flag or in the configuration file, the default for the data path is a data
# subdirectory inside the home path.
path.data: /MON/data

# The logs path for a auditbeat installation. This is the default location for
# the Beat's log files. If not set by a CLI flag or in the configuration file,
# the default for the logs path is a logs subdirectory inside the home path.
path.logs: /MON/logs

#============================== Dashboards =====================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards are disabled by default and can be enabled either by setting the
# options here, or by using the `-setup` CLI flag or the `setup` command.
#setup.dashboards.enabled: true

#============================== Template =====================================

# A template is used to set the mapping in Elasticsearch
# By default template loading is enabled and the template is loaded.
# These settings can be adjusted to load your own template or overwrite existing ones.

# Set to false to disable template loading.
#setup.template.enabled: true

# Overwrite existing template
#setup.template.overwrite: false
Hi, just a further comment: you mention I was showing config for two different versions of Auditbeat. I don't believe so. They were for two different modules.
The audit module, which I believe just sends the individual messages across.
The auditd module, which groups the messages per syscall, e.g. the 8 messages for a rename. It is this one that I want running.
Both were shown in the same documentation.
Happy to believe I'm wrong, but it is the auditd one that I would like working, and I am getting the error from what you provided.
Sheesh, I should reread what I was referring to. I've been looking at the 6.2 documentation and have
auditbeat version 6.1.2 (amd64), libbeat 6.1.2
installed. Guessing that getting Auditbeat 6.2 might correct this?