Unable to get auditd module configured for Auditbeat


#1

Hi, just loving YAML at the moment (Grr). After a lot of experimentation, I managed to get the audit module working with the following:

##################################################
auditbeat.modules:

# The kernel metricset collects events from the audit framework in the Linux
# kernel. You need to specify audit rules for the events that you want to audit.
# Sadly this yaml file is fussy so separate each rule by a blank line
- module: audit
  metricsets: [kernel]
  kernel.resolve_ids: true
  kernel.failure_mode: log
  kernel.backlog_limit: 8192
  kernel.rate_limit: 0
  kernel.include_raw_message: false
  kernel.include_warnings: false
  kernel.audit_rules:

    -w /PTC/ -p wr -k ptc_dir_access

    -w /home/ -p wr -k home_dir_access

    -w /etc/auditbeat/auditbeat.yml -p wa -k elks_issue

    -w /etc/passwd -p wa -k passwd_changes

    -a exit,always -F arch=b64 -k b64_call

    -a exit,always -F arch=b32 -k b32_call

##################################################

And yes, I needed a blank space between each rule. I tried the | after kernel.audit_rules: and even " |" (as in a blank before the |) after kernel.audit_rules:; on the above it would not work. Trouble is, I would prefer the auditd module running so that it groups the syscalls together.

So I have tried variations of the following:

##################################################
auditbeat.modules:

# The kernel metricset collects events from the audit framework in the Linux
# kernel. You need to specify audit rules for the events that you want to audit.
# Sadly this yaml file is fussy so separate each rule by a blank line
- module: auditd
  resolve_ids: true
  failure_mode: log
  backlog_limit: 8196
  rate_limit: 0
  include_raw_message: false
  include_warnings: false
  audit_rules:

    -w /PTC/ -p wr -k ptc_dir_access

    -w /home/ -p wr -k home_dir_access

    -w /etc/auditbeat/auditbeat.yml -p wa -k elks_issue

    -w /etc/passwd -p wa -k passwd_changes

    -a exit,always -F arch=b64 -k b64_call

    -a exit,always -F arch=b32 -k b32_call

###############################################

But get various messages such as:

The above config -
Exiting: 1 error: missing required field accessing 'auditbeat.modules.0.metricsets' (source:'/etc/auditbeat/auditbeat.yml')

With " audit_rules:|"
Exiting: error loading config file: yaml: line 52: could not find expected ':'

With " audit_rules: |"
Exiting: 1 error: missing required field accessing 'auditbeat.modules.0.metricsets' (source:'/etc/auditbeat/auditbeat.yml')

The same with removing all the blank lines.

I have checked and there are no trailing spaces and no tabs.

Thanks in advance!


(Andrew Kroh) #2

In the example above you are showing config for two different versions of Auditbeat. The last one uses the correct config keys for Auditbeat 6.2. There were some breaking changes in 6.2.

Regarding the audit_rules, what I have below works fine in Auditbeat 6.2. Multi-line strings in YAML can be complicated because there are so many options. Make sure you have the | and make sure the indentation is correct (no tabs). Blank lines and comments (#) are ignored by Auditbeat when parsing the audit_rules.

auditbeat.modules:
- module: auditd
  resolve_ids: true
  failure_mode: log
  backlog_limit: 8196
  rate_limit: 0
  include_raw_message: false
  include_warnings: false
  audit_rules: |
    -w /PTC/ -p wr -k ptc_dir_access
    -w /home/ -p wr -k home_dir_access
    -w /etc/auditbeat/auditbeat.yml -p wa -k elks_issue
    -w /etc/passwd -p wa -k passwd_changes

    -a exit,always -F arch=b64 -k b64_call
    -a exit,always -F arch=b32 -k b32_call

output.console.enabled: true
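An added illustration (not code from the thread or from Auditbeat) of why the | matters. Without |, YAML reads the indented lines as a plain scalar and folds them: adjacent lines are joined by a space and only a blank line survives as a newline, which is exactly why the first config needed a blank line between every rule. With | every line break is kept. The folding below is a simplified model of the YAML rule for this case, and the rule parser is a stand-in that mimics the behaviour Andrew describes (blank lines and # comments skipped, one auditctl-style rule per line); the sample rule lines are constructed from the thread.

```python
import shlex

# Constructed sample: the rules from the thread as they sit under audit_rules
# (a comment line, a blank line, one watch rule and one syscall rule).
RULE_LINES = ["# rules from the thread", "-w /etc/passwd -p wa -k passwd_changes",
              "", "-a exit,always -F arch=b64 -k b64_call"]
# auditctl flags used in the thread, mapped to the field they set.
FLAGS = {"-w": "watch", "-p": "perms", "-k": "key",
         "-a": "action", "-F": "filter", "-S": "syscall"}

def literal_block(lines):
    """Text YAML hands Auditbeat for 'audit_rules: |': every line break kept."""
    return "\n".join(lines) + "\n"

def fold_plain_scalar(lines):
    """Simplified YAML folding, i.e. the reading you get WITHOUT '|': adjacent
    non-blank lines join with one space, each blank line becomes one newline.
    (Comment lines are not modelled; in real YAML '#' would end the scalar.)"""
    out, blanks = [], 0
    for line in lines:
        if not line.strip():
            blanks += 1
            continue
        if out:
            out.append("\n" * blanks if blanks else " ")
        blanks = 0
        out.append(line.strip())
    return "".join(out)

def parse_audit_rules(text):
    """Read audit_rules as Auditbeat does: skip blank and '#' lines, treat every
    other line as one auditctl-style rule. Returns a list of dicts; raises
    ValueError when a line is not exactly one well-formed -w or -a rule."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        toks = shlex.split(line)
        if len(toks) % 2:
            raise ValueError(f"line {lineno}: flag without an argument")
        rule = {}
        for flag, arg in zip(toks[::2], toks[1::2]):
            if flag not in FLAGS:
                raise ValueError(f"line {lineno}: unknown flag {flag!r}")
            rule.setdefault(FLAGS[flag], []).append(arg)
        if len(rule.get("watch", [])) + len(rule.get("action", [])) != 1:
            raise ValueError(f"line {lineno}: not a single -w/-a rule: {line}")
        rules.append(rule)
    return rules
```

Feeding the folded text of two rules with no blank line between them into the parser fails, because both rules land on one line; the literal block parses cleanly.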

#3

Hi @andrewkroh, many thanks, will try it a little later and get back to you!


#4

Unfortunately, with the following in, I get the error at the end on an auditbeat test config:

- module: auditd
  resolve_ids: true
  failure_mode: log
  backlog_limit: 8196
  rate_limit: 0
  include_raw_message: false
  include_warnings: false
  audit_rules: |
    -w /PTC/ -p wr -k ptc_dir_access
    -w /home/ -p wr -k home_dir_access
    -w /etc/auditbeat/auditbeat.yml -p wa -k elks_issue
    -w /etc/passwd -p wa -k passwd_changes

    -a exit,always -F arch=b64 -k b64_call
    -a exit,always -F arch=b32 -k b32_call

The error:

Exiting: 1 error: missing required field accessing 'auditbeat.modules.0.metricsets' (source:'/etc/auditbeat/auditbeat.yml')

If I put the output line in I get

auditbeat2018/02/28 10:03:54.721848 beat.go:635: CRIT Exiting: error unpacking config data: more then one namespace configured accessing 'output' (source:'/etc/auditbeat/auditbeat.yml')
Exiting: error unpacking config data: more then one namespace configured accessing 'output' (source:'/etc/auditbeat/auditbeat.yml')

Which makes sense as I already have output defined.

My full YAML script is as follows (lots just commented out; I left the working audit module in but commented out for reference):

########################## Auditbeat Configuration #############################
##########################          ELKS           #############################

# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/auditbeat/index.html

#============================  Config Reloading ================================

# Config reloading allows to dynamically load modules. Each file which is
# monitored must contain one or multiple modules as a list.
auditbeat.config.modules:

  # Glob pattern for configuration reloading
  path: ${path.config}/conf.d/*.yml

  # Period on which files under path should be checked for changes
  reload.period: 10s

  # Set to true to enable config reloading
  reload.enabled: false

# Maximum amount of time to randomly delay the start of a metricset. Use 0 to
# disable startup delay.
auditbeat.max_start_delay: 10s

#==========================  Modules configuration =============================
auditbeat.modules:

# The kernel metricset collects events from the audit framework in the Linux
# kernel. You need to specify audit rules for the events that you want to audit.
# Sadly this yaml file is fussy so separate each rule by a blank line
#- module: audit
#  metricsets: [kernel]
#  kernel.resolve_ids: true
#  kernel.failure_mode: log
#  kernel.backlog_limit: 8192
#  kernel.rate_limit: 0
#  kernel.include_raw_message: false
#  kernel.include_warnings: false
#  kernel.audit_rules:
#
#    -w /PTC/ -p wr -k ptc_dir_access
#
#    -w /home/ -p wr -k home_dir_access
#
#    -w /etc/auditbeat/auditbeat.yml -p wa -k elks_issue
#
#    -w /etc/passwd -p wa -k passwd_changes
#
#    -a exit,always -F arch=b64 -k b64_call
#
#    -a exit,always -F arch=b32 -k b32_call

- module: auditd
  resolve_ids: true
  failure_mode: log
  backlog_limit: 8196
  rate_limit: 0
  include_raw_message: false
  include_warnings: false
  audit_rules: |
    -w /PTC/ -p wr -k ptc_dir_access
    -w /home/ -p wr -k home_dir_access
    -w /etc/auditbeat/auditbeat.yml -p wa -k elks_issue
    -w /etc/passwd -p wa -k passwd_changes

    -a exit,always -F arch=b64 -k b64_call
    -a exit,always -F arch=b32 -k b32_call

#================================ General ======================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
# If this options is not defined, the hostname is used.
name: ptc-desk


#================================ Outputs ======================================

# Configure what output to use when sending the data collected by the beat.

#----------------------------- Logstash output ---------------------------------
output.logstash:
  hosts: ["soptct62-02.family.com:5044"]
  protocol: "https"

#================================= Paths ======================================

# The data path for the auditbeat installation. This is the default base path
# for all the files in which auditbeat needs to store its data. If not set by a
# CLI flag or in the configuration file, the default for the data path is a data
# subdirectory inside the home path.
path.data: /MON/data

# The logs path for a auditbeat installation. This is the default location for
# the Beat's log files. If not set by a CLI flag or in the configuration file,
# the default for the logs path is a logs subdirectory inside the home path.
path.logs: /MON/logs

#============================== Dashboards =====================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards are disabled by default and can be enabled either by setting the
# options here, or by using the `-setup` CLI flag or the `setup` command.
#setup.dashboards.enabled: true

#============================== Template =====================================

# A template is used to set the mapping in Elasticsearch
# By default template loading is enabled and the template is loaded.
# These settings can be adjusted to load your own template or overwrite existing ones.

# Set to false to disable template loading.
#setup.template.enabled: true

# Overwrite existing template
#setup.template.overwrite: false

#5

Completely ignore the following!

Hi, Just a further comment, you mention I was showing config for two different versions of Auditbeat. I don't believe so. They were for two different modules.

The Audit module which I believe just sends the individual messages across.

The Auditd module that groups the messages per syscall, e.g. the 8 messages for a rename. It is this one that I want running.

Both were shown in the same documentation.

Happy to believe I'm wrong, but it is the auditd one that I would like working and I am getting the error from what you provided.

:cry:


Sheesh, I should reread what I was referring to. I've been looking at 6.2 documentation and have

auditbeat version 6.1.2 (amd64), libbeat 6.1.2

Installed, guessing that getting auditbeat 6.2 might correct this???


#6

Hi and apologies.

To paraphrase Will Smith in I, Robot: "I am the dumbest dumb person in the history of dumb people!"

I had 6.1.2 auditbeat installed and at some point started following 6.2 documentation. Just didn't pick it up.

Updated auditbeat to 6.2 and config test passes.

Arrrrrrggggghhhhhhhh!

PS Thank you!


#7

Just to confirm, auditbeat is now running as expected. Sheesh. Not sure whether to laugh or cry!