Unable to monitor the host machine via Auditbeat Docker

I have been trying to monitor my host using Auditbeat Docker, but so far I am unable to see any login attempts in my ELK stack (SIEM). The container runs without any problems. Here is the command used to bring up the container:

docker run \
  --name=auditbeat \
  --user=root \
  --cap-add=AUDIT_CONTROL \
  --cap-add=AUDIT_READ \
  --pid=host \
  --privileged=true \
  --volume=/var/run/docker.sock:/var/run/docker.sock \
  docker.elastic.co/beats/auditbeat:7.4.2 -e \
  -E 'output.elasticsearch.hosts=["elasticsearch:9200"]'

Here are the rules running:
auditctl -l
-a never,exit -S all -F pid=15025
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F key=access

auditctl -s
enabled 1
failure 0
pid 15025
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 0
loginuid_immutable 0 unlocked

Any idea what is still missing?

Thanks in advance
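As an added check (not code from the original post or from Elastic), the script below parses `auditctl -s` and `auditctl -l` output in the shape shown above and flags the conditions that most often explain an audit consumer receiving nothing: the subsystem not enabled, the audit socket owned by a different process than the one you expect (the `pid` field is whichever process registered as audit daemon; only that process receives unicast audit events), records being dropped (`lost`), and syscall rules that exist only for `arch=b32` so that 64-bit syscalls are never audited. The sample status and rule text are constructed copies of the values in the post; `consumer_pid` is a hypothetical parameter for the PID you expect to hold the socket.

```python
import re

# Constructed sample, modelled on the `auditctl -s` output shown in the post.
SAMPLE_STATUS = """\
enabled 1
failure 0
pid 15025
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 0
loginuid_immutable 0 unlocked
"""

# Constructed sample, modelled on the `auditctl -l` output shown in the post.
SAMPLE_RULES = """\
-a never,exit -S all -F pid=15025
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F key=access
"""


def parse_status(text):
    """Parse `auditctl -s` lines ("key value [extra]") into a dict.

    Numeric values become ints; trailing words such as "unlocked" are ignored.
    """
    status = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        key, value = parts[0], parts[1]
        status[key] = int(value) if value.lstrip("-").isdigit() else value
    return status


def parse_rules(text):
    """Return the non-empty rule lines from `auditctl -l` output."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def audit_checks(status, rules, consumer_pid=None):
    """Return a list of (level, message) findings about the audit setup.

    consumer_pid (hypothetical parameter): the PID you expect to own the audit
    socket, e.g. the Auditbeat process. None skips that comparison.
    """
    findings = []

    if status.get("enabled") != 1:
        findings.append(("error", "audit subsystem not enabled (enabled=%s)" % status.get("enabled")))

    pid = status.get("pid", 0)
    if pid == 0:
        findings.append(("warn", "no process is registered as audit daemon; unicast events go nowhere"))
    elif consumer_pid is not None and pid != consumer_pid:
        findings.append(("error", f"audit socket is owned by pid {pid}, not the expected consumer {consumer_pid}"))

    if status.get("lost", 0) > 0:
        findings.append(("warn", f"{status['lost']} audit records lost; consider raising backlog_limit"))

    # Syscall rules only match the architecture named in -F arch=...; a b32-only
    # rule set does not audit the 64-bit variants of those syscalls on x86_64.
    arches = {m.group(1) for rule in rules for m in re.finditer(r"-F arch=(b32|b64)", rule)}
    if "b32" in arches and "b64" not in arches:
        findings.append(("warn", "syscall rules exist only for arch=b32; 64-bit syscalls are not audited"))

    return findings


if __name__ == "__main__":
    status = parse_status(SAMPLE_STATUS)
    rules = parse_rules(SAMPLE_RULES)
    for level, message in audit_checks(status, rules):
        print(f"[{level}] {message}")
```

Run it against live output with `auditctl -s` and `auditctl -l` piped into the two parsers; the b32-only warning is the one the sample rules above trigger.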
