Visualize command history

elk6 · June 26, 2020, 5:38pm

I'm a complete noob at Elastic Stack. I need to display command history in kibana in an easy to read format, I'm looking for something like this. For that, I've set auditbeat with this rule to log every command someone runs:
-a always,exit -F arch=b64 -S execve,execveat -F key=actionmade
However the log that it generates is really complicated and hard to read.

I'm facing two things:

Is it possible to create a table like in the first picture? If so, could I ask for some guidance?
This is a more minor thing but auditbeat logs some commands that the system runs and not the user, is it possible to make it log only commands that a user enters with a shell?

Thanks ahead!

mykael · June 27, 2020, 2:10pm

I'd start by going into Discover on the auditbeat log and expanding a few records to find one that is actually a command history record. You'll have to hit the '>' sign infront of it to expand it. Once you've worked out the fields you want (date, user and command), slipping them into a table is real easy - just ignore the rest of the fields.

system · July 25, 2020, 2:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to have an array that pulls up linux commands Kibana	7	308	May 19, 2023
How to track the user commands in Kibana? Kibana	3	277	February 14, 2023
Auditbeat rules Beats auditbeat	1	296	July 7, 2021
Process auditd log to elasticsearch by using Filebeat Beats filebeat	2	2793	July 5, 2017
Auditbeat: Combining data from both (system & file_integrity) modules Beats auditbeat	1	322	August 31, 2021

Visualize command history

Related topics