I have Auditbeat running with a bunch of CIS benchmark proposed auditd rules. One of my processes generates a bunch of false positive "time change" logs that I would like to filter out:

audit: type=1300 audit(1642859012.725:23957): arch=c000003e syscall=159 success=yes exit=5 a0=c000045ce0 a1=0 a2=0 a3=c00005dfc0 items=0 ppid=1 pid=848 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="node_exporter" exe="/home/tladmin/node_exporter" key="time-change"
I tried this config line:
-a never,exclude -F path=/home/tladmin/node_exporter -k exclude_file
but it fails with: failed to interpret rule '-a never,exclude -F path=/home/tladmin/node_exporter -k exclude_file': failed to add filter '{2 path = /home/tladmin/node_exporter}': field 'path' cannot be used the exclude flag accessing 'auditbeat.modules.0' (source:'/etc/auditbeat/auditbeat.yml')
So what is the secret syntax to doing an exclusion for a specific file path?
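Added example (an editor's illustration, not part of the original post or of Auditbeat's own documentation). The error is correct: `path` is a syscall (exit) filter field and is not valid on the `exclude` list. The usual way to suppress one program's events is a `never,exit` rule on the same syscalls, matched on `exe`, placed before the `always` rule, since the kernel evaluates exit-filter rules in order and stops at the first match. Assumptions: an x86_64 host (syscall 159 in the log above is adjtimex), that the CIS-style time-change rules shown are the ones firing, and that Auditbeat's rule parser accepts the `exe` field (it is an exit-filter field; check `auditctl -l` after the module loads).

```yaml
# Editor-added auditbeat.yml fragment (not from the post). Assumptions:
# x86_64, the CIS time-change rules below are the ones in use, and the
# exe field is accepted by the Auditbeat rule parser (exit filter only).
auditbeat.modules:
- module: auditd
  audit_rules: |
    ## Suppression rules go FIRST: exit-filter rules are evaluated in
    ## order and the first match wins, so a never rule after the always
    ## rule would have no effect. The binary must exist at this path
    ## when the rules are loaded, because exe is resolved at load time.
    -a never,exit -F arch=b64 -S adjtimex -S settimeofday -F exe=/home/tladmin/node_exporter
    -a never,exit -F arch=b32 -S adjtimex -S settimeofday -F exe=/home/tladmin/node_exporter

    ## CIS "time-change" rules, unchanged apart from ordering
    -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
    -a always,exit -F arch=b32 -S adjtimex -S settimeofday -k time-change
```

Because this is a kernel-side filter, the suppressed events are never generated, which is cheaper than dropping them in Auditbeat; the trade-off is that anyone who gets code running under the node_exporter binary path also escapes the time-change rule, so keep the suppression as narrow as possible (specific syscalls, absolute path) rather than a blanket exclusion.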