What is Auditbeat audit syntax to exclude a process or path?

I have Auditbeat running with a bunch of CIS benchmark proposed auditd rules. One of my processes generates a bunch of false positive "time change" logs that I would like to filter out.

audit: type=1300 audit(1642859012.725:23957): arch=c000003e syscall=159 success=yes exit=5 a0=c000045ce0 a1=0 a2=0 a3=c00005dfc0 items=0 ppid=1 pid=848 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="node_exporter" exe="/home/tladmin/node_exporter" key="time-change"
I tried this config line:
-a never,exclude -F path=/home/tladmin/node_exporter -k exclude_file
but it fails with:
failed to interpret rule '-a never,exclude -F path=/home/tladmin/node_exporter -k exclude_file': failed to add filter '{2 path = /home/tladmin/node_exporter}': field 'path' cannot be used the exclude flag accessing 'auditbeat.modules.0' (source:'/etc/auditbeat/auditbeat.yml')

So what is the secret syntax for doing an exclusion for a specific file path?

This syntax I used was taken from auditd examples (How to exclude a file/directory from auditd rules – The Geek Diary) so if auditbeat used the same rules as auditd, then it should not complain about this syntax.

I think the way to exclude based on exe field would be:

-a exclude,always -F exe=/home/tladmin/node_exporter

Filtering on exe was added to the kernel in ~4.17, but I think Auditbeat needs to be updated to allow that.

I found an existing issue that's related. Update allowed fields with "exclude" flag · Issue #78 · elastic/go-libaudit · GitHub
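To see what the exe-based exclude rule above would actually match, here is an added user-space emulation (not Auditbeat or go-libaudit code): it parses the raw SYSCALL record from the question into fields and drops records whose exe equals the excluded binary. The second record, the function names and the file path are constructed for illustration; note the record carries an exe field but no path field (items=0, so no PATH record follows it).

```python
import re
import shlex

# Record 1 is the raw line from the question; record 2 is constructed:
# the same syscall (159 = adjtimex on x86_64) issued by a different binary.
SAMPLE_RECORDS = [
    'type=1300 audit(1642859012.725:23957): arch=c000003e syscall=159 success=yes exit=5 '
    'a0=c000045ce0 a1=0 a2=0 a3=c00005dfc0 items=0 ppid=1 pid=848 auid=4294967295 uid=1001 '
    'gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) '
    'ses=4294967295 comm="node_exporter" exe="/home/tladmin/node_exporter" key="time-change"',
    'type=1300 audit(1642859100.000:23999): arch=c000003e syscall=159 success=yes exit=0 '
    'a0=0 a1=0 a2=0 a3=0 items=0 ppid=1 pid=900 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 '
    'egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="date" exe="/usr/bin/date" key="time-change"',
]

# "type=<N> audit(<epoch>.<ms>:<serial>): <key=value ...>"
HEADER_RE = re.compile(
    r'^type=(?P<type>\w+) audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')


def parse_record(line):
    """Parse one raw audit record into a dict of field -> string value.

    Quoted values such as comm="..." and exe="..." are unquoted by shlex;
    unquoted values like tty=(none) are kept literally.
    """
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line[:40])
    fields = {"type": m.group("type"),
              "timestamp": float(m.group("ts")),
              "serial": int(m.group("serial"))}
    for token in shlex.split(m.group("body")):
        key, sep, value = token.partition("=")
        if sep:  # ignore stray tokens without '='
            fields[key] = value
    return fields


def filter_excluding_exe(records, excluded_exe):
    """User-space equivalent of '-a exclude,always -F exe=<path>'.

    Records whose exe equals excluded_exe are dropped; records without an
    exe field (e.g. PATH or CWD records) are never dropped by this rule.
    """
    return [r for r in records if r.get("exe") != excluded_exe]


if __name__ == "__main__":
    parsed = [parse_record(line) for line in SAMPLE_RECORDS]
    for rec in filter_excluding_exe(parsed, "/home/tladmin/node_exporter"):
        print("kept serial=%d exe=%s key=%s" % (rec["serial"], rec["exe"], rec["key"]))
```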
