Skip to content

gurucleff/logstash-auditd

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
README.md
README.md
 
 
auditd-filter.conf
auditd-filter.conf
 
 

Repository files navigation

logstash-auditd

Logstash/grok filter for parsing auditd event logs and display it on the official module dashboard. Elasticsearch docs seems to have example filters for all the other filebeat modules except this one.

Made with Logstash 5.4, tested on CentOS 6. Might not work properly, feel free to contribute.

In order to get exec events logged we need to ensure that the following exists in /etc/audit/audit.rules.

-a exit,always -F arch=b64 -S execve
-a exit,always -F arch=b32 -S execve

The filters are in the following order of record_type processing groups

DAEMON_START
LOGIN
USER_LOGIN
EXECVE
SYSCALL
CRED_ACQ USER_CMD USER_START USER_ACCT USER_END
CWD PATH BPRM_FCAPS (pretty generic, probably will match everything else)

Enjoy!

About

logstash 5.4 auditd filter

Topics

logstash filebeat auditd

Resources

Readme
Activity

Stars

5 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy