The Illuminate Linux Auditbeat Spotlight for Graylog works with Graylog Illuminate Core and the Elastic Auditbeat agent for Linux. The Auditbeat agent is a "lightweight shipper for audit data." The Auditbeat agent for Linux communicates with the Linux Audit framework and adds processing, enrichment, and delivery of Linux audit messages.
The Linux Auditbeat Spotlight comes ready to use with pre-built dashboard views including:
- Linux Auditbeat Overview
- Network Activity
- Admin activity
These built-in views can serve as a starting point for creating custom dashboards.
Supported Version(s)
This Spotlight was developed using Auditbeat for Linux version 7. This Spotlight functions with both the OSS ("Open-Source Software") and non-OSS versions of the Linux Auditbeat agent; the OSS version of the agent does not include the system module, which provides additional data sets that are only available in the non-OSS version of Auditbeat.
Stream Configuration
This technology pack includes one stream:
- “Illuminate:Linux Auditbeat Messages”
Hint: If this stream does not exist before the pack is activated, it will be created and configured to route messages to the associated index set. No stream rules should be configured for this stream.
Index Set Configuration
This technology pack includes one index set definition:
- "Illuminate: Linux Auditbeat Messages"
Log Format Example
```
type=CRED_ACQ msg=audit(1633670701.685:6873): pid=5205 uid=0 auid=4294967095 ses=4294970295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
```
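As an added example (not part of the Illuminate pack or its pipeline rules), the following Python parses records in the format shown above: the `type=... msg=audit(timestamp:serial):` header, the top-level key=value fields, and the quoted key=value payload nested inside `msg='...'`. The sample record is the one shown above; the function and variable names are this example's own.

```python
import re

# Constructed sample input: the CRED_ACQ record shown on this page, without the JSON wrapping.
SAMPLE = (
    "type=CRED_ACQ msg=audit(1633670701.685:6873): pid=5205 uid=0 auid=4294967095 "
    "ses=4294970295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit,pam_cap "
    'acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success\''
)

# Record header: type=<TYPE> msg=audit(<epoch.millis>:<serial>): <key=value fields>
_HEADER = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<rest>.*)$"
)
# One key=value pair; a value is single-quoted, double-quoted, or a bare token.
# The quoted alternatives come first so msg='...' is taken whole, spaces included.
_KV = re.compile(r"""(?P<key>[\w\-]+)=(?P<val>'[^']*'|"[^"]*"|\S*)""")


def parse_kv(text):
    """Split a run of key=value pairs into a dict, stripping surrounding quotes."""
    fields = {}
    for m in _KV.finditer(text):
        val = m.group("val")
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "'\"":
            val = val[1:-1]
        fields[m.group("key")] = val
    return fields


def parse_audit_record(line):
    """Parse one auditd record into type, timestamp, serial, top-level fields
    and, when present, the nested key=value fields inside msg='...'."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not an auditd record: %r" % line)
    record = {
        "type": m.group("type"),
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
    }
    outer = parse_kv(m.group("rest"))
    nested = outer.pop("msg", None)  # the quoted PAM/user-space payload, if any
    record.update(outer)
    if nested is not None:
        record["msg"] = parse_kv(nested)
    return record


if __name__ == "__main__":
    import json
    print(json.dumps(parse_audit_record(SAMPLE), indent=2))
```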
Requirements
- A configured Beats input on Graylog server (See “Create Beats Input” below)
- The "Beats type prefix" must be enabled
- One or more Linux hosts with Elastic Auditbeat installed
- Beats agents, including Auditbeat, can be managed using the Graylog Sidecar
Fields
- event_source_product: linux_auditbeat
What is Provided
- Parsing rules to extract Linux Auditbeat logs into Graylog schema compatible fields
- Data lookup tables used in the normalization and enrichment of Linux Auditbeat log messages into the Graylog schema
- Dashboards
Auditbeat Log Message Processing
The Illuminate processing of Linux Auditbeat messages provides the following:
- Field extraction, normalization and message enrichment for Linux Auditbeat log messages
- GIM Categorization of messages from the following Auditbeat modules:
  - AuditD
  - System
  - File Integrity

Log category field: vendor_event_category

Auditbeat Dataset | Auditbeat Log Category | GIM Category | GIM Subcategory
---|---|---|---
executed | | |
bound-socket | | |
connected-to | | |
network_flow | | |
process_stopped | | |
process_started | | |
existing_user | | |
existing_process | | |
opened-file | | |
was-authorized | | |
started-session | | |
acquired-credentials | | |
disposed-credentials | | |
ended-session | | |
changed-logon-id-to | | |
wrote-to-file | | |
started-service | | |
stopped-service | | |
process_error | | |
attributes_modified | | |
updated | | |
created | | |
host | | |
authenticated | | |
deleted | | |
moved | | |
violated-apparmor-policy | | |
package_updated | | |
ran-command | | |
refreshed-credentials | | |
user_logout | | |
package_installed | | |
renamed | | |
user_login | | |
accepted-connection-from | | |
logged-in | | |
changed-password | | |
added-group-account-to | | |
package_removed | | |
user_changed | | |
added-user-account | | |
host_changed | | |
password_changed | | |
sent-to | | |
user_added | | |
deleted-group-account-from | | |
Linux Auditbeat Spotlight Content Pack
Create a Beats Input
- From the System menu, choose Inputs.
- Select Beats from the Select Input drop-down menu.
- Click Launch New Input.
- Assign a node or select Global mode.
- Set the Title, Bind Address, and listening Port. For example:
- Title: “Beats input 5044”
- Bind address: “0.0.0.0” to listen on all interfaces
- Port: “5044”
- Make sure the option “Do not add Beats type as prefix” is not selected. Pipeline processing rules reference incoming data by field name and the pipeline will not function correctly if this prefix is omitted.
- Save the input settings.
- If the input does not start automatically, select Start Input to begin listening for and processing new Beats messages (including Linux Auditbeat messages).