Graylog Illuminate is available for use with Graylog Operations and Graylog Security. Contact sales to learn more about obtaining the Graylog Illuminate release file.

The Illuminate Linux Auditbeat Spotlight for Graylog works with Graylog Illuminate Core and Elastic Auditbeat agent for Linux. The Auditbeat agent is a "lightweight shipper for audit data." The Auditbeat agent for Linux communicates with the Audit framework for LInux and adds processing, enrichment, and delivery of Linux audit messages.

The Linux Auditbeat Spotlight comes ready to use with pre-built dashboard views including:

  • Linux Auditbeat Overview
  • Network Activity
  • Admin activity

These built-in views can serve as a starting point for creating custom dashboards.

Supported Version(s)

This Spotlight was developed using Auditbeat for Linux version 7. This spotlight will function with both the OSS ("Open-Source Software") and non-OSS versions of the Linux Auditbeat agent; the non-OSS version of the agent does not include the system module which provides additional data sets not available in the OSS version of Auditbeat.

Stream Configuration

This technology pack includes one stream:

  • “Illuminate:Linux Auditbeat Messages”

Hint: If this stream does not exist prior to the activation of this pack then it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes one index set definition:

  • "Illuminate: Linux Auditbeat Messages"
Hint: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Format Example

["type=CRED_ACQ msg=audit(1633670701.685:6873): pid=5205 uid=0 auid=4294967095 ses=4294970295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit,pam_cap acct=\"root\" exe=\"/usr/sbin/cron\" hostname=? addr=? terminal=cron res=success'"]

Requirements

  • A configured Beats input on Graylog server (See “Create Beats Input” below)
  • The "Beats type prefix" must be enabled
  • One or more Linux hosts with Elastic Auditbeat installed
  • Beats agents, including Auditbeat, can be managed using the Graylog Sidecar
Warning: For Illuminate versions prior to Illuminate 2.2.2 the following has to be added to the auditbeat.yml configuration file or to the Auditbeat configuration in the Graylog sidecar configuration for Auditbeat:
fields event_source_product: linux_auditbeat

What is Provided

  • Parsing rules to extract Linux Auditbeat logs into Graylog schema compatible fields
  • Data lookup tables use in the normalization and enrichment of Linux Auditbeat log messages into the Graylog schema
  • Dashboards

Auditbeat Log Message Processing

The Illuminate processing of Linux Auditbeat messages provides the following:

  • Field extraction, normalization and message enrichment for Linux Auditbeat log messages
  • GIM Categorization of the following messages:

Auditbeat Module: AuditD

| vendor_event_category |

Auditbeat Module: System

Auditbeat Module: File Integrity

Auditbeat Dataset Auditbeat Log Category GIM Category GIM Subcategory

executed cell cell

bound-socket cell cell

connected-to cell cell

network_flow


process_stopped


process_started


existing_user


existing_process


opened-file


was-authorized


started-session


acquired-credentials


disposed-credentails


ended-session


changed-logon-id-to


wrote-to-file


started-service


stopped-service


process_error


attributes_modified


updated


created


host


authenticated


deleted


moved


violated-apparmor-policy


package_updated


ran-command


refreshed-credentials


user_logout


package_installed


renamed


user_login


accepted-connection-from


logged-in


changed-password


added-group-account-to


package_removed


user_changed


added-user-account


host_changed


password_changed


sent-to


user_added


deleted-group-account-from

Linux Auditbeat Spotlight Content Pack

Create a Beats Input

HintOne Beats input can service multiple log sources; therefore, this step is not required if a Beats input has already been configured.
  1. On the Select Input drop-down menu, select the System menu and then choose Inputs.
  2. Select Beats from the Select Input drop-down menu.
  3. Click Launch New Input.
  4. Assign a node or select Global mode.
  5. Set the Title, Bind Address, and listening Port. For example:
    1. Title: “Beats input 5044”
    2. Bind address: “0.0.0.0” to listen on all interfaces
    3. Port: “5044”
  6. Make sure the option “Do not add Beats type as prefix” is not selected. Pipeline processing rules reference incoming data by field name and the pipeline will not function correctly if this prefix is omitted.
  7. Save the input settings.
  8. If the input does not start automatically, select Start Input to begin listening for and processing new Beats messages (including Linux Auditbeat messages).

References