The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

The Illuminate Linux Auditbeat Spotlight for Graylog works with Graylog Illuminate Core and the Elastic Auditbeat agent for Linux. Auditbeat is a "lightweight shipper for audit data." On Linux it reads events from the kernel audit framework (the same source auditd uses) and adds processing, enrichment, and delivery of the audit messages.

The Linux Auditbeat Spotlight comes ready to use with pre-built dashboard views including:

  • Linux Auditbeat Overview

  • Network Activity

  • Admin Activity

These built-in views can serve as a starting point for creating custom dashboards.

Supported Version(s)

This Spotlight supports Auditbeat for Linux versions 7-8 and will function with both the Elastic-licensed and Apache-licensed versions of Auditbeat.

Warning: The Apache-licensed version of Auditbeat does not include the "system" module. The additional data sets that module provides are only available in the Elastic-licensed version.

By default, Graylog Sidecar comes with the Apache-licensed version of Auditbeat. If you want to utilize the "system" module, you can install the Elastic-licensed version by adding the appropriate repo and installing Auditbeat alongside the bundled version.

Requirements

  • A configured Beats input on Graylog server (See "Create Beats Input" below)

  • The "Beats type prefix" must be enabled

  • One or more Linux hosts with Elastic Auditbeat installed

  • Beats agents, including Auditbeat, can be managed using the Graylog Sidecar

Warning: For Illuminate versions prior to Illuminate 2.2.2, the following must be added to the auditbeat.yml configuration file, or to the Auditbeat collector configuration in Graylog Sidecar:

    fields:
      event_source_product: linux_auditbeat

Stream Configuration

This technology pack includes 1 stream:

  • "Illuminate:Linux Auditbeat Messages"

Hint: If this stream does not exist when the pack is activated, it will be created, and messages will be routed to it and to its associated index set. No stream rules should be configured for this stream.

Index Set Configuration

This technology pack includes 1 index set definition:

  • "Linux Auditbeat Logs"

Hint: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Format Example

    type=CRED_ACQ msg=audit(1633670701.685:6873): pid=5205 uid=0 auid=4294967095 ses=4294970295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
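To show how a raw record in this format breaks down before Illuminate's parsing rules see it, here is an added example (not part of the page or of Graylog's pipeline rules). It splits the header, the outer key=value list and the nested msg='...' list, normalises the auditd "?" placeholders and the unset-auid sentinel, and tags the record with the gim_event_type_code the page's GIM table gives that action. The audit-type-to-action names are an assumption based on Auditbeat's own normalisation; both sample lines are constructed.

```python
import re
from typing import Any, Dict

# Constructed samples in the shape of the page's Log Format Example (not captured from a real host).
SAMPLE_OK = ("type=CRED_ACQ msg=audit(1633670701.685:6873): pid=5205 uid=0 auid=4294967095 "
             "ses=4294970295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit,pam_cap "
             "acct=\"root\" exe=\"/usr/sbin/cron\" hostname=? addr=? terminal=cron res=success'")
SAMPLE_FAIL = ("type=USER_AUTH msg=audit(1633670800.000:6900): pid=6001 uid=0 auid=4294967295 "
               "ses=4294967295 subj=unconfined msg='op=PAM:authentication grantors=? acct=\"bob\" "
               "exe=\"/usr/sbin/sshd\" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=failed'")

# Assumption: Auditbeat's normalised action names for these PAM record types (from its
# aucoalesce normalisation, not from this page), each paired with the gim_event_type_code
# the page's GIM table assigns to that action.
ACTION_BY_TYPE = {
    "CRED_ACQ": ("acquired-credentials", 109999), "CRED_DISP": ("disposed-credentials", 109999),
    "CRED_REFR": ("refreshed-credentials", 109999), "USER_AUTH": ("authenticated", 109999),
    "USER_ACCT": ("was-authorized", 109999), "USER_START": ("started-session", 109999),
    "USER_END": ("ended-session", 109999), "USER_LOGIN": ("logged-in", 100000),
}
UNSET_ID = 4294967295  # (uint32)-1: auid/ses never set by a login process

_HEADER = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<rest>.*)$")
_KV = re.compile(r"(\w+)=('(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"|\S*)")

def _unquote(value: str) -> Any:
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return None if value == "?" else value  # auditd writes ? for unknown host/addr/grantors

def parse_audit_line(line: str) -> Dict[str, Any]:
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line[:40])
    rec: Dict[str, Any] = {"type": m["type"], "timestamp": float(m["ts"]), "serial": int(m["serial"])}
    for key, raw in _KV.findall(m["rest"]):
        if key == "msg":  # nested msg='...' holds a second key=value list (PAM/login details)
            rec.update({k: _unquote(v) for k, v in _KV.findall(_unquote(raw) or "")})
        else:
            rec[key] = _unquote(raw)
    for key in ("pid", "uid", "auid", "ses"):  # numeric ids arrive as text
        if isinstance(rec.get(key), str) and rec[key].isdigit():
            rec[key] = int(rec[key])
    rec["auid_unset"] = rec.get("auid") == UNSET_ID
    rec["vendor_event_action"], rec["gim_event_type_code"] = ACTION_BY_TYPE.get(rec["type"], (None, 0))
    rec["outcome"] = None if "res" not in rec else ("success" if rec["res"] == "success" else "failure")
    return rec
```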

What is Provided

  • Parsing rules to extract, normalize, and enrich fields from Linux Auditbeat logs into Graylog schema compatible fields

  • A spotlight providing overview dashboards for Linux Auditbeat events

Log Collection

Install Elastic Auditbeat

  1. For the APT package manager, run the following commands:

    wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
    echo "deb https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-8.x.list
  2. For the YUM package manager, run the following commands:

    sudo rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
    cat << EOF | sudo tee -a /etc/yum.repos.d/elastic-8.x.repo
    [elastic-8.x]
    name=Elastic repository for 8.x packages
    baseurl=https://artifacts.elastic.co/packages/8.x/yum
    gpgcheck=1
    gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
    enabled=1
    autorefresh=1
    type=rpm-md
    EOF

Create a Beats Input

One Beats input can serve multiple log sources, so this step is not required if a Beats input has already been configured.

  1. Navigate to System > Inputs.

  2. Select Beats from the Select input dropdown, then click Launch new input.

  3. Assign a node or select Global mode.

  4. Set the title, bind address, and listening port. For example:

    • Title: "Beats input 5044"

    • Bind address: "0.0.0.0" to listen on all interfaces

    • Port: "5044"

  5. Make sure the option "Do not add Beats type as prefix" is not selected. Pipeline processing rules reference incoming data by field name and the pipeline does not function correctly if this prefix is omitted.

  6. Select Launch input to save your settings.

  7. If the input does not start automatically, select Start Input to begin listening for and processing new Beats messages (including Linux Auditbeat messages).

Create Graylog REST API Token

  1. Navigate to the Graylog user configuration menu by selecting System > Users and Teams.

  2. Select the user for which to create a token, click More Actions, then select Edit tokens.

  3. Provide a Token Name (e.g. linux_auditbeat), then click Create Token.

  4. Click Copy to Clipboard to retrieve the new API access token.

Install and Configure Graylog Sidecar Agent for Linux

Consult official documentation for full explanations and instructions.

Configure Auditbeat Log Collector in Graylog

Next, modify the Auditbeat log collector configuration. For more information on setting up Sidecar log collectors, see the Graylog documentation on default collector configurations.

  1. Navigate to System > Sidecars and select the Configurations tab.

  2. In the Log Collectors section, select Edit next to your Auditbeat collector.

  3. Modify the Executable Path field to point to the new Auditbeat agent's binary path, which is set to /usr/share/auditbeat/bin/auditbeat by default.

  4. Edit the Graylog Sidecar client configuration with your Graylog server API URL and API access token.

Optionally, you can create a new Auditbeat log collector with this path rather than modifying the default, so that the default log collector is not overwritten. Remember to give it a unique name, such as "Auditbeat (Elastic-licensed)."

GIM Categorization

GIM categorization is provided for the following messages:

vendor_event_action gim_event_type_code gim_event_category gim_event_class gim_event_subcategory gim_event_type
executed 190000 process endpoint process.execute process started
existing_package 000000 message message.log_message message
bound-socket 000000 message message.log_message message
connected-to 000000 message message.log_message message
network_flow 129999 network network.default network message
process_stopped 190100 process endpoint process.end process stopped
process_started 190000 process endpoint process.execute process started
existing_user 119999 iam iam.default iam message
existing_process 000000 message message.log_message message
opened-file 201500 file endpoint file.access file accessed
was-authorized 109999 authentication authentication.default authentication message
started-session 109999 authentication authentication.default authentication message
acquired-credentials 109999 authentication authentication.default authentication message
disposed-credentials 109999 authentication authentication.default authentication message
ended-session 109999 authentication authentication.default authentication message
changed-login-id-to 109999 authentication authentication.default authentication message
wrote-to-file 000000 message message.log_message message
started-service 210000 service endpoint service.start service started
stopped-service 210100 service endpoint service.stop service stopped
process_error 000000 message message.log_message message
attributes_modified 201000 file endpoint file.modify file modified
updated 201000 file endpoint file.modify file modified
created 200000 file endpoint file.create file created
host 000000 message message.log_message message
authenticated 109999 authentication authentication.default authentication message
deleted 200100 file endpoint file.delete file deleted
moved 201000 file endpoint file.modify file modified
violated-apparmor-policy 301002 alert alert.host alert hips alert
package_updated 000000 message message.log_message message
ran-command 000000 message message.log_message message
refreshed-credentials 109999 authentication authentication.default authentication message
user_logout 102500 authentication authentication.logoff logoff
package_installed 000000 message message.log_message message
renamed 201000 file endpoint file.modify file modified
user_login 100000 authentication authentication.logon logon
accepted-connection-from 000000 message message.log_message message
logged-in 100000 authentication authentication.logon logon
changed-password 111004 iam iam.object modify password change
added-group-account-to 119999 iam iam.default iam message
package_removed 000000 message message.log_message message
user_changed 111000 iam iam.object modify account modified
added-user-account 111007 iam iam.object modify group member added
host_changed 000000 message message.log_message message
password_changed 111004 iam iam.object modify password change
sent-to 129999 network network.default network message
user_added 110000 iam iam.object create account created
deleted-group-account-from 110501 iam iam.object delete group deleted
changed-audit-configuration 000000 message message.log_message message
shutdown 000000 message message.log_message message
boot 000000 message message.log_message message
initial_scan 000000 message message.log_message message
deleted-user-account 000000 message message.log_message message
user_removed 000000 message message.log_message message
reboot 000000 message message.log_message message
access-permission 000000 message message.log_message message
changed-promiscuous-mode-on-device 000000 message message.log_message message
loaded-firewall-rule-to 000000 message message.log_message message
received-from 000000 message message.log_message message
created-directory 000000 message message.log_message message
changed-to-runlevel 000000 message message.log_message message
changed-file-attributes-of 000000 message message.log_message message
changed-file-permissions-of 000000 message message.log_message message
changed-file-ownership-of 000000 message message.log_message message
symlinked 000000 message message.log_message message
killed-pid 000000 message message.log_message message
read-file 000000 message message.log_message message
listen-for-connections 000000 message message.log_message message
changed-configuration 000000 message message.log_message message
crashed-program 000000 message message.log_message message
changed-system-name 000000 message message.log_message message
violated-selinux-policy 000000 message message.log_message message
changed-role-to 000000 message message.log_message message
relabeled-filesystem 000000 message message.log_message message
changed-selinux-enforcement 000000 message message.log_message message
assigned-vm-resource 000000 message message.log_message message
assigned-vm-id 000000 message message.log_message message
issued-vm-control 000000 message message.log_message message
opened-too-many-sessions-to 000000 message message.log_message message
hostname_changed 000000 message message.log_message message
checked-metadata-of 000000 message message.log_message message
mounted 000000 message message.log_message message
unmounted 000000 message message.log_message message
end 000000 message message.log_message message
changed-system-time 000000 message message.log_message message
changed-identity-of 000000 message message.log_message message
changed-timestamp-of 000000 message message.log_message message
failed-log-in-too-many-times-to 000000 message message.log_message message
loaded-selinux-policy 000000 message message.log_message message
assigned-user-role-to 000000 message message.log_message message
removed-user-role-from 000000 message message.log_message message
changed-selinux-boolean 000000 message message.log_message message
error 000000 message message.log_message message
adjusted-scheduling-policy-of 000000 message message.log_message message
allocated-memory 000000 message message.log_message message
checked-filesystem-metadata-of 000000 message message.log_message message
loaded-kernel-module 000000 message message.log_message message
unloaded-kernel-module 000000 message message.log_message message
make-device 000000 message message.log_message message
violated-seccomp-policy 000000 message message.log_message message