The Illuminate Linux Auditbeat Spotlight for Graylog works with Graylog Illuminate Core and the Elastic Auditbeat agent for Linux. The Auditbeat agent is a "lightweight shipper for audit data." The Auditbeat agent for Linux communicates with the Linux Audit framework and adds processing, enrichment, and delivery of Linux audit messages.

The Linux Auditbeat Spotlight comes ready to use with pre-built dashboard views including:

  • Linux Auditbeat Overview
  • Network Activity
  • Admin activity

These built-in views can serve as a starting point for creating custom dashboards.

Supported Version(s)

This Spotlight supports Auditbeat for Linux versions 7-8 and will function with both the Elastic-licensed and Apache-licensed versions of Auditbeat.

Warning: The Apache-licensed version of Auditbeat does NOT include the "system" module, which provides additional data sets not available in the Elastic-licensed version.

By default, Graylog Sidecar comes with the Apache-licensed version of Auditbeat. If you want to utilize the "system" module, you can install the Elastic-licensed version by adding the appropriate repo and installing Auditbeat alongside the bundled version.

Install Elastic Version of Auditbeat

For the APT package manager, run the following commands:

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
echo "deb https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-8.x.list

For the YUM package manager, run the following commands:

sudo rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch
cat << EOF | sudo tee -a /etc/yum.repos.d/elastic-8.x.repo
[elastic-8.x]
name=Elastic repository for 8.x packages
baseurl=https://artifacts.elastic.co/packages/8.x/yum
gpgcheck=1
gpgkey=https://artifacts.elastic.co/GPG-KEY-elasticsearch
enabled=1
autorefresh=1
type=rpm-md
EOF

Configure Auditbeat Log Collector in Graylog

Next, modify the Auditbeat log collector configuration. For more information on setting up Sidecar log collectors, see the Graylog documentation on default collector configurations.

  1. Navigate to System > Sidecars and select the Configurations tab.

  2. Then, under the Log Collectors menu, select Edit next to your Auditbeat collector.

  3. Modify the "Executable Path" field to point to the new Auditbeat agent's binary path, which is set to /usr/share/auditbeat/bin/auditbeat by default.

Alternatively, you can create a new Auditbeat log collector with this path instead of modifying the default, so that the default log collector is left intact. Remember to give it a unique name, like "Auditbeat (Elastic-licensed)."

Stream Configuration

This technology pack includes one stream:

  • “Illuminate:Linux Auditbeat Messages”

Hint: If this stream does not exist before the pack is activated, it will be created, and messages will be routed to it and to the associated index set. No stream rules should be configured for this stream.

Index Set Configuration

This technology pack includes one index set definition:

  • "Illuminate: Linux Auditbeat Messages"

Hint: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Format Example

["type=CRED_ACQ msg=audit(1633670701.685:6873): pid=5205 uid=0 auid=4294967095 ses=4294970295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit,pam_cap acct=\"root\" exe=\"/usr/sbin/cron\" hostname=? addr=? terminal=cron res=success'"]
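As an added illustration (not part of the Illuminate pack or Graylog's own pipeline rules), the following Python parses the record above into typed fields the way an extraction rule would: it splits the auditd key=value pairs, pulls the timestamp and serial out of the audit(...) header, parses the nested msg='...' body, turns "?" into missing values, and adds the event_source_product tag that the Requirements warning asks for on older Illuminate versions. The sample line is constructed from the example above.

```python
import re
from typing import Any, Dict, Union

# Constructed sample: the CRED_ACQ record from the Log Format Example, as raw text.
SAMPLE = (
    "type=CRED_ACQ msg=audit(1633670701.685:6873): pid=5205 uid=0 auid=4294967095 "
    "ses=4294970295 subj=unconfined msg='op=PAM:setcred grantors=pam_permit,pam_cap "
    "acct=\"root\" exe=\"/usr/sbin/cron\" hostname=? addr=? terminal=cron res=success'"
)

# key=value pairs; a value is "double-quoted", 'single-quoted' or a bare token.
_KV = re.compile(r"""(\w+)=(?:"([^"]*)"|'([^']*)'|(\S+))""")
# The audit(<epoch>.<millis>:<serial>) header auditd puts in the first msg= field.
_HEADER = re.compile(r"^audit\((\d+\.\d+):(\d+)\):?$")
# auditd keys that are always integers and are worth typing as numbers for dashboards.
_INT_KEYS = {"pid", "ppid", "uid", "gid", "auid", "ses", "euid", "egid"}


def _normalize(key: str, raw: str) -> Union[str, int, None]:
    if raw == "?":                      # auditd writes "?" when a value is unknown
        return None
    if key in _INT_KEYS and raw.isdigit():
        return int(raw)
    return raw


def parse_auditd_record(line: str) -> Dict[str, Any]:
    """Flatten one auditd record into a dict; the quoted msg='...' body is parsed too."""
    fields: Dict[str, Any] = {}
    for m in _KV.finditer(line):
        key = m.group(1)
        raw = next(g for g in m.groups()[1:] if g is not None)
        hdr = _HEADER.match(raw) if key == "msg" else None
        if hdr:                         # msg=audit(ts:serial): carries time and sequence
            fields["timestamp"] = float(hdr.group(1))
            fields["sequence"] = int(hdr.group(2))
        elif key == "msg" and "=" in raw:   # msg='op=... acct="root" ...' nested pairs
            fields.update(parse_auditd_record(raw))
        else:
            fields[key] = _normalize(key, raw)
    return fields


def to_illuminate_message(line: str) -> Dict[str, Any]:
    """Parse a record and add the tag Illuminate versions before 2.2.2 require."""
    msg = parse_auditd_record(line)
    msg["event_source_product"] = "linux_auditbeat"
    return msg
```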

Requirements

  • A configured Beats input on the Graylog server (see "Create a Beats Input" below)
  • The "Beats type prefix" must be enabled
  • One or more Linux hosts with Elastic Auditbeat installed
  • Beats agents, including Auditbeat, can be managed using the Graylog Sidecar

Warning: For Illuminate versions prior to Illuminate 2.2.2, the following must be added to the auditbeat.yml configuration file or to the Auditbeat configuration in the Graylog Sidecar configuration for Auditbeat:

fields:
  event_source_product: linux_auditbeat

What is Provided

  • Parsing rules to extract Linux Auditbeat logs into Graylog schema compatible fields
  • Data lookup tables used in the normalization and enrichment of Linux Auditbeat log messages into the Graylog schema
  • Dashboards

Auditbeat Log Message Processing

The Illuminate processing of Linux Auditbeat messages provides the following:

  • Field extraction, normalization and message enrichment for Linux Auditbeat log messages
  • GIM Categorization of messages from the AuditD, System, and File Integrity Auditbeat modules

The categorization table (columns: Auditbeat Dataset, Auditbeat Log Category, GIM Category, GIM Subcategory) covers the following Auditbeat datasets and log categories (vendor_event_category values); the GIM Category and GIM Subcategory values are not available in this version of the page:

  • executed
  • bound-socket
  • connected-to
  • network_flow
  • process_stopped
  • process_started
  • existing_user
  • existing_process
  • opened-file
  • was-authorized
  • started-session
  • acquired-credentials
  • disposed-credentials
  • ended-session
  • changed-logon-id-to
  • wrote-to-file
  • started-service
  • stopped-service
  • process_error
  • attributes_modified
  • updated
  • created
  • host
  • authenticated
  • deleted
  • moved
  • violated-apparmor-policy
  • package_updated
  • ran-command
  • refreshed-credentials
  • user_logout
  • package_installed
  • renamed
  • user_login
  • accepted-connection-from
  • logged-in
  • changed-password
  • added-group-account-to
  • package_removed
  • user_changed
  • added-user-account
  • host_changed
  • password_changed
  • sent-to
  • user_added
  • deleted-group-account-from

Linux Auditbeat Spotlight Content Pack

Create a Beats Input

Hint: One Beats input can service multiple log sources; therefore, this step is not required if a Beats input has already been configured.

  1. From the System menu, choose Inputs.
  2. Select Beats from the Select Input drop-down menu.
  3. Click Launch New Input.
  4. Assign a node or select Global mode.
  5. Set the Title, Bind Address, and listening Port. For example:
    1. Title: “Beats input 5044”
    2. Bind address: “0.0.0.0” to listen on all interfaces
    3. Port: “5044”
  6. Make sure the option “Do not add Beats type as prefix” is not selected. Pipeline processing rules reference incoming data by field name and the pipeline will not function correctly if this prefix is omitted.
  7. Save the input settings.
  8. If the input does not start automatically, select Start Input to begin listening for and processing new Beats messages (including Linux Auditbeat messages).