If you run the audit daemon on your Linux distribution, you might notice that some of the most valuable information produced by auditd is not transmitted when you enable syslog forwarding to Graylog. By default, these messages are written to /var/log/audit/audit.log, which is written to file by the auditd process directly and not sent via syslog. In this post, we will walk through the steps to capture this information and bring it into your Graylog instance, to get insight into what users do on your Linux servers.

This is similar to our earlier blog post, “Back to Basics: Enhance Windows Security with Sysmon and Graylog”, but now for Linux.

In order to collect these important messages, you need to make an extra effort: fetch the file with a log collector, then transmit it to Graylog. Changing the default settings to send these additional messages via syslog is one option. However, information in these messages might be incomplete if they exceed the size limitation of syslog (1024kb). As these messages may include sensitive information and are security relevant, they should not be transferred in plain text over any kind of network. The collector should use a secured transport connection.

The easiest way to get this up and running would be to use Elastic's Filebeat and create a Beats input on the Graylog server. This Filebeat instance can be controlled by the Graylog Collector-Sidecar or any kind of configuration management you already use. Of course, it is also possible to configure Filebeat manually if you are only collecting from a single host.

Deliver the Log File

By default, the auditd log file is owned by the user and group root and not accessible to any other user. The collector needs to run as root or needs to be added to the group “root” to have access to that log file. Running the collector as root is by far the simplest solution, but please check that you do not violate any policies in your environment. Like any other log file that should be transported with Filebeat, the best solution would be to use one prospector that includes the configuration specific for that file. More details can be found in the Filebeat documentation.

    filebeat:
      prospectors:
        - encoding: plain
          fields:
            collector_node_id: c00010.lan
            type: auditd
          ignore_older: 0
          paths:
            - /var/log/audit/audit.log
          scan_frequency: 10s
          tail_files: true
          type: log
    output:
      logstash:
        hosts:
          - graylog001.lan:5044
          - graylog002.lan:5044
          - graylog003.lan:5044
        loadbalance: true
        # to enhance security of this sensitive data, enable client certificates
        # and certificate verification
        # ssl.certificate_authorities:
        # ssl.certificate: "/etc/client.crt"
        # ssl.key: "/etc/client.key"
        # ssl.verification_mode: full

Filebeat 6.x

In version 6, Filebeat introduced the concept of modules. Modules are designed to work in an Elastic Stack environment and provide pre-built parsers for Logstash and dashboards for Kibana. However, since Graylog does the parsing, analysis and visualization in place of Logstash and Kibana, neither of those two components apply. They also create a dedicated index in Elasticsearch, but Graylog also manages all indices in Elasticsearch, so for most Graylog users these modules are of little benefit. The configuration file settings stay the same with Filebeat 6 as they were for Filebeat 5. Use the Collector-Sidecar to configure Filebeat if you already run it in your environment. Just add a new configuration and tag to your configuration that includes the audit log file. Keep in mind to add type auditd to the configuration, so that the rules below will work.
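To make the syslog size problem discussed above concrete, here is an added example that is not part of the original post: it parses auditd's key=value record format, cuts a record at the 1024 limit the post cites, and reports which fields a syslog hop would have destroyed, plus an argc sanity check that flags such an incomplete EXECVE record. The EXECVE record, its timestamp and serial are constructed sample data; the regexes handle plain key=value pairs only, not the a1[0]= continuation form auditd uses for very long arguments.

```python
import re

# Size limit the post cites for syslog transport; everything past it is lost in transit.
SYSLOG_MAX = 1024

# One audit.log record is a single line of key=value pairs; values may be double-quoted
# and quoted values may themselves contain '=' (command-line arguments, for example).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")


def parse_audit_record(line: str) -> dict:
    """Parse one auditd record into a dict; msg=audit(ts:serial) is split into both parts."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    m = MSG_RE.match(fields.get("msg", ""))
    if m:
        fields["timestamp"], fields["serial"] = m.group(1), m.group(2)
    return fields


def argc_consistent(fields: dict) -> bool:
    """EXECVE records state argc; a record without exactly a0..a(argc-1) is incomplete."""
    if fields.get("type") != "EXECVE" or "argc" not in fields:
        return True  # check only applies to EXECVE records
    present = {k for k in fields if re.fullmatch(r"a\d+", k)}
    return present == {f"a{i}" for i in range(int(fields["argc"]))}


def fields_lost_to_syslog(line: str, limit: int = SYSLOG_MAX) -> list:
    """Keys whose value is missing or damaged once the line is truncated at `limit` bytes."""
    full = parse_audit_record(line)
    truncated = parse_audit_record(line[:limit])
    return sorted(k for k in full if truncated.get(k) != full[k])


def constructed_execve_record(n_args: int) -> str:
    """Constructed sample (not real audit data): a long EXECVE line as auditd would write it."""
    args = " ".join(f'a{i}="--option-{i}=some-long-value-{i:04d}"' for i in range(n_args))
    return f"type=EXECVE msg=audit(1523456789.123:4711): argc={n_args} {args}"


if __name__ == "__main__":
    record = constructed_execve_record(40)
    print(f"record is {len(record)} bytes; fields lost via syslog: {fields_lost_to_syslog(record)}")
    print("argc consistent after truncation:",
          argc_consistent(parse_audit_record(record[:SYSLOG_MAX])))
```

The same argc check can be applied on the Graylog side to spot EXECVE records that arrived incomplete, whatever the transport.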