Elastic Stack 7 : Install Auditbeat2021/06/22 |
Install Auditbeat that can monitor Audit actions.
|
|
[1] | Install Auditbeat. Configure Elasticsearch repository before it. |
[root@dlp ~]# dnf -y install auditbeat
|
[2] | Configure basic settings and start Auditbeat. |
[root@dlp ~]#
vi /etc/auditbeat/auditbeat.yml # line 13 : set Audit action (way of writing rules is the same with auditctl) - module: auditd audit_rules: | ## Define audit rules here. ## Create file watches (-w) or syscall audits (-a or -A). Uncomment these ## examples or add your own rules. ## If you are on a 64 bit platform, everything should be running ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls ## because this might be a sign of someone exploiting a hole in the 32 ## bit API. #-a always,exit -F arch=b32 -S all -F key=32bit-abi ## Executions. #-a always,exit -F arch=b64 -S execve,execveat -k exec ## External access (warning: these can be expensive to audit). #-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access ## Identity changes. #-w /etc/group -p wa -k identity #-w /etc/passwd -p wa -k identity #-w /etc/gshadow -p wa -k identity ..... ..... # line 122 : if use Kibana, uncomment and specify output host # if SSL is enabled on Kibana, hostname should be the same with the hostname in certs
setup.kibana:
.....
host: "https://dlp.srv.world:5601"
# line 147 : specify output host # the default is localhost's Elasticsearch # if output to Logstash, comment out Elasticsearch and uncomment logstash lines output.elasticsearch: # Array of hosts to connect to.l hosts: ["localhost:9200"] ..... ..... #output.logstash: # The Logstash hosts #hosts: ["localhost:5044"]
[root@dlp ~]#
vi /etc/auditbeat/auditbeat.reference.yml # line 34 : basic settings for auditd module - module: auditd resolve_ids: true failure_mode: silent backlog_limit: 8196 rate_limit: 0 include_raw_message: false include_warnings: false audit_rules: | ..... .....[root@dlp ~]# systemctl enable --now auditbeat
|
[3] | Verify status the data has been collected normally. |
# index list [root@dlp ~]# curl localhost:9200/_cat/indices?v health status index uuid pri rep docs.count docs.deleted store.size pri.store.size green open .apm-agent-configuration y3hQme2SQpGMtb64NLsNdA 1 0 0 0 208b 208b yellow open heartbeat-7.13.2-2021.06.22-000001 LHK787g7S92UFiUXDDrwpQ 1 1 53 0 195.8kb 195.8kb green open .kibana_7.13.2_001 zA_r0rrjT7OMUMVSGmRVfg 1 0 4541 388 3.5mb 3.5mb green open .apm-custom-link d1-9Pkn-RXOu_qhMOanvVA 1 0 0 0 208b 208b green open .kibana-event-log-7.13.2-000001 Y-rCmM6yTBKa9W5H1LeJ1g 1 0 1 0 5.6kb 5.6kb yellow open filebeat-7.13.2-2021.06.22-000001 c18zEwqAQVeNecW7d6EAQg 1 1 11825 0 1.7mb 1.7mb yellow open auditbeat-7.13.2-2021.06.22-000001 -kMW1wnKQ9-b8WjnJmvScA 1 1 904 0 715.8kb 715.8kb green open .async-search WRLoMwCITRKD3C_BrFJ9bw 1 0 49 239 157kb 157kb green open .kibana_task_manager_7.13.2_001 x6V232xKQLinqRedJRAbgw 1 0 10 4471 567.2kb 567.2kb yellow open packetbeat-7.13.2-2021.06.22-000001 nYN59YPRQwGmDrMRXijZxA 1 1 36649 0 10.6mb 10.6mb yellow open test_index Vh0HutpLRciaMWX3pFo7Zg 1 1 1 0 5.5kb 5.5kb yellow open sshd_fail-2021.06 HiOI2ac-RzK2BiwQ_gb-VQ 1 1 43 0 68.7kb 68.7kb yellow open metricbeat-7.13.2-2021.06.22-000001 aVbbCHScQBujmT8JMRdRBw 1 1 15393 0 8.9mb 8.9mb # document list on the index [root@dlp ~]# curl localhost:9200/auditbeat-7.13.2-2021.06.22-000001/_search?pretty { "took" : 3, "timed_out" : false, "_shards" : { "total" : 1, "successful" : 1, "skipped" : 0, "failed" : 0 }, "hits" : { "total" : { "value" : 1562, "relation" : "eq" }, "max_score" : 1.0, "hits" : [ { "_index" : "auditbeat-7.13.2-2021.06.22-000001", "_type" : "_doc", "_id" : "1aItMnoB8xzJeutJ83E7", "_score" : 1.0, "_source" : { "@timestamp" : "2021-06-22T05:25:07.631Z", "user" : { "id" : "0", "name" : "root", "entity_id" : "Nr6gnj5txO/XVTRU", "group" : { "name" : "root", "id" : "0" } }, "related" : { "user" : [ "root" ] }, "service" : { "type" : "system" }, ..... ..... |
[4] | If Kibana is running, it's possible to import data to sample Dashboards. |
[root@dlp ~]# auditbeat setup --dashboards Loading dashboards (Kibana must be running and reachable) Loaded dashboards |
Sponsored Link |
|