Auditd

deb (Debian/Ubuntu/Mint)

curl -L -O https://artifacts.elastic.co/downloads/beats//-oss-7.15.1-amd64.deb
sudo dpkg -i -oss-7.15.1-amd64.deb

rpm (CentOS/RHEL/Fedora)

curl -L -O https://artifacts.elastic.co/downloads/beats//-oss-7.15.1-x86_64.rpm
sudo rpm -vi -oss-7.15.1-x86_64.rpm

macOS

curl -L -O https://artifacts.elastic.co/downloads/beats//-oss-7.15.1-darwin-x86_64.tar.gz
tar xzvf -oss-7.15.1-darwin-x86_64.tar.gz

Windows

• Download the Windows zip file from the official downloads page.
• Extract the contents of the zip file into C:\Program Files.
• Rename the -<version>-windows directory to ``.
• Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator). If you are running Windows XP, you may need to download and install PowerShell.
• Run the following commands to install as a Windows service:

cd 'C:\Program Files\'
.\install-service-.ps1

There are several built in filebeat modules you can use. To enable the Auditd module run.

deb/rpm

sudo filebeat modules list
sudo filebeat modules enable auditd

Additional module configuration can be done using the per module config files located in the modules.d folder, most commonly this would be to read logs from a non-default location

deb/rpm /etc/filebeat/modules.d/

deb/rpm /etc/filebeat/filebeat.yml

We'll be shipping to Logstash so that we have the option to run filters before the data is indexed.
Comment out the elasticsearch output block.

## Comment out elasticsearch output
#output.elasticsearch:
#  hosts: ["localhost:9200"]

Let's check the configuration file is syntactically correct by running directly inside the terminal. If the file is invalid, will print an error loading config file error message with details on how to correct the problem.

deb/rpm

sudo  -e -c /etc//.yml

macOS

cd <EXTRACTED_ARCHIVE>
./ -e -c .yml

Windows

cd <EXTRACTED_ARCHIVE>
.\.exe -e -c .yml

All Logit.io stacks come pre-configured with popular Logstash filters. We would recommend that you add Auditd specific filters if you don't already have them, to ensure enhanced dashboards and modules work correctly.

Edit your Logstash filters by choosing Stack > Settings > Logstash Filters

if [fileset][module] == "auditd" {
    grok {
         match => { 
             "message" => [ "%{AUDIT_PREFIX} %{AUDIT_KEY_VALUES:[auditd][log][kv]} old auid=%{NUMBER:[auditd][log][old_auid]} new auid=%{NUMBER:[auditd][log][new_auid]} old ses=%{NUMBER:[auditd][log][old_ses]} new ses=%{NUMBER:[auditd][log][new_ses]}", "%{AUDIT_PREFIX} %{AUDIT_KEY_VALUES:[auditd][log][kv]} msg=['\"](%{DATA:[auditd][log][msg]}\s+)?%{AUDIT_KEY_VALUES:[auditd][log][sub_kv]}['\"]", "%{AUDIT_PREFIX} %{AUDIT_KEY_VALUES:[auditd][log][kv]}", "%{AUDIT_PREFIX}", "%{AUDIT_TYPE} %{AUDIT_KEY_VALUES:[auditd][log][kv]}" ]
         }
         pattern_definitions => {
             "AUDIT_TYPE" => "^type=%{NOTSPACE:[auditd][log][record_type]}"
             "AUDIT_PREFIX" => "%{AUDIT_TYPE} msg=audit\(%{NUMBER:[auditd][log][epoch]}:%{NUMBER:[auditd][log][sequence]}\):(%{DATA})?"
             "AUDIT_KEY_VALUES" => "%{WORD}=%{GREEDYDATA}"
         }
    }
    date {
        match => [ "[auditd][log][epoch]", "UNIX" ]
        target => "@timestamp"
    }
    mutate {
        convert => { "[auditd][log][sequence]" => "integer" }
    }
    geoip {
        source => "[auditd][log][addr]"
        target => "[auditd][log][geoip]"
    }
}

Ok, time to start ingesting data!

deb/rpm

sudo systemctl enable filebeat
sudo systemctl start filebeat

If you don't see data appearing in your Stack after following the steps, visit the Help Centre guide for steps to diagnose no data appearing in your Stack or Chat to support now.

The Auditd module comes with predefined Kibana dashboards. To view your dashboards for any of your Logit.io stacks, launch Kibana and choose Dashboards.