DevOps Fest 2020. Philipp Krenn. Scale Your Auditing Events
The Linux Audit daemon is responsible for writing audit records to disk, which you can then query with ausearch and aureport. However, it turns out that parsing and centralizing these records is not as easy as you would hope. Elastic's new Auditbeat fixes this by keeping the original auditd configuration but shipping the records to a centralized location where you can easily visualize all events. You can also use Auditbeat to detect changes to critical files, such as binaries and configuration files, and identify potential security policy violations.
This talk shows you what you can do to discover changes, events, and potential security breaches as early as possible on interactive dashboards. Additionally, we combine auditd events with security-relevant logs and explore them in Elastic's free SIEM.
- name: base
  short: All fields defined directly at the top level
  description: >
    The `base` field set contains all fields which are on the top level.
    These fields are common across all types of events.
  fields:
    - name: "@timestamp"
      short: Date/time when the event originated.
      description: >
        Date/time when the event originated.
        This is the date/time extracted from the event, typically representing
        when the event was generated by the source.
        If the event source has no original timestamp, this value is typically
        populated by the first time the event was received by the pipeline.
        Required field for all events.
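The @timestamp rule above (take the source's own timestamp when it has one, otherwise fall back to the time the pipeline first received the event, and never emit an event without it) is easy to get wrong when auditd records and application logs arrive in different formats. The following is an added example written for this page, not code from the talk, from Auditbeat or from Elastic: a small normaliser that applies that rule to a few constructed events. The source-side key names it recognises (`timestamp`, `event_time`, `time`) and the `event_timestamp_source` marker field are assumptions for the example, not ECS fields.

```python
"""ECS-style @timestamp handling for a small event pipeline (added example).

Shows the rule from the `base` field set: @timestamp is required on every
event and, when the source carries no original timestamp, is populated with
the time the pipeline first received the event. Names other than @timestamp
are assumptions for this example.
"""
from datetime import datetime, timezone
from typing import Any, Dict, Optional

# Source-side keys this example treats as an "original timestamp". These names
# are assumptions; a real auditd parser would extract the epoch from the
# msg=audit(<epoch>.<ms>:<serial>) header instead.
SOURCE_TS_KEYS = ("timestamp", "event_time", "time")


def parse_source_timestamp(value: Any) -> Optional[datetime]:
    """Return a UTC datetime for an epoch number or ISO 8601 string, else None."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value, tz=timezone.utc)
    if isinstance(value, str):
        text = value.strip()
        if text.endswith("Z"):
            text = text[:-1] + "+00:00"  # older Pythons do not accept a bare Z
        try:
            dt = datetime.fromisoformat(text)
        except ValueError:
            try:
                return datetime.fromtimestamp(float(text), tz=timezone.utc)
            except ValueError:
                return None
        if dt.tzinfo is None:
            dt = dt.replace(tzinfo=timezone.utc)  # naive: assume UTC
        return dt.astimezone(timezone.utc)
    return None


def to_ecs(raw: Dict[str, Any], received_at: datetime) -> Dict[str, Any]:
    """Normalise one raw event into an ECS-style document.

    @timestamp comes from the source's own timestamp when one is present and
    parseable; otherwise it falls back to `received_at`, the time the pipeline
    first saw the event. Either way the result always carries @timestamp.
    """
    original = None
    for key in SOURCE_TS_KEYS:
        if key in raw:
            original = parse_source_timestamp(raw[key])
            if original is not None:
                break
    ts = original if original is not None else received_at.astimezone(timezone.utc)
    doc = {k: v for k, v in raw.items() if k not in SOURCE_TS_KEYS}
    doc["@timestamp"] = ts.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    # Record whether we fell back, so a dashboard can tell event time from
    # ingest time when investigating gaps (assumed field, not part of ECS).
    doc["event_timestamp_source"] = "original" if original is not None else "pipeline"
    return doc


def check_required(doc: Dict[str, Any]) -> bool:
    """True if the document satisfies the 'required for all events' rule."""
    ts = doc.get("@timestamp")
    return isinstance(ts, str) and ts.endswith("Z")


# Constructed sample input: an epoch timestamp (audit style), an ISO 8601
# timestamp with an offset, and an event with no original timestamp at all.
SAMPLE_EVENTS = [
    {"timestamp": 1590000000.123, "message": "constructed: file modified"},
    {"event_time": "2020-05-20T18:40:00+02:00", "message": "constructed: login"},
    {"message": "constructed: event with no original timestamp"},
]
RECEIVED_AT = datetime(2020, 5, 21, 12, 0, 0, tzinfo=timezone.utc)


def normalise_all(events=SAMPLE_EVENTS, received_at=RECEIVED_AT):
    """Normalise every sample event and verify the required-field rule holds."""
    docs = [to_ecs(e, received_at) for e in events]
    assert all(check_required(d) for d in docs)
    return docs


if __name__ == "__main__":
    for d in normalise_all():
        print(d["@timestamp"], d["event_timestamp_source"], d["message"])
```

The third sample event is the case the schema text calls out: it has no usable source timestamp, so it receives the pipeline's receipt time and is marked accordingly, rather than being dropped or indexed without @timestamp.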