
[Auditbeat] Add ignore errors in audit rules #15768

Closed
fixed77 opened this issue Jan 23, 2020 · 12 comments · Fixed by #36851

Comments

fixed77 commented Jan 23, 2020

In auditd there is a rule "-i".
This rule will cause auditctl to continue loading rules when it runs across an unsupported field or a rule with a syntax error, but exit with a success reason code.

It would be nice to add this feature to auditbeat.
Thus, it would be possible to make the same auditbeat settings for different systems.

@elasticmachine

Pinging @elastic/siem (Team:SIEM)

weastur commented Dec 23, 2020

+1

9r00t-z commented Jan 8, 2021

+1

@Dominator-3000

I was really surprised when I didn't find this function in auditbeat. When you have a large infrastructure with different software that is not unified, it is very difficult to make a single config that is suitable for everything.

botelastic bot commented Jan 27, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@botelastic botelastic bot added the Stalled label Jan 27, 2022
weastur commented Jan 31, 2022

Up

@botelastic botelastic bot removed the Stalled label Jan 31, 2022
gwsales commented May 3, 2022

This is pretty important, how can we get this addressed?

@elasticmachine

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

fixed77 commented Dec 2, 2022

Up

@chenwei791129

Up, I need this option in auditbeat config

jkiv commented Sep 25, 2023

One possible workaround is to run auditd alongside auditbeat.

Use your rules file with auditd and specify socket_type: multicast in the auditd module config in your auditbeat.xml:

# ...
auditbeat.modules:
- module: auditd
  socket_type: multicast
# ...

auditbeat will ignore any audit_rule_files or audit_rule entries and will rely on auditd for audit log messages. (https://discuss.elastic.co/t/auditbeat-running-with-auditd/144782/2)
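Both the auditctl "-i" flag and the multicast workaround above hide which rules a given host actually rejected. As an added example (not from this issue or from Auditbeat), here is a POSIX shell preflight that loads a shared rules file rule by rule through auditctl and lists the ones this host refuses; the names AUDITCTL, check_rules and rejected_count are assumed here.

```sh
#!/bin/sh
# Preflight for a shared audit rules file: try each rule on its own and
# report the ones this host rejects (unsupported field, syntax error, ...).
# This is exactly what "auditctl -i" would skip silently.
# AUDITCTL is an assumed knob: point it at a stub or another binary for testing.
: "${AUDITCTL:=auditctl}"

# check_rules FILE
# Prints "FAILED: <rule>" for every rejected rule. Exit status is 0 when
# every rule loaded and 1 when at least one was rejected.
check_rules() {
  rules_file=$1
  failed=0
  while IFS= read -r line || [ -n "$line" ]; do
    # skip blank lines and comment lines, as auditctl -R does
    case "$line" in '' | '#'*) continue ;; esac
    # split the rule into auditctl arguments
    set -- $line
    # control-only lines are not rules; nothing to test for them
    case "$1" in -i | -c | -D | -b | -e | -f | -r | --backlog_wait_time) continue ;; esac
    if ! $AUDITCTL "$@" >/dev/null 2>&1; then
      printf 'FAILED: %s\n' "$line"
      failed=1
    fi
  done < "$rules_file"
  return "$failed"
}

# rejected_count FILE: number of rules this host rejected
rejected_count() {
  check_rules "$1" | grep -c '^FAILED: ' || true
}

# usage: ./preflight.sh /etc/audit/rules.d/shared.rules
if [ -n "${1:-}" ]; then
  check_rules "$1"
fi
```

auditctl has no dry-run mode, so every rule that loads successfully is installed while the check runs; use a staging host, or clear the rules afterwards with auditctl -D.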

@jamiehynds
Thanks to everyone for their upvotes and comments on this Auditbeat enhancement. Happy to report that we've added a new ignore_errors config option via this PR. The option will be available from Auditbeat 8.12 onwards.
