Please include configurations and logs if available.
auditbeat info
- Version: 7.6.1
- Operating System: CentOS 7
- relevant config:
auditbeat was started using systemd service file
system module configuration

```yaml
- module: system
  datasets:
    - host    # General host information, e.g. uptime, IPs
    - login   # User logins, logouts, and system boots.
    - package # Installed, updated, and removed packages
    - process # Started and stopped processes
    - socket  # Opened and closed sockets
    - user    # User information

  # How often datasets send state updates with the
  # current state of the system (e.g. all currently
  # running processes, all open sockets).
  state.period: 12h

  # Enabled by default. Auditbeat will read password fields in
  # /etc/passwd and /etc/shadow and store a hash locally to
  # detect any changes.
  user.detect_password_changes: true

  # File patterns of the login record files.
  login.wtmp_file_pattern: /var/log/wtmp*
  login.btmp_file_pattern: /var/log/btmp*
```
locally

```shell
ssh dcode@10.10.10.10 -R23456:127.0.0.1:23456
```

remotely

```shell
# get pid for sshd user session
ps -u dcode | awk '/sshd/ { print $1 }'
# Connect to local port, doesn't actually go anywhere in this case
nc 127.0.0.1 23456
```

View logs in Kibana using the following filter, substituting in the pid printed above (it was 20785 in this test case).

```
agent.type: auditbeat and process.pid: (20785) and event.action: network_flow
```
snipped to just process object:

```json
"process": {
  "pid": 20785,
  "name": "java",
  "args": [
    "java",
    "-Xmx1G",
    "-Xms1G",
    "-server",
    "-XX:+UseG1GC",
    "-XX:MaxGCPauseMillis=20",
    "-XX:InitiatingHeapOccupancyPercent=35",
    "-XX:+DisableExplicitGC",
    "-Djava.awt.headless=true",
    "-Xlog:gc:/var/log/kafka/kafkaServer-gc.log",
    "-Xlog:gc*",
    "-Dcom.sun.management.jmxremote",
    "-Dcom.sun.management.jmxremote.authenticate=false",
    "-Dcom.sun.management.jmxremote.ssl=false",
    "-Dkafka.logs.dir=/usr/share/kafka/bin/../logs",
    "-Dkafka.logs.dir=/var/log/kafka",
    "-Dlog4j.configuration=file:///etc/kafka/log4j.properties",
    "-cp",
    "/usr/share/java/kafka/activation-1.1.1.jar:/usr/share/java/kafka/jetty-io-9.4.18.v20190429.jar:/usr/share/java/kafka/aopalliance-repackaged-2.5.0.jar:/usr/share/java/kafka/argparse4j-0.7.0.jar:/usr/share/java/kafka/jsr305-3.0.2.jar:/usr/share/java/kafka/audience-annotations-0.5.0.jar:/usr/share/java/kafka/kafka_2.12-2.3.0.jar:/usr/share/java/kafka/commons-lang3-3.8.1.jar:/usr/share/java/kafka/log4j-1.2.17.jar:/usr/share/java/kafka/connect-api-2.3.0.jar:/usr/share/java/kafka/jetty-http-9.4.18.v20190429.jar:/usr/share/java/kafka/connect-basic-auth-extension-2.3.0.jar:/usr/share/java/kafka/lz4-java-1.6.0.jar:/usr/share/java/kafka/connect-file-2.3.0.jar:/usr/share/java/kafka/maven-artifact-3.6.1.jar:/usr/share/java/kafka/connect-json-2.3.0.jar:/usr/share/java/kafka/metrics-core-2.2.0.jar:/usr/share/java/kafka/connect-runtime-2.3.0.jar:/usr/share/java/kafka/jopt-simple-5.0.4.jar:/usr/share/java/kafka/connect-transforms-2.3.0.jar:/usr/share/java/kafka/zstd-jni-1.4.0-1.jar:/usr/share/java/kafka/guava-20.0.jar:/usr/share/java/kafka/zkclient-0.11.jar:/usr/share/java/kafka/hk2-api-2.5.0.jar:/usr/share/java/kafka/plexus-utils-3.2.0.jar:/usr/share/java/kafka/hk2-locator-2.5.0.jar:/usr/share/java/kafka/zookeeper-3.4.14.jar:/usr/share/java/kafka/hk2-utils-2.5.0.jar:/usr/share/java/kafka/kafka-clients-2.3.0.jar:/usr/share/java/kafka/jackson-annotations-2.9.9.jar:/usr/share/java/kafka/osgi-resource-locator-1.0.1.jar:/usr/share/java/kafka/jackson-core-2.9.9.jar:/usr/share/java/kafka/paranamer-2.8.jar:/usr/share/java/kafka/jackson-databind-2.9.9.jar:/usr/share/java/kafka/kafka-log4j-appender-2.3.0.jar:/usr/share/java/kafka/jackson-dataformat-csv-2.9.9.jar:/usr/share/java/kafka/kafka-streams-2.3.0.jar:/usr/share/java/kafka/jackson-datatype-jdk8-2.9.9.jar:/usr/share/java/kafka/kafka-streams-examples-2.3.0.jar:/usr/share/java/kafka/jackson-jaxrs-base-2.9.9.jar:/usr/share/java/kafka/jetty-client-9.4.18.v20190429.jar:/usr/share/java/kafka/jackson-jaxrs-json-provider-2.9.9.jar:/usr/share/java/kafka/jetty-continuation-9.4.18.v20190429.jar:/usr/share/java/kafka/jackson-module-jaxb-annotations-2.9.9.jar:/usr/share/java/kafka/kafka-streams-scala_2.12-2.3.0.jar:/usr/share/java/kafka/jackson-module-paranamer-2.9.9.jar:/usr/share/java/kafka/kafka-streams-test-utils-2.3.0.jar:/usr/share/java/kafka/jackson-module-scala_2.12-2.9.9.jar:/usr/share/java/kafka/kafka-tools-2.3.0.jar:/usr/share/java/kafka/jakarta.annotation-api-1.3.4.jar:/usr/share/java/kafka/reflections-0.9.11.jar:/usr/share/java/kafka/jakarta.inject-2.5.0.jar:/usr/share/java/kafka/rocksdbjni-5.18.3.jar:/usr/share/java/kafka/jakarta.ws.rs-api-2.1.5.jar:/usr/share/java/kafka/scala-library-2.12.8.jar:/usr/share/java/kafka/javassist-3.22.0-CR2.jar:/usr/share/java/kafka/slf4j-api-1.7.26.jar:/usr/share/java/kafka/javax.servlet-api-3.1.0.jar:/usr/share/java/kafka/scala-logging_2.12-3.9.0.jar:/usr/share/java/kafka/javax.ws.rs-api-2.1.1.jar:/usr/share/java/kafka/jaxb-api-2.3.0.jar:/usr/share/java/kafka/scala-reflect-2.12.8.jar:/usr/share/java/kafka/jersey-client-2.28.jar:/usr/share/java/kafka/slf4j-log4j12-1.7.26.jar:/usr/share/java/kafka/jersey-common-2.28.jar:/usr/share/java/kafka/jersey-container-servlet-2.28.jar:/usr/share/java/kafka/jetty-servlets-9.4.18.v20190429.jar:/usr/share/java/kafka/jersey-container-servlet-core-2.28.jar:/usr/share/java/kafka/jersey-hk2-2.28.jar:/usr/share/java/kafka/snappy-java-1.1.7.3.jar:/usr/share/java/kafka/jersey-media-jaxb-2.28.jar:/usr/share/java/kafka/spotbugs-annotations-3.1.9.jar:/usr/share/java/kafka/jersey-server-2.28.jar:/usr/share/java/kafka/jetty-security-9.4.18.v20190429.jar:/usr/share/java/kafka/jetty-server-9.4.18.v20190429.jar:/usr/share/java/kafka/jetty-servlet-9.4.18.v20190429.jar:/usr/share/java/kafka/jetty-util-9.4.18.v20190429.jar:/usr/share/java/kafka/validation-api-2.0.1.Final.jar",
    "kafka.Kafka",
    "/etc/kafka/server.properties"
  ],
  "executable": "/usr/lib/jvm/java-11-openjdk-11.0.6.10-1.el7_7.x86_64/bin/java",
  "created": "2020-03-18T03:14:02.380Z"
},
```
In this case, the Kafka process above has a pid of 7268.
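To triage a report like this one, the check below cross-references each `network_flow` event's process enrichment against the host's current pid table, so a reused pid whose cached process entry has gone stale (a `java` name on a pid that now belongs to `sshd`) stands out. This is an added example, not code from the issue or from auditbeat; `SAMPLE_EVENTS` and `SAMPLE_PROC` are constructed, and `live_proc_table` is a hypothetical helper that reads `/proc` on a Linux host.

```python
import os
from datetime import datetime, timedelta, timezone

# Constructed events in the shape the auditbeat socket dataset emits, trimmed to
# the fields this check needs. Not real captured data.
SAMPLE_EVENTS = [
    {"event": {"action": "network_flow"},
     "process": {"pid": 20785, "name": "java", "created": "2020-03-18T03:14:02.380Z"}},
    {"event": {"action": "network_flow"},
     "process": {"pid": 4321, "name": "sshd", "created": "2020-03-18T09:00:00.000Z"}},
]
# Constructed pid table: what the host itself reports for those pids right now.
SAMPLE_PROC = {
    20785: {"comm": "sshd", "created": "2020-03-18T09:05:11.000Z"},
    4321: {"comm": "sshd", "created": "2020-03-18T09:00:00.000Z"},
}

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def live_proc_table():
    """Hypothetical helper: build the same table from /proc on a Linux host."""
    with open("/proc/stat") as f:
        btime = next(int(l.split()[1]) for l in f if l.startswith("btime "))
    hz, table = os.sysconf("SC_CLK_TCK"), {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/stat") as f:
                stat = f.read()
        except OSError:
            continue  # process exited while we were scanning
        comm = stat[stat.index("(") + 1:stat.rindex(")")]
        start_ticks = int(stat[stat.rindex(")") + 2:].split()[19])  # field 22: starttime
        started = datetime.fromtimestamp(btime + start_ticks / hz, tz=timezone.utc)
        table[int(pid)] = {"comm": comm, "created": started.strftime("%Y-%m-%dT%H:%M:%S.%fZ")}
    return table

def check_attribution(events, proc_table, slack=timedelta(seconds=2)):
    """Flag network_flow events whose enrichment disagrees with the live pid table:
    a name or start-time mismatch means the pid was reused and the cache is stale."""
    findings = []
    for ev in events:
        if ev.get("event", {}).get("action") != "network_flow":
            continue
        proc, live = ev["process"], proc_table.get(ev["process"]["pid"])
        if live is None:
            findings.append((proc["pid"], "pid no longer exists"))
        elif live["comm"] != proc["name"][:15]:  # comm is truncated to 15 chars
            findings.append((proc["pid"], f"name {proc['name']!r} vs live {live['comm']!r}"))
        elif abs(parse_ts(live["created"]) - parse_ts(proc["created"])) > slack:
            findings.append((proc["pid"], "start time mismatch"))
    return findings
```

On a live host, pass `live_proc_table()` in place of `SAMPLE_PROC` and the events exported from the Kibana filter above; a pid that has since exited is reported separately so it is not mistaken for reuse.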