Solution for Auditd Log Ingest

[jdonovan-itcnp]

Trying to put together a proof of concept to see if SO is fit for my required purpose. I am having some trouble getting auditd logs into SO. Seems as though logstash receives the logs from filebeat's auditd module, but the required ingest pipeline is not present in Elastic, so the logs do not arrive.

Is there a solution available, or any guidance, for how we can get auditd logs ingested into elastic/SO? Is this a supported use case?

[jdonovan-itcnp]

Was able to get AuditBeat working for this purpose, however I had hoped for Filebeat to be available since Auditbeat requires that auditd be disabled.

[cm-ops]

Did you try manually enabling the pipeline? Similar to the command here - https://docs.securityonion.net/en/latest/filebeat.html#walkthrough-netflow-logs It would be something like sudo docker exec -i so-filebeat filebeat setup modules --pipelines --modules auditd -M "auditd.log.enabled=true" -c /usr/share/filebeat/module-setup.yml