saddr_fam
Hi!!! I tried to filter out some traffic and get only AF_INET and AF_INET6 audit logs using these rules:
-a always,exit -F arch=b64 -S connect,accept,listen,bind -F a2=16 -F saddr_fam=2 -F success=1 -F key=network-v4
-a always,exit -F arch=b64 -S connect,accept,listen,bind -F a2=24 -F saddr_fam=10 -F success=1 -F key=network-v6
but I get this error
[root@PC rules.d]# auditbeat test config
Exiting: 1 error: failed to unpack the auditd config: 1 error: failed loading rules: 2 errors:
at /etc/auditbeat/audit.rules.d/audit-rules.conf:24: failed to interpret rule '-a always,exit -F arch=b64 -S connect,accept,listen,bind -F a2=16 -F saddr_fam=2 -F success=1 -F key=network-v4': failed to add filter '{2 saddr_fam = 2}': invalid field 'saddr_fam' on left;
at /etc/auditbeat/audit.rules.d/audit-rules.conf:25: failed to interpret rule '-a always,exit -F arch=b64 -S connect,accept,listen,bind -F a2=24 -F saddr_fam=10 -F success=1 -F key=network-v6': failed to add filter '{2 saddr_fam = 10}': invalid field 'saddr_fam' on left accessing 'auditbeat.modules.0' (source:'/etc/auditbeat/auditbeat.yml')
Pinging @elastic/security-external-integrations (Team:Security-External Integrations)
This issue doesn't have a Team:<team> label.
I created an issue in the upstream library. elastic/go-libaudit#144
efd6