Elastic SIEM – An Event Tracking Feature

SIEM with ELK – san3ncrypt3d – Making cybersecurity a habit & Privacy a Goal


Torture the data, and it will confess to anything.

Ronald Coase


Elastic SIEM (Security Information and Event Management) is a new feature provided by Elastic NV. Using Elastic SIEM we can collect, track and investigate the security events that matter to us.

Events are actions that reflect something that has happened.

Example: let’s say we have an important instance that hosts a service, and we want to know about the successful and failed login attempts made to it.

Also, let’s say we have a “/etc/nginx” directory and want to track any events in it. Simply put, we want to know about changes made in this directory, i.e. files being created, deleted, or updated.

All of this can be done. Since it’s better to show a visualization than just definitions, that’s what we’ll do.


Below are the objectives of this blog:

  1. We will install auditbeat on an important (Ubuntu) instance and configure auditbeat.yml securely, so that it sends events to Elasticsearch.
  2. Visualise various events in Kibana
  3. File-Integrity Module
  4. System Module
  5. Auditd Module
  6. Data Exporters

Install Auditbeat

Here, we are going to install auditbeat on an instance whose events are important to us. Our OS is Ubuntu.

curl -L -O https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-7.7.1-amd64.deb
sudo dpkg -i auditbeat-7.7.1-amd64.deb

If your OS is different, you may download the package from the given link.


Now we need to add the Elasticsearch host, username, and password to the auditbeat.yml configuration file.

Figure 1: Example of the elasticsearch output config we need to change

For the password we will use the auditbeat keystore. Entering the password in plain text, as shown in the example above, is not recommended.

sudo auditbeat keystore create
sudo auditbeat keystore add elasticsearch_password

A prompt will ask for the value.

Figure 2: Using the keystore, which stores our credentials in key-value form.

Now our password is stored under the elasticsearch_password key. Let’s reference that key in the config file.

Figure 3: Here we reference the key name; the value is retrieved from the keystore at runtime.

Now add kibana host.

Figure 4: Kibana hostname

We have successfully set up auditbeat. Let’s test it.

sudo auditbeat setup
sudo service auditbeat start
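Putting the steps above together, this is what the relevant part of auditbeat.yml looks like once the keystore key exists. It is an added example, not a configuration taken from the original post: the hostnames, the username and the CA path are constructed placeholders, and the TLS settings are an assumption beyond what the post shows.

```yaml
# Added example: output and Kibana sections of auditbeat.yml.
# Hostnames, username and CA path are constructed placeholders.

output.elasticsearch:
  # https so that credentials and events are not sent in clear text (assumed deployment)
  hosts: ["https://elasticsearch.example.internal:9200"]
  # A dedicated, least-privilege user for the beat (assumed; created in Elasticsearch)
  username: "auditbeat_writer"
  # No literal secret here: ${...} is resolved from the keystore created with
  #   sudo auditbeat keystore create
  #   sudo auditbeat keystore add elasticsearch_password
  password: "${elasticsearch_password}"
  # Pin the CA that signed the Elasticsearch certificate (assumed path)
  ssl.certificate_authorities: ["/etc/auditbeat/ca.crt"]

setup.kibana:
  # Used by `auditbeat setup` to load the dashboards and index patterns
  host: "https://kibana.example.internal:5601"
```

Before starting the service, `sudo auditbeat test config` checks that the file parses and `sudo auditbeat test output` verifies the connection, TLS trust and credentials against Elasticsearch, so a typo in the key name shows up here rather than as silently dropped events.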

Visualise various events in Kibana

Figure 5: Number of Hosts in which auditbeat has been installed and sending logs to SIEM

The All hosts count under the Hosts section tells us the total number of hosts we have configured.

Figure 6: User login Authentication

Here we can see that there have been 5 successful login attempts and 478 failed attempts across both hosts.

Since events are the most important part of a SIEM, we can use KQL (Kibana Query Language) and add filters to go through them.

Example: after installing auditbeat, I installed Node.js and tree using apt-get. Let’s see our relevant data.

Figure 7: Filter results to get the package installed

Below we can see relevant events.

Figure 8: Result of executed KQL query


Let’s see the various login attempts made on our instance. Set event.action to user_login.

Figure 9: Filter results to get user_login
Figure 10: Here we can see two users, karol and query, trying to access my instance, and we also have their source IPs.


Event Action

Figure 11: This shows the various available event actions. A zero value means the respective event has not occurred in the selected time range.

File Integrity Module

Auditbeat has three modules: System, File Integrity, and Auditd.

The File Integrity module handles file-related events.

It uses the Linux kernel’s inotify API (a mechanism for monitoring filesystem events). So, if you are running an older Linux version, or inotify is not supported in your kernel, this module will not be available.

Figure 12: Here paths lists the directories that have been configured for file events.

Let’s add some files in /bin and check for the relevant events.

Figure 13: Filtering results to get results from the file_integrity module
Figure 14: Here we can see the opstree and opstree1 files have been created. We can also see a file named tree, created by the earlier installation of the tree utility.

Custom Directory or File

Here, I have a sample nodejs application which is being served. So I want to know if any changes have been done to this directory.

Figure 15: I have added the custom path of my application
Figure 16: Here we can see I have deleted my package.json file and created a directory opstree.
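The file_integrity module section that produces the events above, written out as an added example rather than the post’s own configuration. /bin and /etc/nginx are the paths the post discusses; /srv/node-app is a constructed placeholder for the Node.js application directory, and the exclude patterns, hashing and size limits are choices added here.

```yaml
# Added example: file_integrity module section of auditbeat.yml.
# /bin and /etc/nginx come from the post; /srv/node-app is a constructed placeholder.

auditbeat.modules:
- module: file_integrity
  paths:
    - /bin
    - /usr/bin
    - /sbin
    - /usr/sbin
    - /etc/nginx
    - /srv/node-app          # constructed path for the Node.js application directory
  # Watch subdirectories too; an application tree is rarely flat
  recursive: true
  # Ignore editor swap and backup files, which would otherwise flood the index
  exclude_files:
    - '(?i)\.sw[nop]$'
    - '~$'
  # Hash every file at startup so later changes are compared against a baseline
  scan_at_start: true
  scan_rate_per_sec: 50 MiB
  max_file_size: 100 MiB
  hash_types: [sha256]
```

With scan_at_start enabled, the first run emits one event per existing file (the baseline); from then on each created, updated, deleted or moved file produces an event carrying the old and new SHA-256 hashes, which is what makes a change such as the deleted package.json above attributable to a specific point in time.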

System Module

The System module collects important events about the system itself.

  • host (host information such as OS and kernel version)
  • login (login-related information such as failed attempts)
  • package (packages installed or deleted)
  • process (processes that have been started or stopped recently)
  • socket (network traffic to and from running processes)
  • user (users created or deleted)

Example: earlier we checked the login attempts made to our instance; the events displayed there came mainly from this module.

Now let’s say I want to know if a user has been added or deleted recently.

Figure 17: Filtering results to get user_added
Figure 18: Here we can see user opstree and prashant have been added

It is often better to remove the socket dataset from the system module, as it generates a lot of noise.

If I want to check processes that have been executed with root privileges, I can do it with the help of this nested query:


Figure 19: We can see a process executed with sudo privileges updating the auditbeat.yml file, and 23 events related to it overall.
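A system module configuration that follows the advice above and leaves the socket dataset out, as an added example rather than the post’s own file. The dataset list mirrors the one described in this section; the polling intervals and login record paths are assumptions.

```yaml
# Added example: system module section of auditbeat.yml with socket deliberately omitted.

auditbeat.modules:
- module: system
  datasets:
    - package                 # installed, updated and removed packages
  period: 2m                  # how often the package database is polled (assumed)

- module: system
  datasets:
    - host                    # OS, kernel version, IPs, uptime
    - login                   # logins, logouts, boots, failed attempts
    - process                 # started and stopped processes
    - user                    # users created or deleted
    # socket is not listed on purpose: it is the noisiest dataset
  # How often a full snapshot of current state (running processes, users) is re-sent
  state.period: 12h
  # Hash the password fields of /etc/passwd and /etc/shadow locally to detect changes
  user.detect_password_changes: true
  # Login records read by the login dataset (assumed default paths)
  login.wtmp_file_pattern: /var/log/wtmp*
  login.btmp_file_pattern: /var/log/btmp*
```

Splitting package into its own module instance lets it poll on a slower cadence than the state-based datasets, and the user.detect_password_changes option is what turns a silent password reset into a user_password_change event next to the user_added events shown above.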

Auditd Module

The Auditd module receives events from the Linux Audit Framework, which is part of the Linux kernel.

Using this module we can track specific syscalls, e.g. open, truncate, create, as well as files and directories that have been accessed.

System call auditing lets you track your system’s behavior on a level even below the application level.

Example rule: -a always,exit -S mkdir

Here the -a option adds a system call rule, whereas -d deletes one. This rule triggers an event whenever the mkdir system call exits (always,exit). Apart from exit, one can use (always,entry). The -S option names the system call, in this case mkdir.

Another example: -w /etc/passwd -p w

Here -w watches a file, and -p w restricts the watch to write access: all system calls requesting write permission on this file are analyzed.

Let’s add these rules to our auditbeat.yml.

Figure 20: Adding rules to monitor mkdir syscall and passwd file.

I have created a directory and using root privileges, changed /etc/passwd file. Let’s see if mkdir syscall is triggered or not and the same for /etc/passwd.

Figure 21: Filter results to get the auditd module
Figure 22: We can see event.module is auditd. As mkdir was called and exited, it is being tracked.
Figure 23: Here we can see event.module is auditd. As I have changed this file using sudo, it is triggered.

So we can check for any syscall being called and watch any file; mkdir can be replaced with any other system call.
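The auditd module section carrying the two rules discussed in this section, as an added example rather than the post’s own auditbeat.yml. The rules themselves are the post’s; the -F arch fields, the -k keys and the module options around them are additions made here.

```yaml
# Added example: auditd module section of auditbeat.yml with the two rules from the post.
# -F arch and -k are additions for 64-bit hosts and easier filtering; module options are assumed defaults.

auditbeat.modules:
- module: auditd
  resolve_ids: true          # translate uid/gid numbers into names in the event
  failure_mode: silent       # do not panic the kernel if the audit backlog overflows
  backlog_limit: 8192
  rate_limit: 0
  include_raw_message: false
  include_warnings: false
  audit_rules: |
    ## Syscall rule from the post: fire whenever mkdir exits. On a 64-bit host the
    ## 64-bit and 32-bit syscall tables differ, so one rule per arch is the safe form.
    -a always,exit -F arch=b64 -S mkdir -k mkdir_calls
    -a always,exit -F arch=b32 -S mkdir -k mkdir_calls

    ## Watch rule from the post: record every write to /etc/passwd. The -k key is a
    ## label attached to the resulting events so they are easy to filter in Kibana.
    -w /etc/passwd -p w -k passwd_writes
```

Because auditbeat loads these rules into the kernel itself, the host should not also run auditd with its own rule set on the same socket; and failure_mode: silent is the safe choice on a production host, since the panic mode halts the machine when events cannot be delivered.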

Data Exporters

Elastic SIEM also offers compatibility with other exporters.

Figure 24: Different data sources apart from auditbeat.

Let’s say you have a Cisco ASA Firewall, a security device with firewall, antivirus, intrusion prevention, and VPN capabilities. Select Cisco and configure it, and you will then be able to centrally manage the logs and events of the Cisco ASA Firewall.

You can use Elastic SIEM to centrally manage your events from other exporters as shown in Figure 24.


Elastic SIEM is one of the leading tools for viewing and centrally managing events.

Here we have discussed Elastic SIEM, its events, and how we can customize it. We also discussed the different modules of auditbeat and briefly showed their purpose and use cases.


Opstree is an End to End DevOps solution provider

