System login dataset

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

This is the login dataset of the system module.

Implementation

The login dataset is implemented for Linux only.

On Linux, the dataset reads the utmp files that keep track of logins and logouts to the system. They are usually located at /var/log/wtmp (successful logins) and /var/log/btmp (failed logins).

The file patterns used to locate the files can be configured using login.wtmp_file_pattern and login.btmp_file_pattern. By default, both the current files and any rotated files (e.g. wtmp.1, wtmp.2) are read.

utmp files are binary, but you can display their contents using the utmpdump utility.
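To make the binary format concrete, the following is an added example (not Auditbeat's own code) that decodes wtmp/btmp records into documents shaped like the one shown under Fields. It assumes the glibc struct utmp layout on x86_64 (384 bytes per record); all sample records are constructed in the block itself. The UID lookup against the passwd database that the real dataset performs is left out, and deriving event.outcome from whether the record came from a btmp file is this example's simplification of the wtmp/btmp split described above.

```python
"""Decode Linux utmp/wtmp/btmp records into login/logout event documents.
Added example, not Auditbeat code. Assumes glibc struct utmp on x86_64
(384 bytes per record); every record below is constructed test data."""
import ipaddress
import struct
from datetime import datetime, timezone
from typing import Optional

# struct utmp (glibc, x86_64): ut_type, 2 pad bytes, ut_pid, ut_line[32],
# ut_id[4], ut_user[32], ut_host[256], ut_exit (two shorts), ut_session,
# ut_tv (sec, usec), ut_addr_v6 (16 bytes), 20 unused bytes. Little-endian.
UTMP_STRUCT = struct.Struct("<hxxi32s4s32s256shhiii16s20x")
assert UTMP_STRUCT.size == 384

BOOT_TIME = 2      # system boot record; not a login, skipped below
USER_PROCESS = 7   # a user session began (login)
DEAD_PROCESS = 8   # a session ended (logout)


def _cstr(field: bytes) -> str:
    """Decode a NUL-padded fixed-width char array."""
    return field.split(b"\0", 1)[0].decode("utf-8", "replace")


def _addr(raw16: bytes) -> Optional[str]:
    """ut_addr_v6 holds an IPv4 in the first 4 bytes (rest zero) or a full IPv6."""
    if raw16 == b"\0" * 16:
        return None
    if raw16[4:] == b"\0" * 12:
        return str(ipaddress.IPv4Address(raw16[:4]))
    return str(ipaddress.IPv6Address(raw16))


def parse_record(raw: bytes, origin: str) -> Optional[dict]:
    """Turn one record into an event document; None for non-login bookkeeping records."""
    (ut_type, pid, line, _id, user, host, _term, _exit, _session,
     sec, usec, addr16) = UTMP_STRUCT.unpack(raw)
    if ut_type == USER_PROCESS:
        action = "user_login"
        # btmp holds failed logins, wtmp successful ones (see the text above),
        # so this example derives the outcome from the file the record came from.
        outcome = "failure" if "btmp" in origin else "success"
    elif ut_type == DEAD_PROCESS:
        action, outcome = "user_logout", "success"
    else:
        return None
    user, line, host, ip = _cstr(user), _cstr(line), _cstr(host), _addr(addr16)
    ts = (datetime.fromtimestamp(sec, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
          + f".{usec // 1000:03d}Z")
    verb = "Login" if action == "user_login" else "Logout"
    msg = f"{verb} by user {user} on {line} (PID: {pid})"
    if host or ip:
        msg += f" from {host or ip} (IP: {ip or 'unknown'})"
    event = {
        "@timestamp": ts,
        "event": {"action": action, "dataset": "login", "kind": "event",
                  "module": "system", "origin": origin, "outcome": outcome},
        "message": msg,
        "process": {"pid": pid},
        "user": {"name": user, "terminal": line},
    }
    if ip:
        event["source"] = {"ip": ip}
    return event


def parse_file(data: bytes, origin: str) -> list:
    """Walk a whole utmp-format file; a trailing partial record is ignored."""
    size = UTMP_STRUCT.size
    events = []
    for off in range(0, len(data) - len(data) % size, size):
        event = parse_record(data[off:off + size], origin)
        if event is not None:
            events.append(event)
    return events


def build_record(ut_type: int, pid: int, line: str, user: str, host: str,
                 sec: int, usec: int, ip: Optional[str] = None) -> bytes:
    """Pack a constructed record (real ones are written by login, sshd, init)."""
    addr16 = ipaddress.ip_address(ip).packed.ljust(16, b"\0") if ip else b"\0" * 16
    return UTMP_STRUCT.pack(ut_type, pid, line.encode(), b"", user.encode(),
                            host.encode(), 0, 0, 0, sec, usec, addr16)


# Constructed sample files: a boot record, a login and its logout (wtmp) and one
# failed attempt (btmp). 1507795534 is 2017-10-12T08:05:34Z, the page's timestamp.
T0 = 1507795534
SAMPLE_WTMP = (
    build_record(BOOT_TIME, 0, "~", "reboot", "", T0 - 600, 0)
    + build_record(USER_PROCESS, 17559, "pts/1", "vagrant", "10.0.2.2", T0, 853000, "10.0.2.2")
    + build_record(DEAD_PROCESS, 17559, "pts/1", "vagrant", "", T0 + 120, 0)
)
SAMPLE_BTMP = build_record(USER_PROCESS, 17802, "ssh:notty", "root", "192.0.2.10",
                           T0 + 5, 0, "192.0.2.10")

if __name__ == "__main__":
    for doc in parse_file(SAMPLE_WTMP, "/var/log/wtmp.1") + parse_file(SAMPLE_BTMP, "/var/log/btmp"):
        print(doc["@timestamp"], doc["event"]["outcome"], doc["message"])
```

Running the block against a real file (for example `parse_file(open("/var/log/wtmp", "rb").read(), "/var/log/wtmp")`) gives the same kind of documents the dataset emits, which is a convenient way to check that what utmpdump shows matches what ends up in the index. Record layouts differ between architectures and libc versions, so the struct format string is the first thing to adjust on a non-x86_64 host.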

Example dashboard

The dataset comes with a sample dashboard:

Auditbeat System Login Dashboard

Fields

For a description of each field in the dataset, see the exported fields section.

Here is an example document generated by this dataset:

{
    "@timestamp": "2017-10-12T08:05:34.853Z",
    "agent": {
        "hostname": "host.example.com",
        "name": "host.example.com"
    },
    "event": {
        "action": "user_login",
        "dataset": "login",
        "kind": "event",
        "module": "system",
        "origin": "/var/log/wtmp.1",
        "outcome": "success"
    },
    "message": "Login by user vagrant (UID: 1000) on pts/1 (PID: 17559) from 10.0.2.2 (IP: 10.0.2.2)",
    "process": {
        "pid": 17559
    },
    "service": {
        "type": "system"
    },
    "source": {
        "ip": "10.0.2.2"
    },
    "user": {
        "id": 1000,
        "name": "vagrant",
        "terminal": "pts/1"
    }
}