RHEL Auditbeat - "existing_package" spam

ziv

6/17/23, 9:14 AM

I have an RHEL (7.6) server I'm testing Auditbeat on. (on-premise, vmware)

I've noticed that, every day at 5:20AM, there is a spam of several hundred "existing_package" events. I don't see any automatic updates being on, but there might be a mechanism I don't know of.

With that in mind, the questions are:

How can I verify there are no automatic update mechanisms up? (I would like to check)
And in the case there are none, what could be causing this spam?

I checked the crontabs and there is no job scheduled for that time...

Additional information:

Auditbeat version: 7.2.0 (ELK version)
event.action: "existing_package"
event.dataset: "package"
event.kind: "state"
event.module: "system"
(Example) message: "Package selinux-policy (3.13.1) is already installed"
service.type: "system"

ELK forum post: https://discuss.elastic.co/t/existing-package-spam/297455

0 + 0

package-management

redhat

rhel7

elk

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: RHEL Auditbeat - "existing_package" spam

TH: RHEL Auditbeat - สแปม "existing_package"

RO: RHEL Auditbeat - spam „existing_package”.

RU: RHEL Auditbeat — спам «existing_package»

VI: RHEL Auditbeat - thư rác "có_gói"

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.