
RHEL Auditbeat - "existing_package" spam

ziv

I have a RHEL (7.6) server I'm testing Auditbeat on (on-premise, VMware).

I've noticed that, every day at 5:20AM, there is a spam of several hundred "existing_package" events. I don't see any automatic updates being on, but there might be a mechanism I don't know of.

With that in mind, the questions are:

  1. How can I verify there are no automatic update mechanisms up? (I would like to check)
  2. And in the case there are none, what could be causing this spam?

I checked the crontabs and there is no job scheduled for that time...

Additional information:

  • Auditbeat version: 7.2.0 (ELK version)
  • event.action: "existing_package"
  • event.dataset: "package"
  • event.kind: "state"
  • event.module: "system"
  • (Example) message: "Package selinux-policy (3.13.1) is already installed"
  • service.type: "system"

ELK forum post: https://discuss.elastic.co/t/existing-package-spam/297455
