I have an RHEL (7.6) server I'm testing Auditbeat on (on-premise, VMware).
I've noticed that, every day at 5:20 AM, there is a spam of several hundred "existing_package" events. I don't see any automatic updates being on, but there might be a mechanism I don't know of.
With that in mind, the questions are:
- How can I verify there are no automatic update mechanisms up? (I would like to check)
- And in the case there are none, what could be causing this spam?
I checked the crontabs and there is no job scheduled for that time...
Additional information:
- Auditbeat version: 7.2.0 (ELK version)
- event.action: "existing_package"
- event.dataset: "package"
- event.kind: "state"
- event.module: "system"
- (Example) message: "Package selinux-policy (3.13.1) is already installed"
- service.type: "system"
ELK forum post: https://discuss.elastic.co/t/existing-package-spam/297455