• Auditbeat Reference
  • Auditbeat overview
  • Quick start: installation and configuration
  • Set up and run
    • Directory layout
    • Secrets keystore
    • Command reference
    • Repositories for APT and YUM
    • Run Auditbeat on Docker
    • Running Auditbeat on Kubernetes
    • Auditbeat and systemd
    • Start Auditbeat
    • Stop Auditbeat
  • Upgrade Auditbeat
  • Configure
    • Modules
    • General settings
    • Project paths
    • Config file reloading
    • Output
      • Elasticsearch Service
      • Elasticsearch
      • Logstash
      • Kafka
      • Redis
      • File
      • Console
      • Change the output codec
    • Kerberos
    • SSL
    • Index lifecycle management (ILM)
    • Elasticsearch index template
    • Kibana endpoint
    • Kibana dashboards
    • Processors
      • Define processors
      • add_cloud_metadata
      • add_cloudfoundry_metadata
      • add_docker_metadata
      • add_fields
      • add_host_metadata
      • add_id
      • add_kubernetes_metadata
      • add_labels
      • add_locale
      • add_network_direction
      • add_nomad_metadata
      • add_observer_metadata
      • add_process_metadata
      • add_tags
      • community_id
      • convert
      • copy_fields
      • decode_base64_field
      • decode_json_fields
      • decode_xml
      • decode_xml_wineventlog
      • decompress_gzip_field
      • detect_mime_type
      • dissect
      • dns
      • drop_event
      • drop_fields
      • extract_array
      • fingerprint
      • include_fields
      • rate_limit
      • registered_domain
      • rename
      • translate_sid
      • truncate_fields
      • urldecode
    • Internal queue
    • Logging
    • HTTP endpoint
    • Regular expression support
    • Instrumentation
    • auditbeat.reference.yml
  • How to guides
    • Load the Elasticsearch index template
    • Change the index name
    • Load Kibana dashboards
    • Enrich events with geoIP information
    • Parse data by using ingest node
    • Use environment variables in the configuration
    • Avoid YAML formatting problems
  • Modules
    • Auditd Module
    • File Integrity Module
    • System Module
      • System host dataset
      • System login dataset
      • System package dataset
      • System process dataset
      • System socket dataset
      • System user dataset
  • Exported fields
    • Auditd fields
    • Beat fields
    • Cloud provider metadata fields
    • Common fields
    • Docker fields
    • ECS fields
    • File Integrity fields
    • Host fields
    • Jolokia Discovery autodiscover provider fields
    • Kubernetes fields
    • Process fields
    • System fields
  • Monitor
    • Use internal collection
      • Settings for internal collection
    • Use Metricbeat collection
    • Use legacy collection (deprecated)
      • Settings for legacy collection
  • Secure
    • Grant users access to secured resources
      • Create a setup user
      • Create a monitoring user
      • Create a publishing user
      • Create a reader user
      • Learn more about privileges, roles, and users
    • Grant access using API keys
    • Secure communication with Elasticsearch
    • Secure communication with Logstash
    • Use Linux Secure Computing Mode (seccomp)
  • Troubleshoot
    • Get Help
    • Debug
    • Common problems
      • Auditbeat fails to watch folders because too many files are open
      • Auditbeat uses too much bandwidth
      • Error loading config file
      • Found unexpected or unknown characters
      • Logstash connection doesn’t work
      • Publishing to Logstash fails with "connection reset by peer" message
      • @metadata is missing in Logstash
      • Not sure whether to use Logstash or Beats
      • SSL client fails to connect to Logstash
      • Monitoring UI shows fewer Beats than expected
      • Dashboard could not locate the index-pattern
  • Contribute to Beats