WARNING: Version 6.0 of Auditbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Audit Moduleedit
The audit module reports security-relevant information based on data captured
from the operating system (OS) or services running on the OS. Although this
feature doesn’t provide additional security to your system, it does make it
easier for you to discover and track security policy violations.
Example configurationedit
The Audit module supports the common configuration options that are described under configuring Auditbeat. Here is an example configuration:
auditbeat.modules:
- module: audit
metricsets: [kernel]
kernel.audit_rules: |
# Define audit rules here.
# Create file watches (-w) or syscall audits (-a or -A). For example:
#-w /etc/passwd -p wa -k identity
#-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
- module: audit
metricsets: [file]
file.paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc
Metricsetsedit
The following metricsets are available: