Running Auditbeat on Dockeredit

Docker images for Auditbeat are available from the Elastic Docker registry. You can retrieve an image with a docker pull command.

docker pull docker.elastic.co/beats/auditbeat:6.1.4

The base image is centos:7 and the source code can be found on GitHub.

Configure Auditbeat on Dockeredit

The Docker image provides several methods for configuring Auditbeat. The conventional approach is to provide a configuration file via a bind-mounted volume, but it’s also possible to create a custom image with your configuration included.

Bind-mounted configurationedit

One way to configure Auditbeat on Docker is to provide auditbeat.yml via bind-mounting. With docker run, the bind-mount can be specified like this:

docker run \
  -v ~/auditbeat.yml:/usr/share/auditbeat/auditbeat.yml \
  docker.elastic.co/beats/auditbeat:6.1.4
Custom image configurationedit

It’s possible to embed your Auditbeat configuration in a custom image. Here is an example Dockerfile to achieve this:

FROM docker.elastic.co/beats/auditbeat:6.1.4
COPY auditbeat.yml /usr/share/auditbeat/auditbeat.yml
USER root
RUN chown auditbeat /usr/share/auditbeat/auditbeat.yml
USER auditbeat

Special requirementsedit

Under Docker, Auditbeat runs as a non-root user, but requires some privileged capabilities to operate correctly. Ensure that the AUDIT_CONTROL and AUDIT_READ capabilities are available to the container.

It is also essential to run Auditbeat in the host PID namespace.

docker run --cap-add=AUDIT_CONTROL,AUDIT_READ --pid=host docker.elastic.co/beats/auditbeat:6.1.4