Step 2: Configure Auditbeat

To configure Auditbeat, you edit the configuration file. For rpm and deb, you’ll find the configuration file at /etc/auditbeat/auditbeat.yml. For mac and win, look in the archive that you just extracted. There’s also a full example configuration file called auditbeat.reference.yml that shows all non-deprecated options.

See the Config File Format section of the Beats Platform Reference for more about the structure of the config file.

To configure Auditbeat:

  1. Define the Auditbeat modules that you want to enable. Auditbeat uses modules to collect the audit information. For each module, specify the metricsets that you want to collect.

    The following example shows the file_integrity module configured to generate events whenever a file in one of the specified paths changes on disk:

    auditbeat.modules:
    
    - module: file_integrity
      paths:
      - /bin
      - /usr/bin
      - /sbin
      - /usr/sbin
      - /etc

    If you accept the default configuration without specifying additional modules, Auditbeat uses a configuration that’s tailored to the operating system where Auditbeat is running.

    See Configuring Auditbeat for more details about configuring modules.

  2. If you are sending output to Elasticsearch (and not using Logstash), set the IP address and port where Auditbeat can find the Elasticsearch installation:

    output.elasticsearch:
      hosts: ["127.0.0.1:9200"]

    If you are sending output to Logstash, make sure you Configure the Logstash output instead.

  3. If you plan to use the sample Kibana dashboards provided with Auditbeat, configure the Kibana endpoint:

    setup.kibana:
      host: "localhost:5601"

    Where host is the hostname and port of the machine where Kibana is running, for example, localhost:5601.

    If you specify a path after the port number, you need to include the scheme and port: http://localhost:5601/path.

  4. If you’ve secured Elasticsearch and Kibana, you need to specify credentials in the config file before you run the commands that set up and start Auditbeat. For example:

    output.elasticsearch:
      hosts: ["myEShost:9200"]
      username: "elastic"
      password: "elastic"
    setup.kibana:
      host: "mykibanahost:5601"
      username: "elastic"  
      password: "elastic"

    The username and password settings for Kibana are optional. If you don’t specify credentials for Kibana, Auditbeat uses the username and password specified for the Elasticsearch output.

    If you are planning to set up the Kibana dashboards, the user must have the kibana_user built-in role or equivalent privileges.

    Also see the security-related options described in Set up the Kibana endpoint and Configure the Elasticsearch output.

To test your configuration file, change to the directory where the Auditbeat binary is installed, and run Auditbeat in the foreground with the following options specified: ./auditbeat test config -e. Make sure your config files are in the path expected by Auditbeat (see Directory layout), or use the -c flag to specify the path to the config file.

Before starting auditbeat, you should look at the configuration options in the configuration file. For more information about these options, see Configuring Auditbeat.