WARNING: Version 6.2 of Auditbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
To configure Auditbeat, you edit the configuration file. For rpm and deb,
you’ll find the configuration file at
For mac and win, look in the archive that you just extracted. There’s also a
full example configuration file called
auditbeat.reference.yml that shows
all non-deprecated options.
See the Config File Format section of the Beats Platform Reference for more about the structure of the config file.
To configure Auditbeat:
Define the Auditbeat modules that you want to enable. Auditbeat uses modules to collect the audit information. For each module, specify the metricsets that you want to collect.
The following example shows the
file_integritymodule configured to generate events whenever a file in one of the specified paths changes on disk:
auditbeat.modules: - module: file_integrity paths: - /bin - /usr/bin - /sbin - /usr/sbin - /etc
If you accept the default configuration without specifying additional modules, Auditbeat uses a configuration that’s tailored to the operating system where Auditbeat is running.
See Configuring Auditbeat for more details about configuring modules.
If you are sending output to Elasticsearch (and not using Logstash), set the IP address and port where Auditbeat can find the Elasticsearch installation:
output.elasticsearch: hosts: ["127.0.0.1:9200"]
If you are sending output to Logstash, make sure you Configure the Logstash output instead.
If you plan to use the sample Kibana dashboards provided with Auditbeat, configure the Kibana endpoint:
setup.kibana: host: "localhost:5601"
hostis the hostname and port of the machine where Kibana is running, for example,
If you specify a path after the port number, you need to include the scheme and port:
If you’ve secured Elasticsearch and Kibana, you need to specify credentials in the config file before you run the commands that set up and start Auditbeat. For example:
passwordsettings for Kibana are optional. If you don’t specify credentials for Kibana, Auditbeat uses the
passwordspecified for the Elasticsearch output.
To test your configuration file, change to the directory where the
Auditbeat binary is installed, and run Auditbeat in the foreground with
the following options specified:
./auditbeat test config -e. Make sure your
config files are in the path expected by Auditbeat (see Directory layout),
or use the
-c flag to specify the path to the config file.
Before starting auditbeat, you should look at the configuration options in the configuration file. For more information about these options, see Configuring Auditbeat.