Docker images for Auditbeat are available from the Elastic Docker
registry. You can retrieve an image with a
docker pull command.
docker pull docker.elastic.co/beats/auditbeat:6.2.4
Configure Auditbeat on Dockeredit
The Docker image provides several methods for configuring Auditbeat. The conventional approach is to provide a configuration file via a bind mount, but it’s also possible to create a custom image with your configuration included.
One way to configure Auditbeat on Docker is to provide
auditbeat.yml via a bind mount.
docker run, the bind mount can be specified like this:
docker run \ --mount type=bind,source="$(pwd)"/auditbeat.yml,target=/usr/share/auditbeat/auditbeat.yml \ docker.elastic.co/beats/auditbeat:6.2.4
Custom image configurationedit
It’s possible to embed your Auditbeat configuration in a custom image. Here is an example Dockerfile to achieve this:
FROM docker.elastic.co/beats/auditbeat:6.2.4 COPY auditbeat.yml /usr/share/auditbeat/auditbeat.yml
Under Docker, Auditbeat runs as a non-root user, but requires some privileged
capabilities to operate correctly. Ensure that the
capabilities are available to the container.
It is also essential to run Auditbeat in the host PID namespace.
docker run --cap-add=AUDIT_CONTROL,AUDIT_READ --pid=host docker.elastic.co/beats/auditbeat:6.2.4