Running Auditbeat on Docker

Docker images for Auditbeat are available from the Elastic Docker registry. You can retrieve an image with a docker pull command.

docker pull docker.elastic.co/beats/auditbeat:6.2.4

The base image is centos:7 and the source code can be found on GitHub.

Configure Auditbeat on Docker

The Docker image provides several methods for configuring Auditbeat. The conventional approach is to provide a configuration file via a bind mount, but it’s also possible to create a custom image with your configuration included.

Bind-mounted configuration

One way to configure Auditbeat on Docker is to provide auditbeat.yml via a bind mount. With docker run, the bind mount can be specified like this:

docker run \
  --mount type=bind,source="$(pwd)"/auditbeat.yml,target=/usr/share/auditbeat/auditbeat.yml \
  docker.elastic.co/beats/auditbeat:6.2.4

Custom image configuration

It’s possible to embed your Auditbeat configuration in a custom image. Here is an example Dockerfile to achieve this:

FROM docker.elastic.co/beats/auditbeat:6.2.4
COPY auditbeat.yml /usr/share/auditbeat/auditbeat.yml

Special requirements

Under Docker, Auditbeat runs as a non-root user, but requires some privileged capabilities to operate correctly. Ensure that the AUDIT_CONTROL and AUDIT_READ capabilities are available to the container.

It is also essential to run Auditbeat in the host PID namespace.

docker run --cap-add=AUDIT_CONTROL --cap-add=AUDIT_READ --pid=host docker.elastic.co/beats/auditbeat:6.2.4
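The bind-mounted configuration and the special requirements above are usually combined into one docker run invocation. The following POSIX shell script is an added example, not part of the Auditbeat documentation or the Beats project: it assembles that invocation from the pieces this page describes and lints a command line before it is run, so a deployment that lost a capability or the host PID namespace, or that reached for --privileged instead, is caught early. It does not call docker itself. The container name (auditbeat), the detached -d flag, the readonly mount option and one --cap-add per capability are this example's own choices; the image tag and the container-side config path are the page's.

```shell
#!/bin/sh
# Added example (not from the Auditbeat docs): build and lint the docker run
# command for Auditbeat 6.2.4 on Docker. Nothing here executes docker.

AUDITBEAT_IMAGE="docker.elastic.co/beats/auditbeat:6.2.4"   # image tag from the page

# Print the full docker run command line for a host-side auditbeat.yml.
# $1: absolute path to auditbeat.yml on the host.
# Container name, -d and the readonly mount flag are this example's choices.
auditbeat_run_cmd() {
  cfg="$1"
  echo "docker run -d --name auditbeat" \
       "--cap-add=AUDIT_CONTROL --cap-add=AUDIT_READ" \
       "--pid=host" \
       "--mount type=bind,source=${cfg},target=/usr/share/auditbeat/auditbeat.yml,readonly" \
       "${AUDITBEAT_IMAGE}"
}

# Lint a docker run command line against the requirements on this page:
# both audit capabilities and the host PID namespace must be present, and
# --privileged is rejected because it grants far more than those two
# capabilities. Returns 0 when the line passes, 1 otherwise, and names each
# problem on stderr.
# $1: the command line as a single string.
check_auditbeat_run_cmd() {
  cmd="$1"
  rc=0
  case "$cmd" in
    *AUDIT_CONTROL*) ;;
    *) echo "missing: --cap-add=AUDIT_CONTROL" >&2; rc=1 ;;
  esac
  case "$cmd" in
    *AUDIT_READ*) ;;
    *) echo "missing: --cap-add=AUDIT_READ" >&2; rc=1 ;;
  esac
  case "$cmd" in
    *--pid=host*) ;;
    *) echo "missing: --pid=host (Auditbeat must run in the host PID namespace)" >&2; rc=1 ;;
  esac
  case "$cmd" in
    *--privileged*) echo "refuse: --privileged; grant only AUDIT_CONTROL and AUDIT_READ" >&2; rc=1 ;;
  esac
  return "$rc"
}

# Usage: sh auditbeat-run.sh --print   (assumption: ./auditbeat.yml exists)
# prints the linted command for the config in the current directory.
if [ "${1:-}" = "--print" ]; then
  cmd="$(auditbeat_run_cmd "$(pwd)/auditbeat.yml")"
  check_auditbeat_run_cmd "$cmd" && echo "$cmd"
fi
```

The lint is deliberately a substring check on the command line rather than a parse of docker's flag syntax, so it accepts both --cap-add=AUDIT_CONTROL,AUDIT_READ and one --cap-add per capability; the generator emits the per-capability form, which Docker accepts unambiguously. Mounting auditbeat.yml readonly keeps the container from altering the configuration that decides what it audits.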