Running Auditbeat on Dockeredit

Docker images for Auditbeat are available from the Elastic Docker registry. The base image is centos:7.

A list of all published Docker images and tags is available at The source code is in GitHub.

These images are free to use under the Elastic license. They contain open source and free commercial features and access to paid commercial features. Start a 30-day trial to try out all of the paid commercial features. See the Subscriptions page for information about Elastic license levels.

Pulling the imageedit

Obtaining Beats for Docker is as simple as issuing a docker pull command against the Elastic Docker registry.

docker pull

Alternatively, you can download other Docker images that contain only features available under the Apache 2.0 license. To download the images, go to

Configure Auditbeat on Dockeredit

The Docker image provides several methods for configuring Auditbeat. The conventional approach is to provide a configuration file via a bind mount, but it’s also possible to create a custom image with your configuration included.

Bind-mounted configurationedit

One way to configure Auditbeat on Docker is to provide auditbeat.yml via a bind mount. With docker run, the bind mount can be specified like this:

docker run \
  --mount type=bind,source="$(pwd)"/auditbeat.yml,target=/usr/share/auditbeat/auditbeat.yml \
Custom image configurationedit

It’s possible to embed your Auditbeat configuration in a custom image. Here is an example Dockerfile to achieve this:

COPY auditbeat.yml /usr/share/auditbeat/auditbeat.yml

Special requirementsedit

Under Docker, Auditbeat runs as a non-root user, but requires some privileged capabilities to operate correctly. Ensure that the AUDIT_CONTROL and AUDIT_READ capabilities are available to the container.

It is also essential to run Auditbeat in the host PID namespace.

docker run --cap-add=AUDIT_CONTROL,AUDIT_READ --pid=host