Step 2: Configure Auditbeatedit

To configure Auditbeat, you edit the configuration file. For rpm and deb, you’ll find the configuration file at /etc/auditbeat/auditbeat.yml. For mac and win, look in the archive that you just extracted. There’s also a full example configuration file called auditbeat.reference.yml that shows all non-deprecated options.

See the Config File Format section of the Beats Platform Reference for more about the structure of the config file.

To configure Auditbeat:

  1. Define the Auditbeat modules that you want to enable. Auditbeat uses modules to collect the audit information. For each module, specify the metricsets that you want to collect.

    The following example shows the file metricset configured to generate events whenever a file in one of the specified paths changes on disk:

    - module: audit
      metricsets: [file]
      - /bin
      - /usr/bin
      - /sbin
      - /usr/sbin
      - /etc

    If you accept the default configuration without specifying additional modules, Auditbeat uses a configuration that’s tailored to the operating system where Auditbeat is running.

    See Configuring Auditbeat for more details about configuring modules.

  2. If you are sending output to Elasticsearch (and not using Logstash), set the IP address and port where Auditbeat can find the Elasticsearch installation:

      hosts: [""]

    If you are sending output to Logstash, make sure you Configure the Logstash output instead.

  3. If you plan to use the sample Kibana dashboards provided with Auditbeat, configure the Kibana endpoint:

      host: "localhost:5601"

    Where host is the hostname and port of the machine where Kibana is running, for example, localhost:5601.


    If you specify a path after the port number, you need to include the scheme and port: http://localhost:5601/path.

  4. If you’ve secured Elasticsearch and Kibana, you need to pass credentials when you run the commands that set up and start Auditbeat. You can either pass credentials at the command line (as shown later in the getting started guide), or specify credentials in the config file. If you plan to run Auditbeat as a service, you must specify credentials in the config file.

    For example:

      hosts: ["myEShost:9200"]
      username: elastic
      password: elastic
      host: "mykibanahost:5601"
      username: elastic
      password: elastic

    Also see the security-related options described in Set up the Kibana endpoint and Configure the Elasticsearch output.

Before starting auditbeat, you should look at the configuration options in the configuration file. For more information about these options, see Configuring Auditbeat.