To configure Auditbeat, you edit the configuration file. The default
configuration file is called
auditbeat.yml. The location of the file
varies by platform. To locate the file, see Directory layout.
There’s also a full example configuration file called
that shows all non-deprecated options.
See the Config File Format section of the Beats Platform Reference for more about the structure of the config file.
To configure Auditbeat:
Define the Auditbeat modules that you want to enable. Auditbeat uses modules to collect the audit information. For each module, specify the metricsets that you want to collect.
The following example shows the
file_integritymodule configured to generate events whenever a file in one of the specified paths changes on disk:
auditbeat.modules: - module: file_integrity paths: - /bin - /usr/bin - /sbin - /usr/sbin - /etc
If you accept the default configuration without specifying additional modules, Auditbeat uses a configuration that’s tailored to the operating system where Auditbeat is running.
See Configuring Auditbeat for more details about configuring modules.
Configure the output. Auditbeat supports a variety of outputs, but typically you’ll either send events directly to Elasticsearch, or to Logstash for additional processing.
To send output directly to Elasticsearch (without using Logstash), set the location of the Elasticsearch installation:
If you’re running Elasticsearch on your own hardware, set the host and port where Auditbeat can find the Elasticsearch installation. For example:
output.elasticsearch: hosts: ["myEShost:9200"]
If you plan to use the sample Kibana dashboards provided with Auditbeat, configure the Kibana endpoint. You can skip this step if Kibana is running on the same host as Elasticsearch.
If Elasticsearch and Kibana are secured, set credentials in the
auditbeat.ymlconfig file before you run the commands that set up and start Auditbeat.
If you’re running Elasticsearch on your own hardware, specify your Elasticsearch and Kibana credentials:
This examples shows a hard-coded password, but you should store sensitive values in the secrets keystore.
passwordsettings for Kibana are optional. If you don’t specify credentials for Kibana, Auditbeat uses the
passwordspecified for the Elasticsearch output.
To use the pre-built Kibana dashboards, this user must have the
kibana_userbuilt-in role or equivalent privileges.
For more information, see Securing Auditbeat.
To test your configuration file, change to the directory where the
Auditbeat binary is installed, and run Auditbeat in the foreground with
the following options specified:
./auditbeat test config -e. Make sure your
config files are in the path expected by Auditbeat (see Directory layout),
or use the
-c flag to specify the path to the config file.
Before starting Auditbeat, you should look at the configuration options in the configuration file. For more information about these options, see Configuring Auditbeat.