To configure Auditbeat, you edit the configuration file. For rpm and deb,
you’ll find the configuration file at
Docker, it’s located at
/usr/share/auditbeat/auditbeat.yml. For mac and win,
look in the archive that you just extracted.
There’s also a full example configuration file called
that shows all non-deprecated options.
See the Config File Format section of the Beats Platform Reference for more about the structure of the config file.
To configure Auditbeat:
Define the Auditbeat modules that you want to enable. Auditbeat uses modules to collect the audit information. For each module, specify the metricsets that you want to collect.
The following example shows the
file_integritymodule configured to generate events whenever a file in one of the specified paths changes on disk:
auditbeat.modules: - module: file_integrity paths: - /bin - /usr/bin - /sbin - /usr/sbin - /etc
If you accept the default configuration without specifying additional modules, Auditbeat uses a configuration that’s tailored to the operating system where Auditbeat is running.
See Configuring Auditbeat for more details about configuring modules.
If you are sending output to Elasticsearch (and not using Logstash), set the IP address and port where Auditbeat can find the Elasticsearch installation:
output.elasticsearch: hosts: ["127.0.0.1:9200"]
If you are sending output to Logstash, make sure you Configure the Logstash output instead.
If you plan to use the sample Kibana dashboards provided with Auditbeat, configure the Kibana endpoint:
setup.kibana: host: "localhost:5601"
hostis the hostname and port of the machine where Kibana is running, for example,
If you specify a path after the port number, you need to include the scheme and port:
If you’ve secured Elasticsearch and Kibana, you need to specify credentials in the config file before you run the commands that set up and start Auditbeat. For example:
This examples shows a hard-coded password, but you should store sensitive values in the secrets keystore.
passwordsettings for Kibana are optional. If you don’t specify credentials for Kibana, Auditbeat uses the
passwordspecified for the Elasticsearch output.
For more information, see Securing Auditbeat.
Before starting auditbeat, you should look at the configuration options in the configuration file. For more information about these options, see Configuring Auditbeat.