audit module reports security-relevant information based on data captured
from the operating system (OS) or services running on the OS. Although this
feature doesn’t provide additional security to your system, it does make it
easier for you to discover and track security policy violations.
The Audit module supports the common configuration options that are described under configuring Auditbeat. Here is an example configuration:
auditbeat.modules: - module: audit metricsets: [kernel] kernel.audit_rules: | # Define audit rules here. # Create file watches (-w) or syscall audits (-a or -A). For example: #-w /etc/passwd -p wa -k identity #-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access - module: audit metricsets: [file] file.paths: - /bin - /usr/bin - /sbin - /usr/sbin - /etc
The following metricsets are available: