Specify which modules to runedit

To enable specific modules and metricsets, you add entries to the auditbeat.modules list in the auditbeat.yml config file. Each entry in the list begins with a dash (-) and is followed by settings for that module.

The following example shows a configuration that runs the audit module with the kernel and file metricsets enabled:


- module: audit
  metricsets: [kernel]
  kernel.audit_rules: |
    -w /etc/passwd -p wa -k identity
    -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access

- module: audit
  metricsets: [file]
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc

The configuration details vary by module. See the module documentation for more detail about configuring the available modules and metricsets.