Docker images for Auditbeat are available from the Elastic Docker registry. The base image is centos:7.
A list of all published Docker images and tags is available at www.docker.elastic.co.
These images are free to use under the Elastic license. They contain open source and free commercial features and access to paid commercial features. Start a 30-day trial to try out all of the paid commercial features. See the Subscriptions page for information about Elastic license levels.
Obtaining Auditbeat for Docker is as simple as issuing a
docker pull command
against the Elastic Docker registry.
docker pull docker.elastic.co/beats/auditbeat:7.4.2
Alternatively, you can download other Docker images that contain only features available under the Apache 2.0 license. To download the images, go to www.docker.elastic.co.
Running Auditbeat with the setup command will create the index pattern and load visualizations , dashboards, and machine learning jobs. Run this command:
Substitute your Kibana and Elasticsearch hosts and ports.
If you are using the hosted Elasticsearch Service in Elastic Cloud, replace
-E cloud.id=<Cloud ID from Elasticsearch Service> \ -E cloud.auth=elastic:<elastic password>
The Docker image provides several methods for configuring Auditbeat. The conventional approach is to provide a configuration file via a volume mount, but it’s also possible to create a custom image with your configuration included.
Download this example configuration file as a starting point:
curl -L -O https://raw.githubusercontent.com/elastic/beats/7.4/deploy/docker/auditbeat.docker.yml
One way to configure Auditbeat on Docker is to provide
auditbeat.docker.yml via a volume mount.
docker run, the volume mount can be specified like this.
docker run -d \ --name=auditbeat \ --user=root \ --volume="$(pwd)/auditbeat.docker.yml:/usr/share/auditbeat/auditbeat.yml:ro" \ --cap-add="AUDIT_CONTROL" \ --cap-add="AUDIT_READ" \ --pid=host \ docker.elastic.co/beats/auditbeat:7.4.2 -e \ --strict.perms=false \ -E output.elasticsearch.hosts=["elasticsearch:9200"]
auditbeat.docker.yml downloaded earlier should be customized for your environment. See Configuring Auditbeat for more details. Edit the configuration file and customize it to match your environment then re-deploy your Auditbeat container.
It’s possible to embed your Auditbeat configuration in a custom image. Here is an example Dockerfile to achieve this:
FROM docker.elastic.co/beats/auditbeat:7.4.2 COPY auditbeat.yml /usr/share/auditbeat/auditbeat.yml
Under Docker, Auditbeat runs as a non-root user, but requires some privileged
capabilities to operate correctly. Ensure that the
capabilities are available to the container.
It is also essential to run Auditbeat in the host PID namespace.
docker run --cap-add=AUDIT_CONTROL,AUDIT_READ --pid=host docker.elastic.co/beats/auditbeat:7.4.2