Auditbeat Docker images can be used on Kubernetes to check files integrity.
Kubernetes deploy manifestsedit
By deploying Auditbeat as a DaemonSet we ensure we get a running instance on each node of the cluster.
Everything is deployed under
kube-system namespace, you can change that by
updating the YAML file.
To get the manifests just run:
curl -L -O https://raw.githubusercontent.com/elastic/beats/7.8/deploy/kubernetes/auditbeat-kubernetes.yaml
If you are using Kubernetes 1.7 or earlier: Auditbeat uses a hostPath volume to persist internal data, it’s located
under /var/lib/auditbeat-data. The manifest uses folder autocreation (
DirectoryOrCreate), which was introduced in
Kubernetes 1.8. You will need to remove
type: DirectoryOrCreate from the manifest and create the host folder yourself.
Some parameters are exposed in the manifest to configure logs destination, by default they will use an existing Elasticsearch deploy if it’s present, but you may want to change that behavior, so just edit the YAML file and modify them:
- name: ELASTICSEARCH_HOST value: elasticsearch - name: ELASTICSEARCH_PORT value: "9200" - name: ELASTICSEARCH_USERNAME value: elastic - name: ELASTICSEARCH_PASSWORD value: changeme
To deploy Auditbeat to Kubernetes just run:
kubectl create -f auditbeat-kubernetes.yaml
Then you should be able to check the status by running:
$ kubectl --namespace=kube-system get ds/auditbeat NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE-SELECTOR AGE auditbeat 32 32 0 32 0 <none> 1m
Auditbeat is able to monitor the file integrity of files in pods,
to do that, the directories with the container root file systems have to be
mounted as volumes in the Auditbeat container. For example, containers
executed with containerd have their root file systems under
The reference manifest contains an example of this.