WARNING: Version 6.0 of Filebeat has passed its EOL date.

This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.

Elastic Docs Filebeat Reference [6.0] Modules
« Apache2 module Icinga module »

Auditd moduleedit

The auditd module collects and parses logs from the audit daemon (auditd).

When you run the module, it performs a few tasks under the hood:

  • Sets the default paths to the log files (but don’t worry, you can override the defaults)
  • Makes sure each multiline log event gets sent as a single event
  • Uses ingest node to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
  • Deploys dashboards for visualizing the log data

Compatibilityedit

The auditd module was tested with logs from auditd on OSes like CentOS 6 and CentOS 7.

This module is not available for Windows.

Set up and run the moduleedit

If you’ve secured Elasticsearch and Kibana, you need to configure the username and password options in the Elasticsearch output before setting up and running the module. See Configure the Elasticsearch output.

Before doing these steps, verify that Elasticsearch and Kibana are running and that Elasticsearch is ready to receive data from Filebeat.

To set up and run the module:

  1. Enable the module:

    ./filebeat modules enable auditd

    The modules enable command enables the auditd config defined in the modules.d directory. See Specify which modules to run for other ways to enable modules.

    To see a list of enabled and disabled modules, run:

    ./filebeat modules list

  2. Set up the initial environment:

    ./filebeat setup -e

    The setup command loads the recommended index template for writing to Elasticsearch and deploys the sample dashboards for visualizing the data in Kibana. This is a one-time setup step.

    The -e flag is optional and sends output to standard error instead of syslog.

  3. Run Filebeat:

    ./filebeat -e

    If the module is configured correctly, you’ll see INFO Harvester started messages for each file specified in the config.

    If your logs aren’t in the default location, see Configure the module, then run Filebeat after you’ve configured the module.

    Depending on how you’ve installed Filebeat, you might see errors related to file ownership or permissions when you try to run Filebeat modules. See Config File Ownership and Permissions in the Beats Platform Reference if you encounter errors related to file ownership or permissions.

  4. Explore your data in Kibana:

    1. Open your browser and navigate to the Dashboard overview in Kibana: http://localhost:5601/app/kibana#/dashboards. Replace localhost with the name of the Kibana host.
    2. If security is enabled, log in with the Kibana username and password that you used when you set up security.

    3. Enter auditd in the search box, then open a dashboard and explore the visualizations for your parsed logs.

      If you don’t see data in Kibana, try changing the date range to a larger range. By default, Kibana shows the last 15 minutes.

Example dashboardedit

This module comes with a sample dashboard showing an overview of the audit log data. You can build more specific dashboards that are tailored to the audit rules that you use on your systems.

kibana audit auditd

Configure the moduleedit

You can further refine the behavior of the auditd module by specifying variable settings in the modules.d/auditd.yml file, or overriding settings at the command line.

The following example shows how to set paths in the modules.d/auditd.yml file to override the default paths for logs:

- module: auditd
  log:
    enabled: true
    var.paths: ["/path/to/log/audit/audit.log*"]

To specify the same settings at the command line, you use:

./filebeat --modules auditd -M "auditd.log.var.paths=[/path/to/log/audit/audit.log*]"

Variable settingsedit

The auditd module provides the following settings for configuring the behavior of the module. Each fileset has separate settings.

If you don’t specify variable settings, the auditd module uses the defaults.

For more information, see Specify variable settings. Also see Advanced settings.

When you specify a setting at the command line, remember to prefix the setting with the module name, for example, auditd.log.var.paths instead of log.var.paths.

log fileset settingsedit

var.paths
An array of paths that specify where to look for the log files. If left empty, Filebeat will choose the paths depending on your operating systems.

Fieldsedit

For a description of each field in the module, see the exported fields section.

« Apache2 module Icinga module »