WARNING: Version 6.0 of Filebeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
auditd module collects and parses logs from the audit daemon
When you run the module, it performs a few tasks under the hood:
- Sets the default paths to the log files (but don’t worry, you can override the defaults)
- Makes sure each multiline log event gets sent as a single event
- Uses ingest node to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
- Deploys dashboards for visualizing the log data
auditd module was tested with logs from
auditd on OSes like CentOS
6 and CentOS 7.
This module is not available for Windows.
If you’ve secured Elasticsearch and Kibana, you need to configure the
password options in the Elasticsearch output before setting up
and running the module. See
Configure the Elasticsearch output.
Before doing these steps, verify that Elasticsearch and Kibana are running and that Elasticsearch is ready to receive data from Filebeat.
To set up and run the module:
Enable the module:
./filebeat modules enable auditd
To see a list of enabled and disabled modules, run:
./filebeat modules list
Set up the initial environment:
./filebeat setup -e
setupcommand loads the recommended index template for writing to Elasticsearch and deploys the sample dashboards for visualizing the data in Kibana. This is a one-time setup step.
-eflag is optional and sends output to standard error instead of syslog.
If the module is configured correctly, you’ll see
INFO Harvester startedmessages for each file specified in the config.
If your logs aren’t in the default location, see Configure the module, then run Filebeat after you’ve configured the module.
Depending on how you’ve installed Filebeat, you might see errors related to file ownership or permissions when you try to run Filebeat modules. See Config File Ownership and Permissions in the Beats Platform Reference if you encounter errors related to file ownership or permissions.
Explore your data in Kibana:
Open your browser and navigate to the Dashboard overview in Kibana:
localhostwith the name of the Kibana host.
- If security is enabled, log in with the Kibana username and password that you used when you set up security.
Enter auditd in the search box, then open a dashboard and explore the visualizations for your parsed logs.
If you don’t see data in Kibana, try changing the date range to a larger range. By default, Kibana shows the last 15 minutes.
- Open your browser and navigate to the Dashboard overview in Kibana: http://localhost:5601/app/kibana#/dashboards. Replace
This module comes with a sample dashboard showing an overview of the audit log data. You can build more specific dashboards that are tailored to the audit rules that you use on your systems.
You can further refine the behavior of the
auditd module by specifying
variable settings in the
modules.d/auditd.yml file, or overriding settings at the command line.
The following example shows how to set paths in the
file to override the default paths for logs:
- module: auditd log: enabled: true var.paths: ["/path/to/log/audit/audit.log*"]
To specify the same settings at the command line, you use:
./filebeat --modules auditd -M "auditd.log.var.paths=[/path/to/log/audit/audit.log*]"
auditd module provides the following settings for configuring the
behavior of the module. Each fileset has separate settings.
If you don’t specify variable settings, the
auditd module uses the
When you specify a setting at the command line, remember to prefix the
setting with the module name, for example,
- An array of paths that specify where to look for the log files. If left empty, Filebeat will choose the paths depending on your operating systems.
For a description of each field in the module, see the exported fields section.