WARNING: Version 6.0 of Auditbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Step 2: Configure Auditbeat
To configure Auditbeat, you edit the configuration file. For rpm and deb, you’ll find the configuration file at /etc/auditbeat/auditbeat.yml. For mac and win, look in the archive that you just extracted. There’s also a full example configuration file called auditbeat.reference.yml that shows all non-deprecated options.
See the Config File Format section of the Beats Platform Reference for more about the structure of the config file.
To configure Auditbeat:
- Define the Auditbeat modules that you want to enable. Auditbeat uses modules to collect the audit information. For each module, specify the metricsets that you want to collect.
  The following example shows the file metricset configured to generate events whenever a file in one of the specified paths changes on disk:
    auditbeat.modules:
    - module: audit
      metricsets: [file]
      file.paths:
      - /bin
      - /usr/bin
      - /sbin
      - /usr/sbin
      - /etc
  If you accept the default configuration without specifying additional modules, Auditbeat uses a configuration that’s tailored to the operating system where Auditbeat is running.
  See Configuring Auditbeat for more details about configuring modules.
- If you are sending output to Elasticsearch (and not using Logstash), set the IP address and port where Auditbeat can find the Elasticsearch installation:
    output.elasticsearch:
      hosts: ["127.0.0.1:9200"]
  If you are sending output to Logstash, make sure you Configure the Logstash output instead.
- If you plan to use the sample Kibana dashboards provided with Auditbeat, configure the Kibana endpoint:
    setup.kibana:
      host: "localhost:5601"
  Where host is the hostname and port of the machine where Kibana is running, for example, localhost:5601. If you specify a path after the port number, you need to include the scheme and port: http://localhost:5601/path.
- If you’ve secured Elasticsearch and Kibana, you need to specify credentials in the config file before you run the commands that set up and start Auditbeat. For example:
    output.elasticsearch:
      hosts: ["myEShost:9200"]
      username: "elastic"
      password: "elastic"
    setup.kibana:
      host: "mykibanahost:5601"
      username: "elastic"
      password: "elastic"
  The username and password settings for Kibana are optional. If you don’t specify credentials for Kibana, Auditbeat uses the username and password specified for the Elasticsearch output. Also see the security-related options described in Set up the Kibana endpoint and Configure the Elasticsearch output.
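As an added example (not part of the Auditbeat documentation or the Beats code base), the following Python script applies the rules from the steps above to a configuration before it is deployed: it resolves the effective Kibana credentials using the fallback to the Elasticsearch output, flags a setup.kibana.host that carries a path but no scheme, and checks that file.paths entries are absolute (that last check is an added sanity check, not a rule stated on this page). The configuration is a constructed sample written as JSON, which is also valid YAML and therefore a valid auditbeat.yml body.

```python
import json

# Constructed sample configuration (not from the page). JSON is valid YAML,
# so this text could be pasted into auditbeat.yml as-is.
SAMPLE_CONFIG = """
{
  "auditbeat.modules": [
    {"module": "audit", "metricsets": ["file"],
     "file.paths": ["/bin", "/usr/bin", "/sbin", "/usr/sbin", "/etc", "relative/dir"]}
  ],
  "output.elasticsearch": {"hosts": ["myEShost:9200"],
                           "username": "elastic", "password": "elastic"},
  "setup.kibana": {"host": "mykibanahost:5601/kibana"}
}
"""


def load_config(text):
    """Parse the configuration text into a dict of top-level settings."""
    return json.loads(text)


def effective_kibana_credentials(cfg):
    """Kibana credentials are optional: when absent, Auditbeat reuses the
    username/password configured for the Elasticsearch output."""
    kib = cfg.get("setup.kibana", {})
    es = cfg.get("output.elasticsearch", {})
    return (kib.get("username") or es.get("username"),
            kib.get("password") or es.get("password"))


def lint_config(cfg):
    """Return human-readable findings for the checks described in the steps."""
    findings = []
    host = cfg.get("setup.kibana", {}).get("host", "")
    hostport, _, path = host.partition("/")
    if path and "://" not in host:
        findings.append(f"setup.kibana.host '{host}' has a path but no scheme; "
                        f"use http://{hostport}/{path}")
    for mod in cfg.get("auditbeat.modules", []):
        if mod.get("module") != "audit" or "file" not in mod.get("metricsets", []):
            continue
        for p in mod.get("file.paths", []):
            if not p.startswith("/"):  # assumption: watched paths must be absolute
                findings.append(f"file.paths entry '{p}' is not absolute")
    if not cfg.get("output.elasticsearch", {}).get("hosts"):
        findings.append("output.elasticsearch.hosts is empty")
    return findings


if __name__ == "__main__":
    config = load_config(SAMPLE_CONFIG)
    print("effective Kibana credentials:", effective_kibana_credentials(config))
    for finding in lint_config(config):
        print("finding:", finding)
```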
To test your configuration file, change to the directory where the Auditbeat binary is installed, and run Auditbeat in the foreground with the following options specified: ./auditbeat test config -e. Make sure your config files are in the path expected by Auditbeat (see Directory layout), or use the -c flag to specify the path to the config file.
Before starting auditbeat, you should look at the configuration options in the configuration file. For more information about these options, see Configuring Auditbeat.