WARNING: Version 6.0 of Auditbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Specify which modules to run
To enable specific modules and metricsets, you add entries to the auditbeat.modules list in the auditbeat.yml config file. Each entry in the list begins with a dash (-) and is followed by settings for that module.
The following example shows a configuration that runs the audit module with the kernel and file metricsets enabled:
```yaml
auditbeat.modules:

- module: audit
  metricsets: [kernel]
  kernel.audit_rules: |
    -w /etc/passwd -p wa -k identity
    -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access

- module: audit
  metricsets: [file]
  file.paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
```
The configuration details vary by module. See the module documentation for more detail about configuring the available modules and metricsets.
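The following variant of the kernel metricset entry is an added example, not part of the original documentation. The access rule shown above matches only 32-bit system calls (arch=b32) that fail with EPERM, so on a 64-bit host it misses denied opens made by 64-bit processes and denials reported as EACCES. The x86_64 host is an assumption; the rule syntax is the same auditctl-style syntax used in the example above.

```yaml
auditbeat.modules:

- module: audit
  metricsets: [kernel]
  kernel.audit_rules: |
    # Same watch as the page's example: writes and attribute changes to /etc/passwd.
    -w /etc/passwd -p wa -k identity

    # Failed file access by 32-bit processes, for both "operation not
    # permitted" (EPERM) and "permission denied" (EACCES).
    -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
    -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access

    # The same two rules for 64-bit processes (assumes an x86_64 host).
    # Without these, only the 32-bit syscall table is audited.
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
```

All four access rules share the key `access`, so events from either architecture and either error code can be filtered together.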