Auditbeat quick start: installation and configuration

edit

Auditbeat quick start: installation and configuration

edit

This guide describes how to get started quickly with audit data collection. You’ll learn how to:

  • install Auditbeat on each system you want to monitor
  • specify the location of your audit data
  • parse log data into fields and send it to Elasticsearch
  • visualize the log data in Kibana
Auditbeat Auditd dashboard

Before you begin

edit

You need Elasticsearch for storing and searching your data, and Kibana for visualizing and managing it.

To get started quickly, spin up a deployment of our hosted Elasticsearch Service. The Elasticsearch Service is available on AWS, GCP, and Azure. Try it out for free.

Step 1: Install Auditbeat

edit

Install Auditbeat on all the servers you want to monitor.

To download and install Auditbeat, use the commands that work with your system:

curl -L -O https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-8.17.0-amd64.deb
sudo dpkg -i auditbeat-8.17.0-amd64.deb

The commands shown are for AMD platforms, but ARM packages are also available. Refer to the download page for the full list of available packages.

Other installation options

edit

Step 2: Connect to the Elastic Stack

edit

Connections to Elasticsearch and Kibana are required to set up Auditbeat.

Set the connection information in auditbeat.yml. To locate this configuration file, see Directory layout.

Specify the cloud.id of your Elasticsearch Service, and set cloud.auth to a user who is authorized to set up Auditbeat. For example:

cloud.id: "staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=="
cloud.auth: "auditbeat_setup:YOUR_PASSWORD" 

This examples shows a hard-coded password, but you should store sensitive values in the secrets keystore.

To learn more about required roles and privileges, see Grant users access to secured resources.

You can send data to other outputs, such as Logstash, but that requires additional configuration and setup.

Step 3: Configure data collection modules

edit

Auditbeat uses modules to collect audit information.

By default, Auditbeat uses a configuration that’s tailored to the operating system where Auditbeat is running.

To use a different configuration, change the module settings in auditbeat.yml.

The following example shows the file_integrity module configured to generate events whenever a file in one of the specified paths changes on disk:

auditbeat.modules:

- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc

To test your configuration file, change to the directory where the Auditbeat binary is installed, and run Auditbeat in the foreground with the following options specified: ./auditbeat test config -e. Make sure your config files are in the path expected by Auditbeat (see Directory layout), or use the -c flag to specify the path to the config file.

For more information about configuring Auditbeat, also see:

Step 4: Set up assets

edit

Auditbeat comes with predefined assets for parsing, indexing, and visualizing your data. To load these assets:

  1. Make sure the user specified in auditbeat.yml is authorized to set up Auditbeat.
  2. From the installation directory, run:

    auditbeat setup -e

    -e is optional and sends output to standard error instead of the configured log output.

This step loads the recommended index template for writing to Elasticsearch and deploys the sample dashboards for visualizing the data in Kibana.

A connection to Elasticsearch (or Elasticsearch Service) is required to set up the initial environment. If you’re using a different output, such as Logstash, see Load the index template manually and Load Kibana dashboards.

Step 5: Start Auditbeat

edit

Before starting Auditbeat, modify the user credentials in auditbeat.yml and specify a user who is authorized to publish events.

To start Auditbeat, run:

sudo service auditbeat start

If you use an init.d script to start Auditbeat, you can’t specify command line flags (see Command reference). To specify flags, start Auditbeat in the foreground.

Also see Auditbeat and systemd.

Auditbeat should begin streaming events to Elasticsearch.

If you see a warning about too many open files, you need to increase the ulimit. See the FAQ for more details.

Step 6: View your data in Kibana

edit

To make it easier for you to start auditing the activities of users and processes on your system, Auditbeat comes with pre-built Kibana dashboards and UIs for visualizing your data.

To open the dashboards:

  1. Launch Kibana:

    1. Log in to your Elastic Cloud account.
    2. Navigate to the Kibana endpoint in your deployment.
  2. In the side navigation, click Discover. To see Auditbeat data, make sure the predefined auditbeat-* data view is selected.

    If you don’t see data in Kibana, try changing the time filter to a larger range. By default, Kibana shows the last 15 minutes.

  3. In the side navigation, click Dashboard, then select the dashboard that you want to open.

The dashboards are provided as examples. We recommend that you customize them to meet your needs.

What’s next?

edit

Now that you have audit data streaming into Elasticsearch, learn how to unify your logs, metrics, uptime, and application performance data.

  1. Ingest data from other sources by installing and configuring other Elastic Beats:

    Elastic Beats To capture

    Metricbeat

    Infrastructure metrics

    Filebeat

    Logs

    Winlogbeat

    Windows event logs

    Heartbeat

    Uptime information

    APM

    Application performance metrics

  2. Use the Observability apps in Kibana to search across all your data:

    Elastic apps Use to

    Metrics app

    Explore metrics about systems and services across your ecosystem

    Logs app

    Tail related log data in real time

    Uptime app

    Monitor availability issues across your apps and services

    APM app

    Monitor application performance

    SIEM app

    Analyze security events