- Auditbeat Reference: other versions:
- Auditbeat overview
- Quick start: installation and configuration
- Set up and run
- Upgrade Auditbeat
- Configure
- Modules
- General settings
- Project paths
- Config file reloading
- Output
- Kerberos
- SSL
- Index lifecycle management (ILM)
- Elasticsearch index template
- Kibana endpoint
- Kibana dashboards
- Processors
- Define processors
- add_cloud_metadata
- add_cloudfoundry_metadata
- add_docker_metadata
- add_fields
- add_host_metadata
- add_id
- add_kubernetes_metadata
- add_labels
- add_locale
- add_network_direction
- add_nomad_metadata
- add_observer_metadata
- add_process_metadata
- add_session_metadata
- add_tags
- append
- community_id
- convert
- copy_fields
- decode_base64_field
- decode_duration
- decode_json_fields
- decode_xml
- decode_xml_wineventlog
- decompress_gzip_field
- detect_mime_type
- dissect
- dns
- drop_event
- drop_fields
- extract_array
- fingerprint
- include_fields
- move_fields
- rate_limit
- registered_domain
- rename
- replace
- syslog
- translate_ldap_attribute
- translate_sid
- truncate_fields
- urldecode
- Internal queue
- Logging
- HTTP endpoint
- Regular expression support
- Instrumentation
- Feature flags
- auditbeat.reference.yml
- How to guides
- Modules
- Exported fields
- Monitor
- Secure
- Troubleshoot
- Get Help
- Debug
- Understand logged metrics
- Common problems
- Auditbeat fails to watch folders because too many files are open
- Auditbeat uses too much bandwidth
- Error loading config file
- Found unexpected or unknown characters
- Logstash connection doesn’t work
- Publishing to Logstash fails with "connection reset by peer" message
- @metadata is missing in Logstash
- Not sure whether to use Logstash or Beats
- SSL client fails to connect to Logstash
- Monitoring UI shows fewer Beats than expected
- Dashboard could not locate the index-pattern
- High RSS memory usage due to MADV settings
- Contribute to Beats
Run Auditbeat on Docker
editRun Auditbeat on Docker
editDocker images for Auditbeat are available from the Elastic Docker registry. The base image is centos:7.
A list of all published Docker images and tags is available at www.docker.elastic.co.
These images are free to use under the Elastic license. They contain open source and free commercial features and access to paid commercial features. Start a 30-day trial to try out all of the paid commercial features. See the Subscriptions page for information about Elastic license levels.
Pull the image
editObtaining Auditbeat for Docker is as simple as issuing a docker pull
command
against the Elastic Docker registry.
docker pull docker.elastic.co/beats/auditbeat:8.17.0
Alternatively, you can download other Docker images that contain only features available under the Apache 2.0 license. To download the images, go to www.docker.elastic.co.
As another option, you can use the hardened Wolfi image. Using Wolfi images requires Docker version 20.10.10 or higher. For details about why the Wolfi images have been introduced, refer to our article Reducing CVEs in Elastic container images.
docker pull docker.elastic.co/beats/auditbeat-wolfi:8.17.0
Optional: Verify the image
editYou can use the Cosign application to verify the Auditbeat Docker image signature.
wget https://artifacts.elastic.co/cosign.pub cosign verify --key cosign.pub docker.elastic.co/beats/auditbeat:8.17.0
The cosign
command prints the check results and the signature payload in JSON format:
Verification for docker.elastic.co/beats/auditbeat:8.17.0 -- The following checks were performed on each of these signatures: - The cosign claims were validated - Existence of the claims in the transparency log was verified offline - The signatures were verified against the specified public key
Run the Auditbeat setup
editA known issue in version 8.17.0 prevents Beats Docker images from starting when no options are provided. When running an image on that version, add an --environment container
parameter to avoid the problem. This is planned to be addressed in issue #42060.
Running Auditbeat with the setup command will create the index pattern and load visualizations , dashboards, and machine learning jobs. Run this command:
docker run --rm \ --cap-add="AUDIT_CONTROL" \ --cap-add="AUDIT_READ" \ docker.elastic.co/beats/auditbeat:8.17.0 \ setup -E setup.kibana.host=kibana:5601 \ -E output.elasticsearch.hosts=["elasticsearch:9200"]
Substitute your Kibana and Elasticsearch hosts and ports. |
|
If you are using the hosted Elasticsearch Service in Elastic Cloud, replace
the |
-E cloud.id=<Cloud ID from Elasticsearch Service> \ -E cloud.auth=elastic:<elastic password>
Run Auditbeat on a read-only file system
editIf you’d like to run Auditbeat in a Docker container on a read-only file
system, you can do so by specifying the --read-only
option.
Auditbeat requires a stateful directory to store application data, so
with the --read-only
option you also need to use the --mount
option to
specify a path to where that data can be stored.
For example:
docker run --rm \ --mount type=bind,source=$(pwd)/data,destination=/usr/share/auditbeat/data \ --read-only \ docker.elastic.co/beats/auditbeat:8.17.0
Configure Auditbeat on Docker
editThe Docker image provides several methods for configuring Auditbeat. The conventional approach is to provide a configuration file via a volume mount, but it’s also possible to create a custom image with your configuration included.
Example configuration file
editDownload this example configuration file as a starting point:
curl -L -O https://raw.githubusercontent.com/elastic/beats/8.17/deploy/docker/auditbeat.docker.yml
Volume-mounted configuration
editOne way to configure Auditbeat on Docker is to provide auditbeat.docker.yml
via a volume mount.
With docker run
, the volume mount can be specified like this.
docker run -d \ --name=auditbeat \ --user=root \ --volume="$(pwd)/auditbeat.docker.yml:/usr/share/auditbeat/auditbeat.yml:ro" \ --cap-add="AUDIT_CONTROL" \ --cap-add="AUDIT_READ" \ --pid=host \ docker.elastic.co/beats/auditbeat:8.17.0 -e \ --strict.perms=false \ -E output.elasticsearch.hosts=["elasticsearch:9200"]
Customize your configuration
editThe auditbeat.docker.yml
downloaded earlier should be customized for your environment. See Configure for more details. Edit the configuration file and customize it to match your environment then re-deploy your Auditbeat container.
Custom image configuration
editIt’s possible to embed your Auditbeat configuration in a custom image. Here is an example Dockerfile to achieve this:
FROM docker.elastic.co/beats/auditbeat:8.17.0 COPY auditbeat.yml /usr/share/auditbeat/auditbeat.yml
Special requirements
editUnder Docker, Auditbeat runs as a non-root user, but requires some privileged
capabilities to operate correctly. Ensure that the AUDIT_CONTROL
and AUDIT_READ
capabilities are available to the container.
It is also essential to run Auditbeat in the host PID namespace.
docker run --cap-add=AUDIT_CONTROL --cap-add=AUDIT_READ --user=root --pid=host docker.elastic.co/beats/auditbeat:8.17.0
On this page
ElasticON events are back!
Learn about the Elastic Search AI Platform from the experts at our live events.
Register now