Auditbeat

A log shipper designed for audit data

Auditbeat is an open source shipping agent that lets you ship audit data to one or more destinations, including Logstash.


Install Auditbeat

To get started, first follow the steps below:

Older versions can be found here: auditbeat 7, auditbeat 6, auditbeat 5

Configure Modules

  • deb/rpm (Debian/Ubuntu/Mint/CentOS/RHEL/Fedora): /etc/auditbeat/auditbeat.yml

By default, the file_integrity module is enabled. This module watches for file changes such as a file being created, updated or deleted. When a change is detected, Auditbeat sends an event containing the file's metadata to one or more configured outputs (e.g. Logstash).

The module is configured in auditbeat.yml by adding or removing entries under its paths setting. Auditbeat watches for changes to files under each of these paths.

There is also a full example configuration file called auditbeat.reference.yml that shows all the possible options.

Configure output

We'll be shipping to Logstash so that we have the option to run filters before the data is indexed.
Comment out the elasticsearch output block.

## Comment out elasticsearch output
#output.elasticsearch:
#  hosts: ["localhost:9200"]
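The following auditbeat.yml fragment is an added example that is not part of the Logit.io page or of the Auditbeat project's own configuration. It puts the two steps above together: the file_integrity module with an explicit list of watched paths, and the Elasticsearch output commented out in favour of a Logstash output. The Logstash host name, port and certificate path are placeholders that assume a Logstash Beats input listening with TLS; the watched paths are a common baseline of system binaries and configuration directories and should be adjusted to the host.

```yaml
# /etc/auditbeat/auditbeat.yml on deb/rpm installs (added example, not the shipped default file)
auditbeat.modules:
- module: file_integrity
  # Directories whose files should be monitored for create/update/delete.
  # Baseline choice for a Linux host; extend with application config paths as needed.
  paths:
    - /bin
    - /usr/bin
    - /sbin
    - /usr/sbin
    - /etc
  # Regular expressions for files to ignore: editor swap files, backup files, git metadata.
  exclude_files:
    - '(?i)\.sw[nop]$'
    - '~$'
    - '/\.git($|/)'
  # Hash every watched file once at startup so the first event per file carries a baseline hash.
  scan_at_start: true
  scan_rate_per_sec: 50 MiB
  # Files larger than this are reported without a hash.
  max_file_size: 100 MiB
  hash_types: [sha256]
  # Only watch the listed directories themselves, not their subdirectories.
  recursive: false

## Comment out elasticsearch output
#output.elasticsearch:
#  hosts: ["localhost:9200"]

output.logstash:
  # Placeholder host and port (assumption): replace with the Logstash endpoint for your stack.
  hosts: ["logstash.example.invalid:5044"]
  # Placeholder CA path (assumption): the CA that signed the Logstash Beats input's certificate.
  ssl.certificate_authorities: ["/etc/auditbeat/certs/ca.crt"]
```

Keeping hash_types limited to sha256 and recursive set to false keeps the initial scan cheap; enabling recursive on /etc is reasonable, but doing so on large trees such as /usr/lib should be paired with exclude_files patterns so that package upgrades do not flood the output.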

Validate Configuration

In the directory where Auditbeat is installed, run the following command to validate the configuration file (Windows syntax shown; on deb/rpm installs run auditbeat test config -c /etc/auditbeat/auditbeat.yml):
.\auditbeat.exe test config -c auditbeat.yml

If the YAML file is invalid, auditbeat prints a description of the error. For example, if the output.logstash section were missing, auditbeat would print: no outputs are defined, please define one under the output section

Start Auditbeat

Start or restart Auditbeat to apply the configuration changes.

Check Logit.io for your logs

Data should now have been sent to your Stack.


If you don't see data, take a look at How to diagnose no data in Stack below for how to diagnose common issues.

How to diagnose no data in Stack

If you don't see data appearing in your stack after following this integration, take a look at the troubleshooting guide for steps to diagnose and resolve the problem or contact our support team and we'll be happy to assist.

Auditbeat Logging Overview

Auditbeat is one of the most recent additions to Elastic Stack's Beats. It is primarily used to gather audit data on user activity and processes running on your server's infrastructure. Additionally, Auditbeat can be used to detect crucial and unexpected changes to configuration files & binaries.

This can be key to helping you identify compliance issues and security violations in your organisation. Once configured, each change to a watched file is sent to your output as it happens, giving you prompt visibility of security-relevant file activity. It can be used directly to gather this data without needing to configure Linux's auditd.

Centralising your Auditbeat event data using a log management system such as Logit.io provides a way of easily managing your ELK Stack overheads in one single platform.

If you need any further assistance with migrating your Auditbeat data to Logstash we're here to help you get started. Feel free to reach out by contacting our support team via live chat & we'll be happy to assist.