Have an account? Sign in
Auditbeat is an open source shipping agent that lets you ship audit data to one or more destinations, including Logstash.
curl -L -O https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-oss-7.8.1-amd64.deb sudo dpkg -i auditbeat-oss-7.8.1-amd64.deb
curl -L -O https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-oss-7.8.1-x86_64.rpm sudo rpm -vi auditbeat-oss-7.8.1-x86_64.rpm
curl -L -O https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-oss-7.8.1-darwin-x86_64.tar.gz tar xzvf auditbeat-oss-7.8.1-darwin-x86_64.tar.gz
- Download the auditbeat Windows zip file from the official downloads page.
- Extract the contents of the zip file into C:\Program Files.
- Rename the
- Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator). If you are running Windows XP, you may need to download and install PowerShell.
- Run the following commands to install auditbeat as a Windows service:
cd 'C:\Program Files\auditbeat' .\install-service-auditbeat.ps1
PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-auditbeat.ps1.
Locate and open the auditbeat configuration file:
- deb/rpm (Debian/Ubuntu/Mint/CentOS/RHEL/Fedora):
By default, the
file_integrity module will be enabled. This module watches for file changes such as when a file is created, updated or deleted.
When a change is detected, auditbeat will send events containing metadata to one or more configured output sources (e.g. Logstash).
The module can be configured in
auditbeat.yml by adding or removing path addresses. Auditbeat will watch for changes in files relative to these paths.
We'll be shipping to Logstash so that we have the option to run filters before the data is indexed.
Comment out the elasticsearch output block.
## Comment out elasticsearch output #output.elasticsearch: # hosts: ["localhost:9200"]
Uncomment and change the logstash output to match below.
output.logstash: hosts: ["your-logstash-host:your-ssl-port"] loadbalance: true ssl.enabled: true
Let's check the configuration file is syntactically correct by running auditbeat directly inside the terminal.
If the file is invalid, auditbeat will print an
error loading config file error message with details on how to correct the problem.
sudo auditbeat -e -c /etc/auditbeat/auditbeat.yml
cd <EXTRACTED_ARCHIVE> ./auditbeat -e -c auditbeat.yml
cd <EXTRACTED_ARCHIVE> .\auditbeat.exe -e -c auditbeat.yml
If we now start the Auditbeat service, any audited changes will be shipped to your hosted Logstash instance.
sudo systemctl enable auditbeat sudo systemctl start auditbeat
Try changing a file located in one of the configured directory paths. You should see a change event in Kibana.
Auditbeat is one of the most recent additions to Elastic Stack’s Beats. It is primarily used to gather audit data on user activity and processes running on your server’s infrastructure. Additionally, Auditbeat can be used to detect crucial and unexpected changes to configuration files & binaries.
This can be key to helping you to identify compliance issues and security violations in your organisation. Once configured, changes to the file are updated in real-time to your output, allowing for optimised visibility of security-related instances. It can be used directly to undertake these processes & gather data without the need to access Linux’s Auditd.
Centralising your Auditbeat event data using a log management system such as Logit.io provides a way of easily managing your ELK Stack overheads in one single platform.
If you need any further assistance with migrating your Auditbeat data to Logstash we're here to help you get started. Feel free to reach out by contacting our support team by visiting our dedicated Help Centre or via live chat & we'll be happy to assist.