Auditbeat
A log shipper designed for audit data.
Auditbeat is an open source shipping agent that lets you ship audit data to one or more destinations, including Logstash.
Follow this step by step guide to get 'logs' from your system to Logit.io:
Step 1 - Install Auditbeat
To get started, first follow the steps below:
- Install auditbeat
- Root access
- Verify the required port is open
Older versions can be found here: auditbeat 7, auditbeat 6, auditbeat 5.
Step 2 - Configure Modules
Locate and open the auditbeat configuration file:
- deb/rpm (Debian/Ubuntu/Mint/CentOS/RHEL/Fedora):
/etc/auditbeat/auditbeat.yml
- Windows:
C:\Program Files\auditbeat\auditbeat.yml
- Mac:
<EXTRACTED_ARCHIVE>/auditbeat.yml
By default, the file_integrity module will be enabled. This module watches for file changes such as when a file is created, updated or deleted.
When a change is detected, auditbeat will send events containing metadata to one or more configured output sources (e.g. Logstash).
The module can be configured in auditbeat.yml by adding or removing paths. Auditbeat will watch for changes to files under these paths.
Step 3 - Configure output
We'll be shipping to Logstash so that we have the option to run filters before the data is indexed.
Comment out the elasticsearch output block.
## Comment out elasticsearch output
#output.elasticsearch:
# hosts: ["localhost:9200"]
Step 4 - Validate configuration
DEB/RPM
sudo auditbeat -e -c /etc/auditbeat/auditbeat.yml
macOS
sudo ./auditbeat -e -c auditbeat.yml --strict.perms=false
You’ll be running auditbeat as root, so you need to change ownership of the configuration file and any configurations enabled in the modules.d directory, or run auditbeat with --strict.perms=false as shown above. Read more about how to change ownership.
Windows
cd <EXTRACTED_ARCHIVE>
.\auditbeat.exe -e -c auditbeat.yml
Linux
sudo ./auditbeat -e -c auditbeat.yml --strict.perms=false
You’ll be running auditbeat as root, so you need to change ownership of the configuration file and any configurations enabled in the modules.d directory, or run auditbeat with --strict.perms=false as shown above. Read more about how to change ownership.
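The ownership requirement above can be checked before starting auditbeat, so the strict permission check can stay enabled. The following is an added example, not code from Elastic or Logit.io; the function names check_beat_config and check_beat_tree are hypothetical. It assumes the Beats rule that a config file must be owned by the user running the Beat (or root) and must not be writable by group or others.

```shell
#!/bin/sh
# Added example: report config files that would fail the Beats strict
# permission check, instead of running with --strict.perms=false.
# Usage after sourcing: check_beat_tree /etc/auditbeat/auditbeat.yml 0

# check_beat_config FILE [RUN_UID]
# Returns 0 when FILE is owned by RUN_UID (default 0, root) or by root,
# and is not writable by group or others. Returns 2 if FILE is missing.
check_beat_config() {
    file=$1
    run_uid=${2:-0}
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }

    # find -user accepts a numeric uid; -prune keeps find on this one path.
    owned=$(find "$file" -prune \( -user "$run_uid" -o -user 0 \) -print)
    if [ -z "$owned" ]; then
        echo "bad owner: $file (fix: chown $run_uid $file)" >&2
        return 1
    fi

    # -perm -020 / -002 match when the group or other write bit is set.
    loose=$(find "$file" -prune \( -perm -020 -o -perm -002 \) -print)
    if [ -n "$loose" ]; then
        echo "group/other writable: $file (fix: chmod go-w $file)" >&2
        return 1
    fi
    return 0
}

# check_beat_tree CONFIG [RUN_UID]
# Checks the main config plus every enabled module file (modules.d/*.yml)
# in the same directory. Returns 1 if any file fails.
check_beat_tree() {
    cfg=$1
    tree_uid=${2:-0}
    rc=0
    check_beat_config "$cfg" "$tree_uid" || rc=1
    for m in "$(dirname "$cfg")"/modules.d/*.yml; do
        [ -e "$m" ] || continue   # glob matched nothing
        check_beat_config "$m" "$tree_uid" || rc=1
    done
    return $rc
}
```

If every file passes, the validation commands above can be run without --strict.perms=false.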
Step 5 - Start auditbeat
Start or restart auditbeat to apply the configuration changes.
Step 6 - Check Logit.io for your logs
Data should now have been sent to your Stack.
If you don't see logs, see How to diagnose no data in Stack below for help with common issues.
Step 7 - How to diagnose no data in Stack
If you don't see data appearing in your Stack after following the steps, visit the Help Centre guide for steps to diagnose no data appearing in your Stack or Chat to support now.
Step 8 - Auditbeat Logging Overview
Auditbeat is one of the most recent additions to Elastic Stack’s Beats. It is primarily used to gather audit data on user activity and processes running on your server infrastructure. Additionally, Auditbeat can be used to detect crucial and unexpected changes to configuration files and binaries.
This can be key to helping you identify compliance issues and security violations in your organisation. Once configured, changes to watched files are sent to your output in real time, giving you better visibility of security-related events. Auditbeat gathers this data directly, without the need to access Linux’s Auditd.
Centralising your Auditbeat event data using a log management system such as Logit.io provides a way of easily managing your ELK Stack overheads in one single platform.
If you need any further assistance with migrating your Auditbeat data to Logstash we're here to help you get started. Feel free to reach out by contacting our support team by visiting our dedicated Help Centre or via live chat & we'll be happy to assist.