Get a DemoStart Free TrialSign In

Auditd

Collect and ship Auditd logs to Logstash and Elasticsearch.

Filebeat is a lightweight shipper that enables you to send your Auditd application logs to Logstash and Elasticsearch. Configure Filebeat using the pre-defined examples below to start sending and analysing your Auditd application logs.

Send Your DataLogsApplicationsAuditd Guide

Follow this step by step guide to get 'logs' from your system to Logit.io:

Step 1 - Install Filebeat

To get started you will need to install filebeat. To do this you have two main options:

  • Choose the AMD / Intel file (x86_64) or
  • Choose the ARM file (arm64)

You can tell if you have a Linux PC with an AMD / Intel CPU (kernel) architecture by opening a terminal and running the uname -m command. If it displays x86_64 you have AMD / Intel architecture.

To successfully install filebeat you will need to have root access.

If you have an x86_64 system download and extract the contents of the file using the following commands:

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-linux-x86_64.tar.gz
tar xzvf filebeat-8.12.2-linux-x86_64.tar.gz

If you have an arm64 system download and extract the contents of the file using the following commands:

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-linux-arm64.tar.gz
tar xzvf filebeat-8.12.2-linux-arm64.tar.gz

To get started you will need to install filebeat. To do this you have two main options:

  • Choose the AMD / Intel file (x86_64) or
  • Choose the ARM file (aarch64)

You can tell if you have a Mac with an ARM CPU architecture by opening the Terminal application and running the arch command. If it displays arm64 you have ARM architecture.

To successfully install filebeat you will need to have root access.

If you have an x86_64 system download and extract the contents of the file using the following commands:

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-darwin-x86_64.tar.gz
tar xzvf filebeat-8.12.2-darwin-x86_64.tar.gz

If you have an aarch64 system download and extract the contents of the file using the following commands:

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-darwin-aarch64.tar.gz
tar xzvf filebeat-8.12.2-darwin-aarch64.tar.gz

To get started you will need to install filebeat. To do this you have two main options:

  • Choose the AMD / Intel file (x86_64) or
  • Choose the ARM file (aarch64)

You can tell if you have a PC with an ARM CPU architecture by opening the Terminal application and running the arch command. If it displays arm64 you have ARM architecture.

To successfully install filebeat you will need to have root access.

If you have an x86_64 system download and install filebeat using the following commands:

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-amd64.deb
sudo dpkg -i filebeat-8.12.2-amd64.deb

If you have an aarch64 system download and install filebeat using the following commands:

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-arm64.deb
sudo dpkg -i filebeat-8.12.2-arm64.deb

To get started you will need to install filebeat. To do this you have two main options:

  • Choose the AMD / Intel file (x86_64) or
  • Choose the ARM file (aarch64)

You can tell if you have a PC with an ARM CPU architecture by opening the Terminal application and running the arch command. If it displays arm64 you have ARM architecture.

To successfully install filebeat you will need to have root access.

If you have an x86_64 system download and install filebeat using the following commands:

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-x86_64.rpm
sudo rpm -vi filebeat-8.12.2-x86_64.rpm

If you have an aarch64 system download and install filebeat using the following commands:

curl -L -O https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-8.12.2-aarch64.rpm
sudo rpm -vi filebeat-8.12.2-aarch64.rpm

Step 2 - Enable the Auditd module

There are several built in filebeat modules you can use. You will need to enable the auditd module:

sudo filebeat modules list
sudo filebeat modules enable auditd

In the module config under modules.d, change the module settings to match your environment. You must enable at least one fileset in the module.

Filesets are disabled by default.

Copy the snippet below and replace the contents of the auditd.yml module file:

# Module: auditd
# Docs: https://www.elastic.co/guide/en/beats/filebeat/8.12/filebeat-module-auditd.html

- module: auditd
  log:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

There are several built in filebeat modules you can use. You will need to enable the auditd module:

./filebeat modules list
./filebeat modules enable auditd

In the module config under modules.d, change the module settings to match your environment. You must enable at least one fileset in the module.

Filesets are disabled by default.

Copy the snippet below and replace the contents of the auditd.yml module file:

# Module: auditd
# Docs: https://www.elastic.co/guide/en/beats/filebeat/8.12/filebeat-module-auditd.html

- module: auditd
  log:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

There are several built in filebeat modules you can use. You will need to enable the auditd module:

sudo filebeat modules list
sudo filebeat modules enable auditd

In the module config under modules.d, change the module settings to match your environment. You must enable at least one fileset in the module.

Filesets are disabled by default.

Copy the snippet below and replace the contents of the auditd.yml module file:

# Module: auditd
# Docs: https://www.elastic.co/guide/en/beats/filebeat/8.12/filebeat-module-auditd.html

- module: auditd
  log:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

There are several built in filebeat modules you can use. You will need to enable the auditd module:

sudo filebeat modules list
sudo filebeat modules enable auditd

In the module config under modules.d, change the module settings to match your environment. You must enable at least one fileset in the module.

Filesets are disabled by default.

Copy the snippet below and replace the contents of the auditd.yml module file:

# Module: auditd
# Docs: https://www.elastic.co/guide/en/beats/filebeat/8.12/filebeat-module-auditd.html

- module: auditd
  log:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

Step 3 - Update your configuration file

The configuration file below is pre-configured to send data to your Logit.io Stack via Logstash.

Copy the configuration file below and overwrite the contents of filebeat.yml.

# ============================== Filebeat modules ==============================
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
  #reload.period: 10s

# ================================== Outputs ===================================
# ------------------------------ Logstash Output -------------------------------
output.logstash:
    hosts: ["your-logstash-host:your-ssl-port"]
    loadbalance: true
    ssl.enabled: true

# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

If you’re running Filebeat 7 add this code block to the end. Otherwise, you can leave it out.

# ... For Filebeat 7 only ...
filebeat.registry.path: /var/lib/filebeat

If you’re running Filebeat 6 add this code block to the end. Otherwise, you can leave it out.

# ... For Filebeat 6 only ...
registry_file: /var/lib/filebeat/registry

Validate your YAML

It’s a good idea to run the configuration file through a YAML validator to rule out indentation errors, clean up extra characters, and check if your YAML file is valid. Yamllint.com is a great choice.

Step 4 - Validate configuration

sudo ./filebeat -e -c filebeat.yml --strict.perms=false

You’ll be running filebeat as root, so you need to change ownership of the configuration file and any configurations enabled in the modules.d directory, or run filebeat with --strict.perms=false as shown above. Read more about how to change ownership.

If the yml file is invalid, filebeat will print an `error loading config file` error message with details on how to correct the problem. If you have issues starting filebeat see "How To Diagnose No Data In Stack" below to troubleshoot. 
sudo ./filebeat -e -c filebeat.yml --strict.perms=false

You’ll be running filebeat as root, so you need to change ownership of the configuration file and any configurations enabled in the modules.d directory, or run filebeat with --strict.perms=false as shown above. Read more about how to change ownership.

If the yml file is invalid, filebeat will print an `error loading config file` error message with details on how to correct the problem. If you have issues starting filebeat see "How To Diagnose No Data In Stack" below to troubleshoot. 
sudo filebeat -e -c /etc/filebeat/filebeat.yml
If the yml file is invalid, filebeat will print an `error loading config file` error message with details on how to correct the problem. If you have issues starting filebeat see "How To Diagnose No Data In Stack" below to troubleshoot. 
sudo filebeat -e -c /etc/filebeat/filebeat.yml
If the yml file is invalid, filebeat will print an `error loading config file` error message with details on how to correct the problem. If you have issues starting filebeat see "How To Diagnose No Data In Stack" below to troubleshoot.

Step 5 - Start filebeat

To start Filebeat, run:

sudo chown root filebeat.yml 
sudo chown root modules.d/auditd.yml 
sudo ./filebeat -e

You’ll be running filebeat as root, so you need to change ownership of the configuration file and any configurations enabled in the modules.d directory, or run filebeat with --strict.perms=false as shown above. Read more about how to change ownership.

To start Filebeat, run:

sudo chown root filebeat.yml 
sudo chown root modules.d/auditd.yml 
sudo ./filebeat -e

You’ll be running filebeat as root, so you need to change ownership of the configuration file and any configurations enabled in the modules.d directory, or run filebeat with --strict.perms=false as shown above. Read more about how to change ownership.

To start Filebeat, run:

sudo service filebeat start

To start Filebeat, run:

sudo service filebeat start

Step 6 - Check Logit.io for your logs

Data should now have been sent to your Stack.

View my data

If you don't see logs take a look at How to diagnose no data in Stack below for how to diagnose common issues.

Step 7 - how to diagnose no data in Stack

If you don't see data appearing in your Stack after following the steps, visit the Help Centre guide for steps to diagnose no data appearing in your Stack or Chat to support now.

Step 8 - Auditd dashboard

The Auditd module comes with predefined Kibana dashboards. To view your dashboards for any of your Logit.io stacks, launch Logs and choose Dashboards.

Predefined kibana dashboard screenshot

Step 9 - Auditd Overview

Empower your log management with Filebeat, a nimble shipper designed to facilitate the seamless transmission of your Auditd application logs to both Logstash and Elasticsearch. Employ the pre-defined examples provided below to effortlessly configure Filebeat, kickstarting the process of sending and analyzing your Auditd application logs.

Return to Search
Sign Up

© 2024 Logit.io Ltd, All rights reserved.