Auditd
Collect and ship Auditd logs to Logstash and Elasticsearch.
Filebeat is a lightweight shipper that enables you to send your Auditd application logs to Logstash and Elasticsearch. Configure Filebeat using the pre-defined examples below to start sending and analysing your Auditd application logs.
Follow this step by step guide to get 'logs' from your system to Logit.io:
Step 2 - Enable the Auditd Module
There are several built in filebeat modules you can use. To enable the Auditd module run.
deb/rpm
sudo filebeat modules list
sudo filebeat modules enable auditd
Additional module configuration can be done using the per module config files located in the modules.d folder, most commonly this would be to read logs from a non-default location
deb/rpm /etc/filebeat/modules.d/
Step 3 - Update your configuration file
The configuration file below is pre-configured to send data to your Logit.io Stack via Logstash.
Copy the configuration file below and overwrite the contents of filebeat.yml.
# ============================== Filebeat modules ==============================
filebeat.config.modules:
path: ${path.config}/modules.d/*.yml
reload.enabled: false
#reload.period: 10s
# ================================== Outputs ===================================
# ------------------------------ Logstash Output -------------------------------
output.logstash:
hosts: ["your-logstash-host:your-ssl-port"]
loadbalance: true
ssl.enabled: true
# ================================= Processors =================================
processors:
- add_host_metadata:
when.not.contains.tags: forwarded
- add_cloud_metadata: ~
- add_docker_metadata: ~
- add_kubernetes_metadata: ~
If you’re running Filebeat 7 add this code block to the end. Otherwise, you can leave it out.
# ... For Filebeat 7 only ...
filebeat.registry.path: /var/lib/filebeat
If you’re running Filebeat 6 add this code block to the end. Otherwise, you can leave it out.
# ... For Filebeat 6 only ...
registry_file: /var/lib/filebeat/registry
Validate your YAML
It’s a good idea to run the configuration file through a YAML validator to rule out indentation errors, clean up extra characters, and check if your YAML file is valid. Yamllint.com is a great choice.
Step 4 - Validate configuration
If you have issues starting in the next step, you can use these commands below to troubleshoot.
Let's check the configuration file is syntactically correct by running directly inside the terminal.
If the file is invalid, will print an error loading config file error message with details on how to correct the problem.
deb/rpm
sudo -e -c /etc//.yml
macOS
cd <EXTRACTED_ARCHIVE>
sudo ./ -e -c .yml
Windows
cd <EXTRACTED_ARCHIVE>
.\.exe -e -c .yml
Step 5 - Start filebeat
Start or restart to apply the configuration changes.
Step 6 - Check Logit.io for your logs
Now you should view your data:
If you don't see logs take a look at How to diagnose no data in Stack below for how to diagnose common issues.
Step 7 - how to diagnose no data in Stack
If you don't see data appearing in your Stack after following the steps, visit the Help Centre guide for steps to diagnose no data appearing in your Stack or Chat to support now.
Step 8 - Auditd dashboard
The Auditd module comes with predefined Kibana dashboards. To view your dashboards for any of your Logit.io stacks, launch Kibana and choose Dashboards.
Step 9 - Auditd Overview
Empower your log management with Filebeat, a nimble shipper designed to facilitate the seamless transmission of your Auditd application logs to both Logstash and Elasticsearch. Employ the pre-defined examples provided below to effortlessly configure Filebeat, kickstarting the process of sending and analyzing your Auditd application logs.