Audit Module

edit

The audit module reports security-relevant information based on data captured from the operating system (OS) or services running on the OS. Although this feature doesn’t provide additional security to your system, it does make it easier for you to discover and track security policy violations.

Example configuration

edit

The Audit module supports the common configuration options that are described under configuring Auditbeat. Here is an example configuration:

auditbeat.modules:
- module: audit
  metricsets: [kernel]
  kernel.audit_rules: |
    # Define audit rules here.
    # Create file watches (-w) or syscall audits (-a or -A). For example:
    #-w /etc/passwd -p wa -k identity
    #-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access

- module: audit
  metricsets: [file]
  file.paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc

Metricsets

edit

The following metricsets are available: