WARNING: Version 6.0 of Auditbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Audit Module

The audit module reports security-relevant information based on data captured from the operating system (OS) or services running on the OS. Although this feature doesn’t provide additional security to your system, it does make it easier for you to discover and track security policy violations.
Example configuration

The Audit module supports the common configuration options that are described under configuring Auditbeat. Here is an example configuration:
auditbeat.modules:
- module: audit
  metricsets: [kernel]
  kernel.audit_rules: |
    # Define audit rules here.
    # Create file watches (-w) or syscall audits (-a or -A). For example:
    #-w /etc/passwd -p wa -k identity
    #-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access

- module: audit
  metricsets: [file]
  file.paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
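The kernel.audit_rules block is a list of auditctl(8)-style rules, and a typo in a rule (an invalid -p permission letter, an unknown flag, a misspelled filter list) only surfaces when the kernel rejects it at load time. The following added example, which is not Auditbeat code, parses the two rule forms the configuration above shows (file watches with -w and syscall rules with -a/-A) and reports problems before the block is deployed. The sample rules are the commented-out examples from the configuration, uncommented; the validation checks are the editor's own and assume only the syntax documented in auditctl(8).

```python
"""Parse and sanity-check auditctl-style rules of the kind placed in an
Auditbeat kernel.audit_rules block.  Added example, not Auditbeat code.

Rule forms handled (per auditctl(8)):
  -w <path> [-p <rwxa>] [-k <key>]                      file watch
  -a|-A <action>,<list> [-F field<op>value]... [-S syscalls] [-k <key>]  syscall rule
"""
import re

VALID_PERMS = set("rwxa")
VALID_ACTIONS = {"always", "never"}
VALID_LISTS = {"task", "exit", "user", "exclude", "filesystem"}
# -F arguments look like arch=b32, exit=-EPERM, auid>=1000, perm&x ...
FIELD_RE = re.compile(r"^([A-Za-z0-9_]+)(!=|>=|<=|&=|=|>|<|&)(.+)$")

# Constructed sample: the two example rules from the configuration, uncommented.
SAMPLE_RULES = """\
# identity files and denied file opens
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
"""


def parse_audit_rule(line):
    """Return a dict describing one rule, or None for blank and comment lines.
    Raises ValueError on syntax the parser cannot make sense of."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = line.split()
    rule = {"key": None, "raw": line}
    if tokens[0] == "-w":
        # auditctl watches all of rwxa when -p is omitted.
        rule.update(type="watch", path=tokens[1], perms="rwxa")
    elif tokens[0] in ("-a", "-A"):
        action, _, lst = tokens[1].partition(",")
        if action in VALID_LISTS and lst in VALID_ACTIONS:
            action, lst = lst, action  # auditctl accepts either order
        rule.update(type="syscall", prepend=(tokens[0] == "-A"),
                    action=action, list=lst, fields=[], syscalls=[])
    else:
        raise ValueError(f"unsupported rule start {tokens[0]!r}: {line}")

    i = 2
    while i < len(tokens):
        flag = tokens[i]
        if i + 1 >= len(tokens):
            raise ValueError(f"flag {flag} has no argument: {line}")
        arg = tokens[i + 1]
        if flag == "-k":
            rule["key"] = arg
        elif flag == "-p" and rule["type"] == "watch":
            rule["perms"] = arg
        elif flag == "-S" and rule["type"] == "syscall":
            rule["syscalls"].extend(arg.split(","))
        elif flag == "-F" and rule["type"] == "syscall":
            m = FIELD_RE.match(arg)
            if not m:
                raise ValueError(f"malformed -F field {arg!r}: {line}")
            rule["fields"].append(m.groups())
        else:
            raise ValueError(f"unknown flag {flag!r} for {rule['type']} rule: {line}")
        i += 2
    return rule


def validate_rules(text):
    """Parse every rule in a kernel.audit_rules block and return a list of
    human-readable problems; an empty list means all rules look sound."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            rule = parse_audit_rule(line)
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
            continue
        if rule is None:
            continue
        if rule["type"] == "watch":
            bad = set(rule["perms"]) - VALID_PERMS
            if bad:
                problems.append(f"line {lineno}: invalid -p permissions {''.join(sorted(bad))!r}")
            if not rule["path"].startswith("/"):
                problems.append(f"line {lineno}: watch path must be absolute")
        else:
            if rule["action"] not in VALID_ACTIONS:
                problems.append(f"line {lineno}: unknown action {rule['action']!r}")
            if rule["list"] not in VALID_LISTS:
                problems.append(f"line {lineno}: unknown filter list {rule['list']!r}")
        if rule["key"] is None:
            # Legal, but the resulting events then carry no key= tag to filter on.
            problems.append(f"line {lineno}: rule has no -k key")
    return problems


if __name__ == "__main__":
    for problem in validate_rules(SAMPLE_RULES) or ["all rules OK"]:
        print(problem)
```

Running the module against SAMPLE_RULES prints "all rules OK"; feeding it the literal block from a YAML file before a deploy turns a kernel-side load failure into a readable line number and message.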
Metricsets

The following metricsets are available: