WARNING: Version 6.0 of Auditbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Specify which modules to run
To enable specific modules and metricsets, you add entries to the
auditbeat.modules list in the auditbeat.yml config file. Each entry in
the list begins with a dash (-) and is followed by settings for that module.
The following example shows a configuration that runs the audit module with
the kernel and file metricsets enabled:
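auditbeat.modules:
- module: audit
  metricsets: [kernel]
  # Rule 1 watches /etc/passwd for writes and attribute changes.
  # Rule 2 records 32-bit ABI file-open syscalls that fail with EPERM.
  kernel.audit_rules: |
    -w /etc/passwd -p wa -k identity
    -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
- module: audit
  metricsets: [file]
  # Directories monitored by the file metricset.
  file.paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc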
The configuration details vary by module. See the module documentation for more detail about configuring the available modules and metricsets.
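The syscall rule in the example above is scoped to the 32-bit ABI only (arch=b32). The following added example, which is not part of the Auditbeat documentation or code base, parses a kernel.audit_rules block and reports which rule keys lack coverage for one of the two ABIs; the function names parse_rules and uncovered_abis are hypothetical, and only the flags used on this page are handled.

```python
import shlex

# Constructed sample: the kernel.audit_rules block from the configuration above.
RULES = """\
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
"""

def parse_rules(text):
    """Parse auditctl-style rule lines into dicts (watch or syscall rules)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = {"type": None, "fields": [], "syscalls": [], "key": None}
        it = iter(shlex.split(line))
        for flag in it:
            value = next(it, None)  # every flag handled here takes one value
            if value is None:
                raise ValueError(f"flag {flag} has no value: {line}")
            if flag == "-w":
                rule["type"], rule["path"] = "watch", value
            elif flag == "-p":
                rule["perms"] = value
            elif flag in ("-a", "-A"):
                rule["type"], rule["action"] = "syscall", value
            elif flag == "-S":
                rule["syscalls"] += value.split(",")
            elif flag == "-F":
                rule["fields"].append(value)  # kept raw, e.g. "exit=-EPERM"
                if value.startswith("arch="):
                    rule["arch"] = value[len("arch="):]
            elif flag == "-k":
                rule["key"] = value
            else:
                raise ValueError(f"unsupported flag {flag}: {line}")
        rules.append(rule)
    return rules

def uncovered_abis(rules):
    """Map each syscall-rule key to the ABIs (b32/b64) it never names."""
    seen = {}
    for r in rules:
        if r["type"] == "syscall" and "arch" in r:  # rules without arch are skipped
            seen.setdefault(r["key"], set()).add(r["arch"])
    gaps = {k: {"b32", "b64"} - v for k, v in seen.items()}
    return {k: v for k, v in gaps.items() if v}

if __name__ == "__main__":
    print(uncovered_abis(parse_rules(RULES)))
```

Run against the page's rules, the check reports that the access key has no arch=b64 rule, so the same syscalls made through the 64-bit ABI are not matched by this rule set.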