- Auditbeat Reference: other versions:
- Overview
- Contributing to Beats
- Getting started with Auditbeat
- Breaking changes in 6.2
- Setting up and running Auditbeat
- Configuring Auditbeat
- Specify which modules to run
- Specify general settings
- Reload the configuration dynamically
- Configure the internal queue
- Configure the output
- Specify SSL settings
- Filter and enhance the exported data
- Parse data by using ingest node
- Set up project paths
- Set up the Kibana endpoint
- Load the Kibana dashboards
- Load the Elasticsearch index template
- Configure logging
- Use environment variables in the configuration
- YAML tips and gotchas
- Regular expression support
- auditbeat.reference.yml
- Modules
- Exported fields
- Monitoring Auditbeat
- Securing Auditbeat
- Troubleshooting
WARNING: Version 6.2 of Auditbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Specify which modules to run
editSpecify which modules to run
editTo enable specific modules you add entries to the auditbeat.modules list in
the auditbeat.yml config file. Each entry in the list begins with a dash
(-) and is followed by settings for that module.
The following example shows a configuration that runs the auditd and
file_integrity moduled.
auditbeat.modules: - module: auditd audit_rules: | -w /etc/passwd -p wa -k identity -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access - module: file_integrity paths: - /bin - /usr/bin - /sbin - /usr/sbin - /etc
The configuration details vary by module. See the module documentation for more detail about configuring the available modules.
Was this helpful?
Thank you for your feedback.