WARNING: Version 6.2 of Auditbeat has passed its EOL date.

This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.

« Auditbeat command reference Configuring Auditbeat »
Elastic Docs Auditbeat Reference [6.2] Setting up and running Auditbeat

Running Auditbeat on Docker

edit

Running Auditbeat on Docker

edit

Docker images for Auditbeat are available from the Elastic Docker registry. You can retrieve an image with a docker pull command.

docker pull docker.elastic.co/beats/auditbeat:6.2.4

The base image is centos:7 and the source code can be found on GitHub.

Configure Auditbeat on Docker

edit

The Docker image provides several methods for configuring Auditbeat. The conventional approach is to provide a configuration file via a bind mount, but it’s also possible to create a custom image with your configuration included.

Bind-mounted configuration
edit

One way to configure Auditbeat on Docker is to provide auditbeat.yml via a bind mount. With docker run, the bind mount can be specified like this:

docker run \
  --mount type=bind,source="$(pwd)"/auditbeat.yml,target=/usr/share/auditbeat/auditbeat.yml \
  docker.elastic.co/beats/auditbeat:6.2.4
Custom image configuration
edit

It’s possible to embed your Auditbeat configuration in a custom image. Here is an example Dockerfile to achieve this:

FROM docker.elastic.co/beats/auditbeat:6.2.4
COPY auditbeat.yml /usr/share/auditbeat/auditbeat.yml

Special requirements

edit

Under Docker, Auditbeat runs as a non-root user, but requires some privileged capabilities to operate correctly. Ensure that the AUDIT_CONTROL and AUDIT_READ capabilities are available to the container.

It is also essential to run Auditbeat in the host PID namespace.

docker run --cap-add=AUDIT_CONTROL,AUDIT_READ --pid=host docker.elastic.co/beats/auditbeat:6.2.4
« Auditbeat command reference Configuring Auditbeat »