IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
Configure modules
To enable specific modules, you add entries to the auditbeat.modules list in
the auditbeat.yml config file. Each entry in the list begins with a dash
(-) and is followed by settings for that module.
The following example shows a configuration that runs the auditd and
file_integrity modules.
auditbeat.modules:
- module: auditd
  audit_rules: |
    -w /etc/passwd -p wa -k identity
    -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
The configuration details vary by module. See the module documentation for more detail about configuring the available modules.
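The syscall rule in the sample filters on arch=b32 only, so on a 64-bit host it matches only calls made through the 32-bit syscall table. The check below is an added example, not part of the Auditbeat documentation or code: it scans an audit_rules block and reports rule keys that have a syscall rule for one architecture but not the other. Pairing rules by their -k key is an assumption of this sketch, and the function names are hypothetical.

```python
import shlex

# Constructed sample: the audit_rules block from the configuration above.
AUDIT_RULES = """\
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
"""

NO_ARG_FLAGS = {"-D"}  # auditctl-style flags that take no value


def parse_rule(line):
    """Parse one rule line into its kind, arch filter, syscalls and key."""
    tokens = shlex.split(line)
    rule = {"kind": None, "arch": None, "syscalls": set(), "key": ""}
    i = 0
    while i < len(tokens):
        flag = tokens[i]
        if flag in NO_ARG_FLAGS:
            i += 1
            continue
        value = tokens[i + 1] if i + 1 < len(tokens) else ""
        if flag == "-w":
            rule["kind"] = "watch"        # file watch, not arch-specific
        elif flag in ("-a", "-A"):
            rule["kind"] = "syscall"      # syscall rule, e.g. always,exit
        elif flag == "-S":
            rule["syscalls"].update(value.split(","))
        elif flag == "-F" and value.startswith("arch="):
            rule["arch"] = value[len("arch="):]
        elif flag == "-k":
            rule["key"] = value
        i += 2
    return rule


def find_arch_gaps(rules_text):
    """Return sorted (key, missing_arch) pairs for syscall rules."""
    archs_by_key = {}
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # skip blanks and comments
        rule = parse_rule(line)
        if rule["kind"] == "syscall" and rule["arch"]:
            archs_by_key.setdefault(rule["key"], set()).add(rule["arch"])
    return sorted((key, arch) for key, seen in archs_by_key.items()
                  for arch in {"b32", "b64"} - seen)


if __name__ == "__main__":
    for key, arch in find_arch_gaps(AUDIT_RULES):
        print(f"key '{key}': no syscall rule with arch={arch}")
```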