Auditbeat
Auditbeat — это анализатор сетевых пакетов в реальном времени, который вы можете использовать с Elasticsearch для обеспечения мониторинга приложений и повышения производительности системы аналитики. Packetbeat дополняет платформу Beats, обеспечивая видимость между серверами вашей сети.
Отправка событий с помощью Auditbeat
примечание
Для настройки сбора с Filebeat необходимо выполнить настройку HTTP-коллектора.
Дополнительные настройки Heartbeat можно найти в документации
Открыть файл auditbeat.yaml
с помощью nano и заполнить следующим образом:
- v6 с Basic Auth
- fake-elastic v7 без Basic Auth
- v8 с Basic Auth
# Variant 1: Elasticsearch v6, Basic Auth + mutual TLS (client certificate).
auditbeat.modules:
  # auditd: consumes events from the Linux kernel audit framework. Which
  # events are reported depends entirely on the audit rules loaded below.
  - module: auditd
    resolve_ids: true
    failure_mode: silent
    backlog_limit: 8196
    rate_limit: 0
    include_raw_message: false
    include_warnings: false
    # Publish fields even when their value is null.
    keep_null: true
    # Rules can come from files in audit.rules(7) format ...
    # audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
    # ... or be given inline:
    # audit_rules: |
    #   # Unauthorized access attempts.
    #   -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access

  # file_integrity: emits an event (metadata + hashes) whenever a file under
  # the listed paths is created, updated or deleted.
  - module: file_integrity
    paths:
      - /etc

output.elasticsearch:
  hosts: ["https://ip-Комрада:9200"]
  username: elastic
  # Quoted so that a boolean- or number-looking password is never retyped by
  # the parser. A literal secret in this file is readable by anyone with
  # access to it; the Beats keystore (`auditbeat keystore`) lets you reference
  # it as "${VAR_NAME}" instead.
  password: 'pass'
  # CA bundle used to verify the Elasticsearch server certificate.
  ssl.certificate_authorities: ["/usr/share/auditbeat/client/ca.pem"]
  # Client certificate and private key presented to Elasticsearch (mutual TLS).
  ssl.certificate: "/usr/share/auditbeat/client/client.pem"
  ssl.key: "/usr/share/auditbeat/client/client-key.pem"
# Variant 2: fake-elastic v7, no Basic Auth.
auditbeat.modules:
  # auditd: consumes events from the Linux kernel audit framework. Which
  # events are reported depends entirely on the audit rules loaded below.
  - module: auditd
    resolve_ids: true
    failure_mode: silent
    backlog_limit: 8196
    rate_limit: 0
    include_raw_message: false
    include_warnings: false
    # Publish fields even when their value is null.
    keep_null: true
    # Rules can come from files in audit.rules(7) format ...
    # audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
    # ... or be given inline:
    # audit_rules: |
    #   # Unauthorized access attempts.
    #   -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access

  # file_integrity: emits an event (metadata + hashes) whenever a file under
  # the listed paths is created, updated or deleted.
  - module: file_integrity
    paths:
      - /etc

output.elasticsearch:
  # No scheme given, so the connection is plain HTTP: the audit events leave
  # this host unencrypted and the receiver is not authenticated.
  hosts: ["ip-Комрада:9200"]
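# Variant 3: Elasticsearch v8, Basic Auth + TLS.
auditbeat.modules:
  # auditd: consumes events from the Linux kernel audit framework. Which
  # events are reported depends entirely on the audit rules loaded below.
  - module: auditd
    resolve_ids: true
    failure_mode: silent
    backlog_limit: 8196
    rate_limit: 0
    include_raw_message: false
    include_warnings: false
    # Publish fields even when their value is null.
    keep_null: true
    # Rules can come from files in audit.rules(7) format ...
    # audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
    # ... or be given inline:
    # audit_rules: |
    #   # Unauthorized access attempts.
    #   -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access

  # file_integrity: emits an event (metadata + hashes) whenever a file under
  # the listed paths is created, updated or deleted.
  - module: file_integrity
    paths:
      - /etc

output.elasticsearch:
  # Explicit https: a client key only makes sense over TLS, and without the
  # scheme Beats would default to plain HTTP and send the credentials below
  # in the clear.
  hosts: ["https://ip-Комрада:9200"]
  username: Elastic2
  # Quoted so that a boolean- or number-looking password is never retyped by
  # the parser. A literal secret in this file is readable by anyone with
  # access to it; the Beats keystore (`auditbeat keystore`) lets you reference
  # it as "${VAR_NAME}" instead.
  password: 'Pass2'
  # CA bundle used to verify the Elasticsearch server certificate.
  ssl.certificate_authorities: ["/usr/share/auditbeat/client/ca.pem"]
  # Beats rejects ssl.key without a matching ssl.certificate, so both are set.
  # NOTE(review): the original listing pointed ssl.key at
  # /usr/share/packetbeat/...; the paths below follow the auditbeat layout used
  # in the v6 listing — confirm the files exist at these paths on the host.
  ssl.certificate: "/usr/share/auditbeat/client/client.pem"
  ssl.key: "/usr/share/auditbeat/client/client-key.pem"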
Сохранить файл (Ctrl+O, Ctrl+X)