I have configured auditbeat as below:
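########################## Auditbeat Configuration #############################

#================================ General ======================================

queue:
  # Queue type by name (default 'mem').
  # The memory queue presents all available events (up to the output's
  # bulk_max_size) to the output the moment the output is ready to serve
  # another batch of events.
  mem:
    # Max number of events the queue can buffer.
    events: 4096
    flush:
      min_events: 2048
      timeout: 1s

max_procs: 1
max_start_delay: 10s

#================================= Paths ======================================

path:
  home: "/usr/share/auditbeat"
  config: "/etc/auditbeat"
  data: "/var/lib/auditbeat"
  # NOTE(review): in the reference config path.logs is a directory; pointing
  # it at a file name is probably unintended — confirm against the logging
  # section of the full config.
  logs: "/var/log/auditbeat/auditbeat.log"

#============================ Config Reloading ================================

# Config reloading allows modules to be loaded dynamically. Each file that is
# monitored must contain one or more modules as a list.
config:
  modules:
    # Glob pattern for configuration reloading (quoted because it contains "*").
    path: "${path.config}/conf.d/*.yml"
    reload:
      # Period on which files under path should be checked for changes.
      period: 10s
      # Set to true to enable config reloading.
      enabled: false

#========================== Modules configuration =============================

auditbeat.modules:

#----------------------------- Auditd module -----------------------------------
#
# https://www.elastic.co/guide/en/beats/auditbeat/6.4/auditbeat-module-auditd.html
- module: auditd
  resolve_ids: true
  failure_mode: silent
  backlog_limit: 8196
  rate_limit: 0
  include_raw_message: true
  include_warnings: true
  # Kernel audit rules in auditctl syntax, exactly one rule per line (the
  # original paste had two rules fused on one line, which auditctl rejects).
  # These rules watch the listed paths and syscalls in the kernel audit
  # subsystem; they do not read the contents of any log file, and no rule
  # below references /var/log/secure.
  # The b64 "open,openat ... key=access" rules near the end are a subset of
  # the "open,creat,openat,open_by_handle_at -k access" rules above them and
  # could be dropped.
  audit_rules: |
    -w /var/log/test-audit/audit.log -p wra -k audit_log_change
    -w /etc/auditbeat/auditbeat.yml -p w -k audit_poilicy_change
    -w /etc/crontab -p w -k cron_job_content_change
    -w /etc/group -p wa -k identity
    -w /etc/passwd -p wa -k identity
    -w /etc/gshadow -p wa -k identity
    -w /etc/shadow -p wa -k identity
    -w /etc/security/opasswd -p wa -k identity
    -w /etc/ssh/sshd_config -p warx -k sshd_config
    -a always,exit -F arch=b64 -S open,creat,openat,open_by_handle_at -F exit=-EACCES -k access
    -a always,exit -F arch=b64 -S open,creat,openat,open_by_handle_at -F exit=-EPERM -k access
    -a always,exit -F path=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
    -a always,exit -F arch=b64 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=elevated-privs
    -a always,exit -F arch=b32 -S setuid -F a0=0 -F exe=/usr/bin/su -F key=elevated-privs
    -a always,exit -F arch=b64 -S setresuid -F a0=0 -F exe=/usr/bin/sudo -F key=elevated-privs
    -a always,exit -F arch=b32 -S setresuid -F a0=0 -F exe=/usr/bin/sudo -F key=elevated-privs
    -a exit,always -F arch=b64 -S execve
    -a exit,always -F arch=b32 -S execve
    -a always,exit -F arch=b64 -S open,openat -F exit=-EACCES -F key=access
    -a always,exit -F arch=b64 -S open,openat -F exit=-EPERM -F key=access
    -a exit,always -F path=/etc/cron.d -S open -S openat -S open_by_handle_at -F auid>=500 -F auid!=4294967295 -k unlisted_cron_change
    -a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -F auid>=500 -F auid!=4294967295 -k delete
    -a always,exit -F arch=b32 -S rename -S renameat -F exit=-EACCES -k rename_failure
    -a always,exit -F arch=b64 -S rename -S renameat -F exit=-EACCES -k rename_failure
    -a always,exit -F arch=b32 -S rename -S renameat -F exit=-EPERM -k rename_failure
    -a always,exit -F arch=b64 -S rename -S renameat -F exit=-EPERM -k rename_failure
    -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod

#----------------------------- File Integrity module -----------------------------------
# Reports metadata and hash changes for the paths below; it does not emit file
# contents, and /var/log/secure is not among the monitored paths.
- module: file_integrity
  paths:
    - /bin
    - /sbin
    - /usr/sbin
    - /usr/bin
    - /opt/bin
    - /opt/sbin
    - /etc/passwd
    - /etc/shadow
    - /etc/auditbeat
    - /etc/rsyslog.conf
    - /etc/crontab
    - /etc/audit/auditd.conf
    - /etc/cron.d
  # List of regular expressions to filter out notifications for unwanted files.
  # Wrapped in single quotes to work around YAML escaping rules. By default no
  # files are ignored.
  exclude_files:
    - '(?i)\.sw[nop]$'
    - '~$'
    - '/\.git($|/)'
  # Scan over the configured file paths at startup and send events for new or
  # modified files since the last time Auditbeat was running.
  scan_at_start: true
  # Average scan rate. This throttles the amount of CPU and I/O that Auditbeat
  # consumes at startup while scanning. Default is "50 MiB".
  scan_rate_per_sec: 50 MiB
  # Limit on the size of files that will be hashed. Default is "100 MiB".
  max_file_size: 100 MiB
  # Hash types to compute when the file changes. Supported types are
  # blake2b_256, blake2b_384, blake2b_512, md5, sha1, sha224, sha256, sha384,
  # sha512, sha512_224, sha512_256, sha3_224, sha3_256, sha3_384 and sha3_512.
  # Default is sha1; sha256 is the stronger choice if hashes are compared
  # against external references.
  hash_types: [sha1]
  # Detect changes to files included in subdirectories. Disabled by default.
  recursive: true

#------------------------------- Kafka output ----------------------------------
output.kafka:
  # Boolean flag to enable or disable the output module.
  enabled: true
  # The list of Kafka broker addresses from where to fetch the cluster metadata.
  # The cluster metadata contain the actual Kafka brokers events are published
  # to.
  # NOTE(review): no ssl or sasl settings appear in this section, so audit
  # events would reach the broker unencrypted and unauthenticated — add them
  # unless the broker is on a trusted network.
  hosts:
    - x.y.z.z:9092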
With the above settings, does auditbeat watch /var/log/secure and emit everything written to /var/log/secure as events?