Auditbeat configuring file

Hello ,

I just tried to work on auditbeat this is my auditbeat.yml file


  • module: file_integrity
    • /home/rdave/Desktop/xyz.cfg.txt
      setup.template.enabled: false
      reload.enabled: true
      reload.period: 10s
      hosts: ['localhost:9200']
      index: "auditbeat"

I want to observe the change in the configuration file along with the username and I also want to know what was changed in the config file.
A help would be highly appreciated


Hi @shrikantgulia, the file_integrity module can't tell you who changed a file - the underlying APIs do not support it.

Which operating system do you want to do this on? On Linux, this is possible using the auditd module and an audit rule like -w /home/rdave/Desktop/xyz.cfg.txt -p wa -k file-changed.

There is currently no way in Auditbeat (or any other Beat) to track what changes happened to a file. This is not something operating systems typically expose directly, and so it would require keeping a copy of the file for comparison. There is an open Github issue if you're interested in tracking this:

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.