File and kernel metricsets does not work together


I am trying to setup auditbeat to monitor both logins to the systems and filechanges but if I enable the file metricset the kernel one stop sending data into elasticsearch.

I have the following configuration:


- module: audit
  metricsets: [kernel]
  kernel.audit_rules: |
    -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
    -w /etc/group -p wa -k identity
    -w /etc/passwd -p wa -k identity
    -w /etc/gshadow -p wa -k identity
    -w /etc/shadow -p wa -k identity
  module: audit
  metricsets: [file]
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
  file.max_file_size: 100 MiB
  file.hash_types: [sha1] 

I really hope this is a configuration issue while I am aware that it is not yet a stable version.

Thanks in advance.

I think you are missing - in front of the second module declaration, as shown in this example.

Right, tanks.