Multiple auditbeat file_integrity module configurations

I have had issues in the past with the flexibility of the auditbeat file_integrity module configuration. On one hand I want to monitor most changes under /etc and similar directories, but on the other hand I also want to monitor a few very specific changes under /home.

I would like to benefit from the new detection rule for alerting on changes to ~/.ssh/authorized_keys files but currently I have chosen to instead monitor everything under /etc because it doesn't seem like there is a way to do both at one time using auditbeat.

Is there any way of specifying a primary key for each auditbeat module configuration so that they don't conflict when there are multiple module configurations set up?

Basically I would like the following, but it doesn't seem to be supported right now:

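    # Monitor system paths using exclusions
    - module: file_integrity
      paths:
      - /bin
      - /usr/bin
      - /sbin
      - /usr/sbin
      - /etc
      - /root
      # Descend into subdirectories of the paths above
      recursive: true
      # Skip editor swap files, backup files and .git directories
      exclude_files:
      - '(?i)\.sw[nop]$'
      - '~$'
      - '/\.git($|/)'

    # Monitor user directories using inclusions to only show .ssh file changes
    - module: file_integrity
      paths:
      - /home
      # Descend into each user's home directory
      recursive: true
      # Only report files under a .ssh directory
      include_files:
      - '/\.ssh($|/)'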
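
A way to check which paths each of the two instances above would report before deploying the patterns (an added example, not part of the original post and not Auditbeat code). The `INSTANCES` table, the helper names and the sample paths are constructed here; the filter order (under a watched path, no exclude match, then an include match if any are set) is an assumption of this sketch.

```python
import re

# Patterns copied from the post; instance names are hypothetical labels.
INSTANCES = [
    {
        "name": "system",
        "paths": ["/bin", "/usr/bin", "/sbin", "/usr/sbin", "/etc", "/root"],
        "exclude": [r"(?i)\.sw[nop]$", r"~$", r"/\.git($|/)"],
        "include": [],
    },
    {
        "name": "home-ssh",
        "paths": ["/home"],
        "exclude": [],
        "include": [r"/\.ssh($|/)"],
    },
]


def under(path, root):
    """True if path is root itself or lies below it (not just a string prefix)."""
    return path == root or path.startswith(root.rstrip("/") + "/")


def reporting_instances(path):
    """Return the names of the instances that would report a change to path."""
    hits = []
    for inst in INSTANCES:
        if not any(under(path, r) for r in inst["paths"]):
            continue  # outside every watched root of this instance
        if any(re.search(p, path) for p in inst["exclude"]):
            continue  # dropped by an exclusion pattern
        if inst["include"] and not any(re.search(p, path) for p in inst["include"]):
            continue  # inclusion list set, but nothing matched
        hits.append(inst["name"])
    return hits


# Constructed sample paths covering the edge cases of each pattern.
SAMPLES = [
    "/etc/ssh/sshd_config", "/etc/.git/config", "/etc/.gitignore",
    "/etc/passwd~", "/etc/.hosts.SWP", "/root/.ssh/authorized_keys",
    "/home/alice/.ssh/authorized_keys", "/home/alice/.sshrc", "/homework/x",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:40} -> {reporting_instances(sample) or 'not reported'}")
```

Because the patterns are anchored with `($|/)`, `/etc/.gitignore` is still reported and `/home/alice/.sshrc` is not mistaken for a `.ssh` directory.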
