Using auditd along with auditbeat

I want to run Auditbeat along with auditd.
Is there any option?

Or can we write Auditbeat logs to some file?

from Andrew Kroh:
To run the two simultaneously you must use the multicast socket_type in Auditbeat and you must not set any audit_rules in your Auditbeat config (they will be managed by auditd).

auditbeat.modules:
- module: auditd
  socket_type: multicast

This lets Auditbeat receive a broadcast of the audit messages (just like journald does).

output to file:

output.file:
  path: "/var/auditbeat/logs"
  filename: auditbeat
  rotate_every_kb: 20000
  number_of_files: 2
  permissions: 0644
