Send audit logs to Logstash with Filebeat from CentOS/RHEL

Install Filebeat

Add repositories


sudo yum install filebeat
sudo systemctl enable filebeat

Configure Filebeat

sudo cp -av /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml.default

sudo vim /etc/filebeat/filebeat.yml


filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false

output.logstash:
  hosts: ["LOGSTASHIP:5044"]

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~

logging.to_syslog: false
logging.to_files: true
logging.files:
  path: "/var/log/filebeat"
  name: "filebeat.log"
  keepfiles: 7

sudo filebeat modules enable auditd

Start Filebeat

sudo filebeat -c /etc/filebeat/filebeat.yml test config
sudo systemctl start filebeat


Configure Logstash

vi 01-inputs.conf

input {
  beats {
    port => 5044
  }
}
vi 13-auditd.conf

filter {
  if [service][type] == "auditd" {
    # auditd-specific parsing filters (omitted in the original)
  }
}
vi 30-outputs.conf

output {
  if [service][type] == "auditd" {
    elasticsearch {
      hosts => ["localhost"]
      index => "auditd-%{+YYYY.MM}"
    }
  }
}

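Because the body of 13-auditd.conf is not shown above, the following Python, added here and not part of the original post, mimics what the filter and output stages do end to end: parse raw audit.log records into auditd.log.* fields (names modelled on the Filebeat auditd module), tag them with service.type auditd, and route each event to the monthly auditd-YYYY.MM index derived from its own timestamp, the same way the `index => "auditd-%{+YYYY.MM}"` setting does. The sample records, the exact field names and the subset of Joda date tokens handled by `index_name` are assumptions of this example.

```python
"""Added example (not from the original post): a minimal auditd record
parser plus the monthly index-name routing that the page's Logstash
output stage applies.  All sample data below is constructed."""
import re
from datetime import datetime, timezone

# Constructed sample lines in /var/log/audit/audit.log format (assumption).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c comm="cat" exe="/usr/bin/cat" key="access-denied"
type=USER_LOGIN msg=audit(1700000100.456:4570): pid=1234 uid=0 auid=1000 ses=5 msg='op=login acct="alice" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
"""

# Record header: type=<record_type> msg=audit(<epoch.millis>:<sequence>): <body>
HEADER_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<seq>\d+)\):\s*(?P<body>.*)$'
)
# key=value pairs; values may be double-quoted, single-quoted (nested msg='...')
# or bare tokens.  Quoted values are consumed whole so nested pairs stay inside.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')


def parse_audit_line(line):
    """Return a flat dict of fields for one audit record, or None if the
    line is not an audit record.  Field names follow the auditd.log.*
    convention used by the Filebeat auditd module (assumption)."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    event = {
        "service.type": "auditd",  # what the page's conditionals test on
        "auditd.log.record_type": m.group("type"),
        "auditd.log.sequence": int(m.group("seq")),
        "@timestamp": datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc),
    }
    for key, raw in KV_RE.findall(m.group("body")):
        event["auditd.log." + key] = raw.strip("\"'")
    return event


def index_name(event, pattern="auditd-%{+YYYY.MM}"):
    """Render a Logstash %{+...} date sprintf against the event's own
    @timestamp.  Only the Joda tokens YYYY, MM and dd are mapped here."""
    ts = event["@timestamp"]

    def render(m):
        fmt = m.group(1).replace("YYYY", "%Y").replace("MM", "%m").replace("dd", "%d")
        return ts.strftime(fmt)

    return re.sub(r"%\{\+([^}]+)\}", render, pattern)


def route(log_text):
    """Parse every line and group events by destination index, applying the
    same [service][type] == "auditd" guard as the page's output block."""
    routing = {}
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev is None or ev.get("service.type") != "auditd":
            continue
        routing.setdefault(index_name(ev), []).append(ev)
    return routing


if __name__ == "__main__":
    for idx, events in route(SAMPLE_AUDIT_LOG).items():
        print(idx, [e["auditd.log.record_type"] for e in events])
```

Running the module prints one line per target index; with the constructed sample both records land in auditd-2023.11, which is the behaviour to expect from the monthly index pattern in 30-outputs.conf. Lines that are not audit records are dropped by the parser rather than routed, which is the check worth keeping when you extend the filter stage.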