Send audit logs to Logstash with Filebeat from CentOS/RHEL

Install Filebeat

Add repositories

https://www.elastic.co/guide/en/beats/filebeat/current/setup-repositories.html

Install

sudo yum install filebeat
sudo systemctl enable filebeat

Configure Filebeat

sudo cp -av /etc/filebeat/filebeat.yml /etc/filebeat/filebeat.yml.default

sudo vim /etc/filebeat/filebeat.yml

filebeat.inputs:

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false

output.logstash:
  hosts: ["LOGSTASHIP:5044"]

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~

logging.to_syslog: false
logging.to_files: true
logging.files:
  path: "/var/log/filebeat"
  name: "filebeat.log"
  keepfiles: 7

Enable the auditd module

sudo filebeat modules enable auditd

Start Filebeat

sudo filebeat -c /etc/filebeat/filebeat.yml test config
sudo systemctl start filebeat

Logstash

vi 01-inputs.conf

input {
  beats { 
    port => 5044 
  }
}

vi 13-auditd.conf

filter {
  if [service][type] == "auditd" {

  }
}

vi 30-outputs.conf

output {
  if [service][type] == "auditd" {
    elasticsearch {
      hosts => ["localhost"]
      index => "auditd-%{+YYYY.MM}"
    }
  }
}
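One caveat with this output: the Filebeat auditd module does its parsing in an Elasticsearch ingest pipeline, and Logstash only applies it when told to, so with the output above every record lands in auditd-* as an unparsed message field. The variant of 30-outputs.conf below is an added example, not part of the original post; it assumes Elasticsearch on localhost and that the module pipeline has been loaded into Elasticsearch once with `filebeat setup --pipelines --modules auditd` (with -E overrides pointing setup at Elasticsearch, since this filebeat.yml outputs to Logstash).

```logstash
output {
  # Filebeat puts the name of the module's ingest pipeline in
  # [@metadata][pipeline]; the second condition keeps events that
  # lack it from being sent with a literal, unexpanded pipeline name.
  if [service][type] == "auditd" and [@metadata][pipeline] {
    elasticsearch {
      hosts => ["localhost"]              # assumed Elasticsearch host
      index => "auditd-%{+YYYY.MM}"
      # Ask Elasticsearch to run the auditd module pipeline on each
      # event so the raw audit record is parsed into ECS fields.
      pipeline => "%{[@metadata][pipeline]}"
    }
  }
}
```

Check the result by searching the auditd-* index: parsed events carry fields beyond `message`, unparsed ones do not.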
