Auditbeat for Linux hosts on Graylog 3.2.4

Does anyone have a working collector configuration for Auditbeat for Linux machines? If so, can someone share the sample file with me? I am new to Graylog and trying to find my way around.

Thanks,
Rajesh

Below is a working Windows Auditbeat config. I haven't used it in a while, but it would be a good start.

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
  hosts: [${user.BeatsInput}]
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
  - windows
  - auditbeat
auditbeat.modules:
- module: file_integrity
  paths:
  - C:/windows
  - C:/windows/system32
  - C:/Program Files
  - C:/Program Files (x86)
- module: system
  datasets:
    - host      # General host information, e.g. uptime, IPs
    - process   # Started and stopped processes
#   - login     # Linux only
  # System module settings; indented under the module so they apply to it
  state.period: 12
  user.detect_password_changes: true
#processors:
#  - add_host_metadata: ~      # commented out
#  - add_cloud_metadata: ~     # commented out

Okay, if I want to use it for Linux, do I just need to modify the paths?

Most likely. There are all sorts of docs over at Elasticsearch on Auditbeat to set the parameters you want… make sure you look at the right Elasticsearch version, since Graylog does not use the most recent version of Elasticsearch.

I would link you to it, but @macko003 prefers that the community do a little more googling… :crazy_face:

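A Linux adaptation of the Windows sidecar config above, added here as an example and not posted by anyone in the thread: the sidecar variables are the same ones used above, the path.data/path.logs locations are assumed defaults for a package-installed Linux sidecar, and the file_integrity paths, system datasets and auditd watch rules are illustrative defaults you should adjust to your hosts.

```yaml
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
  hosts: ["${user.BeatsInput}"]

# Assumed default sidecar locations on a package-installed Linux host
path:
  data: /var/lib/graylog-sidecar/collectors/auditbeat/data
  logs: /var/log/graylog-sidecar

tags:
  - linux
  - auditbeat

auditbeat.modules:
# Kernel audit framework; if auditd is also running, check the module's
# socket_type setting (only one process can own the unicast audit socket)
- module: auditd
  resolve_ids: true
  failure_mode: silent
  audit_rules: |
    # Changes to identity and privilege configuration
    -w /etc/passwd -p wa -k identity
    -w /etc/group -p wa -k identity
    -w /etc/shadow -p wa -k identity
    -w /etc/sudoers -p wa -k privilege
    -w /etc/sudoers.d/ -p wa -k privilege

# Hashes files and reports create/modify/delete events (Linux defaults)
- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc

- module: system
  datasets:
    - host      # General host information, e.g. uptime, IPs
    - login     # Linux only: utmp/wtmp/btmp login records
    - package   # Installed packages (dpkg/rpm)
    - process   # Started and stopped processes
    - socket    # Opened and closed sockets
    - user      # Local users and groups
  state.period: 12h
  user.detect_password_changes: true
```

Before deploying through the sidecar, run `auditbeat test config -c <file>` on one host to catch YAML or module errors, and confirm the events arrive on the Beats input the ${user.BeatsInput} variable points at.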

OFF

Yes, it is my fault. Or I'm too lazy to do others' work. Mostly when the registration and the post creation take more time than googling. (Not in this case.)

