Auditbeat for Linux hosts on Graylog 3.2.4

Did anyone have a working collector configuration for Auditbeat for Linux machines? If so can someone share the sample file with me? I am new to Graylog and trying to find my way around.


Below is a working windows auditbeat. I haven’t used it in a while but it would be a good start.

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
   hosts: [${user.BeatsInput}]
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data      
  logs: C:\Program Files\Graylog\sidecar\logs                       
    - windows                                                       
    - auditbeat                                                     
- module: file_integrity
  - C:/windows
  - C:/windows/system32
  - C:/Program Files
  - C:/Program Files (x86)
- module: system
    - host      # General host information, e.g. uptime, IPs
    - process   # Started and stopped processes
#   - login                                                         #!!linux only 
state.period: 12
user.detect_password_changes: true                                  
#  - add_host_metadata: ~                                           #Commented out
#  - add_cloud_metadata: ~                                          #Commented out
1 Like

Okay, If I want to use for Linux, I just need to modify the Paths?

Most likely. There is all sorts of docs over at Elasticsearch on Auditbeat to set the parameters you want… make sure you look at the right elasticsearch version since Graylog does not use the most recent version of Elasticseach.

I would link you to it but @macko003 prefers that the community do a little more googling… :crazy_face:

1 Like


Yes, it is my fault. Or I’m too lazy to do other’s work. Most when the registration and the post creation need more time then googling. (Not in this case)

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.