Auditbeat sidecar config template

Hello,
Can anyone help me write a sidecar config template for Auditbeat (Windows)?
The binaries are installed in C:\Program Files\Auditbeat
The sidecar is installed in C:\Program Files\graylog\sidecar
I can't get it to work; the config fails.
Also, if you can, provide a link with a better explanation of how to write this template.
I have Winlogbeat running perfectly with the config file provided by the sidecar.
I would appreciate it.
jc


Nothing??
A mute community?

Hey @juanquy,

I guess that nobody who is active in this community has done that before, or is allowed to share their solution.

Jan

Probably you have an error in your auditbeat config file. First check the official documentation:
https://www.elastic.co/guide/en/beats/auditbeat/master/auditbeat-configuration.html
https://www.elastic.co/guide/en/beats/auditbeat/current/configuring-howto-auditbeat.html
https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-modules.html

I checked Google and found this interesting article; hope it helps:

Maybe a misunderstanding: what I need is help understanding how to do a "New Collector Configuration". Is this new config based on the auditbeat yml config file?

Why this?

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

I can't find a page in the manual that explains it.

Probably you didn't read the manual carefully. Did you?
https://docs.graylog.org/en/3.1/pages/sidecar.html#adopt-configuration-to-graylog-3-0
https://docs.graylog.org/en/3.1/pages/sidecar.html#runtime-variables

And this is the failing code:

 # Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
   hosts: ["192.168.1.1:5044"]
auditbeat.modules:
- module: file_integrity
  paths:
  - C:/windows
  - C:/windows/system32
  - C:/Program Files
  - C:/Program Files (x86)
- module: system
  datasets:
- host    # General host information, e.g. uptime, IPs
- process # Started and stopped processes
state.period: 12
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~

regards
jc

  1. Please check the syntax of your generated auditbeat config file using this command:
    auditbeat test config -c PATH_TO_CONFIG_FILE.yml
    https://www.elastic.co/guide/en/beats/auditbeat/current/command-line-options.html#test-command

  2. You included a lot of auditbeat modules. I would probably start with one and, if it works, continue with another. This way you can discover the problem easily.

  3. The paths in your paths parameter contain spaces, but you didn't wrap them in quote marks:
    https://www.elastic.co/guide/en/beats/filebeat/7.4/yaml-tips.html#wrap-paths-in-quotes

Thanks bro, and yes, I did read it, and the manual is still confusing.
I included only 2 modules:

  • module: file_integrity
  • module: system

The file generated by the "New Collector Config" GUI is saved by the sidecar in
C:\Program Files\Graylog\sidecar\generated\beatName.conf
not a yml, so how can I check the syntax?
The other yml I have is the original that came with the Auditbeat install, but I thought the new sidecar only needs the binaries; the sidecar uses the config file we generate in the GUI, right?
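The question above (how to syntax-check a rendered .conf that is not named .yml) is answered by the fact that Auditbeat's `-c` flag takes any file path, so the file the Sidecar wrote under `generated\` can be tested exactly as the Sidecar will load it. The script below is an added example, not code from the thread or from Graylog/Elastic. It assumes Auditbeat is installed in C:\Program Files\Auditbeat, the Sidecar in C:\Program Files\Graylog\sidecar, and that the rendered file is called auditbeat.conf (the Sidecar names it after the collector created in the GUI; adjust the name to match).

```powershell
# Added example, not part of the thread: check the config the Graylog Sidecar rendered
# for Auditbeat, the same way "auditbeat test config" is used for a hand-written yml.
# Assumptions (adjust to your install): Auditbeat lives in C:\Program Files\Auditbeat,
# the Sidecar in C:\Program Files\Graylog\sidecar, and the rendered file is named
# auditbeat.conf (the Sidecar names it after the collector you created in the GUI).

$AuditbeatExe = 'C:\Program Files\Auditbeat\auditbeat.exe'
$SidecarHome  = 'C:\Program Files\Graylog\sidecar'
$Rendered     = Join-Path $SidecarHome 'generated\auditbeat.conf'

if (-not (Test-Path $Rendered)) {
    # Nothing was rendered yet: the collector is not assigned to this sidecar, or the
    # sidecar has not polled the server since the configuration was saved.
    throw "No rendered config at $Rendered"
}

# 1. Any leftover "${...}" means a Sidecar runtime variable (e.g. ${sidecar.nodeName}
#    or a ${user.*} variable) was not resolved; Auditbeat would then read it literally.
$unresolved = Select-String -Path $Rendered -Pattern '\$\{[^}]+\}'
if ($unresolved) {
    $unresolved | ForEach-Object {
        Write-Warning "Unresolved variable at line $($_.LineNumber): $($_.Line.Trim())"
    }
}

# 2. A Windows path with backslashes inside double quotes is read as YAML escape
#    sequences; flag such lines so they can be single-quoted or written with forward slashes.
Select-String -Path $Rendered -Pattern '"[A-Za-z]:\\' | ForEach-Object {
    Write-Warning "Double-quoted backslash path at line $($_.LineNumber): $($_.Line.Trim())"
}

# 3. The extension does not matter to Auditbeat: -c takes any file path, so the .conf
#    file is validated exactly as the sidecar will load it.
& $AuditbeatExe test config -c $Rendered
if ($LASTEXITCODE -ne 0) { throw "auditbeat test config failed (exit code $LASTEXITCODE)" }
'Config OK'

# 4. Optional: confirm the Beats input listed in output.logstash.hosts is reachable.
& $AuditbeatExe test output -c $Rendered
```

Run it from an elevated PowerShell on the host where the Sidecar runs, after the collector has been assigned, so that the rendered file exists and the variables in it have already been substituted by the Sidecar.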

I had wanted to see if I could get this going; a good morning challenge. Here is the working config I modified from the one you posted. Simple troubleshooting: under the sidecar overview, click on the client, then hover your mouse over the failed beat and it will give a comment about what it doesn't like.

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
   hosts: [${user.BeatsInput}]
path:                                                               #missing
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data      #missing
  logs: C:\Program Files\Graylog\sidecar\logs                       #missing
tags:
    - windows                                                       #added
    - auditbeat                                                     #added
auditbeat.modules:
- module: file_integrity
  paths:
  - 'C:/windows'
  - 'C:/windows/system32'
  - 'C:/Program Files'
  - 'C:/Program Files (x86)'
- module: system
  datasets:
    - host      # General host information, e.g. uptime, IPs
    - process   # Started and stopped processes
#   - login                                                         #!!linux only
  state.period: 12h                   # system module option, so indented under the module; duration with a unit (12h is the module default)
  user.detect_password_changes: true  #added (option of the user dataset, which is Linux only)
#processors:                                                        #Commented out
#  - add_host_metadata: ~                                           #Commented out
#  - add_cloud_metadata: ~                                          #Commented out

Thank you for the advice!

click on the client, then hover your mouse over the failed beat and it will give a comment about what it doesn’t like.

So here you are sending the data to the winlogbeat directory; that directory is already created by the sidecar winlogbeat collector. Should I manually create a new directory for Auditbeat?

path:                                                               #missing
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data      #missing
  logs: C:\Program Files\Graylog\sidecar\logs                       #missing

so the path will be more like:

path:
  data: C:\Program Files\Graylog\sidecar\cache\auditbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs

Having a data path that uses auditbeat rather than winlogbeat would technically be correct, but it didn't seem to make a difference... you end up with the same stuff you don't touch existing twice. You don't have to make the directory; the configuration is smart enough to make the new path.

On a side note, others have mentioned that (lack of) indentation can cause issues... and it makes readability better...

