32 lines
847 B
Text
32 lines
847 B
Text
|
[id="configuration-{beatname_lc}"]
|
||
|
== Specify which modules to run
|
||
|
|
||
|
To enable specific modules you add entries to the `auditbeat.modules` list in
|
||
|
the +{beatname_lc}.yml+ config file. Each entry in the list begins with a dash
|
||
|
(-) and is followed by settings for that module.
|
||
|
|
||
|
The following example shows a configuration that runs the `auditd` and
|
||
|
`file_integrity` moduled.
|
||
|
|
||
|
[source,yaml]
|
||
|
----
|
||
|
auditbeat.modules:
|
||
|
|
||
|
- module: auditd
|
||
|
audit_rules: |
|
||
|
-w /etc/passwd -p wa -k identity
|
||
|
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
|
||
|
|
||
|
- module: file_integrity
|
||
|
paths:
|
||
|
- /bin
|
||
|
- /usr/bin
|
||
|
- /sbin
|
||
|
- /usr/sbin
|
||
|
- /etc
|
||
|
----
|
||
|
|
||
|
The configuration details vary by module. See the
|
||
|
<<{beatname_lc}-modules,module documentation>> for more detail about configuring
|
||
|
the available modules.
|