# Auditbeat
## Ship audit information from Kubernetes to Elasticsearch
### Kubernetes DaemonSet
By deploying Auditbeat as a [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/)
we ensure that one Auditbeat pod runs on every node of the cluster, so audit data is
collected from each node. Keep in mind that a DaemonSet only schedules onto nodes the
pod can tolerate: nodes carrying taints (control-plane nodes, for example) need matching
tolerations in the pod spec, or they will not be audited.
Everything is deployed in the `kube-system` namespace; to change that, update the
YAML manifests in this folder.
### Settings
We use the official [Beats Docker images](https://github.com/elastic/beats-docker),
which allow the configuration to be supplied from external files. A
[ConfigMap](https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/)
holds the Kubernetes-specific settings; check [auditbeat-configmap.yaml](auditbeat-configmap.yaml)
for details.
In addition, [auditbeat-daemonset.yaml](auditbeat-daemonset.yaml) uses a set of
environment variables to configure the Elasticsearch output:
Variable | Default | Description
-------- | ------- | -----------
ELASTICSEARCH_HOST | elasticsearch | Elasticsearch host
ELASTICSEARCH_PORT | 9200 | Elasticsearch port
ELASTICSEARCH_USERNAME | elastic | Elasticsearch username for HTTP auth
ELASTICSEARCH_PASSWORD | changeme | Elasticsearch password for HTTP auth (change it before deploying)
If an `elasticsearch` service already exists in the cluster, these defaults will
point Auditbeat at it. The default credentials (`elastic` / `changeme`) are only
suitable for a test setup; replace them before deploying to a real cluster, and
prefer sourcing them from a Kubernetes Secret rather than a literal value in the
manifest.
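The following manifest is an added example, not the repository's own `auditbeat-daemonset.yaml`. It shows the weak form (a literal `changeme` password in the pod spec, shown commented out) next to the hardened form, where `ELASTICSEARCH_USERNAME` and `ELASTICSEARCH_PASSWORD` are read from a Kubernetes Secret via `secretKeyRef`, while the non-secret host and port keep the defaults from the table above. The Secret name `auditbeat-elasticsearch`, its key names, the labels and the image tag are assumptions; the repository's manifest carries the remaining settings (the ConfigMap mount and so on), which are left out here to keep the focus on the environment block.

```yaml
# Added example, not the repository's own manifest.
# Assumptions: the Secret name "auditbeat-elasticsearch" and its keys,
# the "k8s-app: auditbeat" labels, and the image tag. Adjust to your cluster.
apiVersion: v1
kind: Secret
metadata:
  name: auditbeat-elasticsearch
  namespace: kube-system
type: Opaque
stringData:
  username: elastic
  password: REPLACE_ME            # never keep the "changeme" default
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: auditbeat
  namespace: kube-system
spec:
  selector:
    matchLabels:
      k8s-app: auditbeat
  template:
    metadata:
      labels:
        k8s-app: auditbeat
    spec:
      containers:
      - name: auditbeat
        image: docker.elastic.co/beats/auditbeat:8.12.0   # tag is an assumption
        env:
        # Host and port are not secret; literal values matching the
        # documented defaults are fine here.
        - name: ELASTICSEARCH_HOST
          value: elasticsearch
        - name: ELASTICSEARCH_PORT
          value: "9200"
        # Weak form: a literal credential in the manifest ends up in git,
        # in `kubectl get ds -o yaml`, and in every copy of the spec.
        #   - name: ELASTICSEARCH_PASSWORD
        #     value: changeme
        # Hardened form: pull both credentials from the Secret above.
        - name: ELASTICSEARCH_USERNAME
          valueFrom:
            secretKeyRef:
              name: auditbeat-elasticsearch
              key: username
        - name: ELASTICSEARCH_PASSWORD
          valueFrom:
            secretKeyRef:
              name: auditbeat-elasticsearch
              key: password
```

Apply it with `kubectl -n kube-system apply -f <file>`; the Secret must exist before the pods start, otherwise the container stays in `CreateContainerConfigError` until it does. Keeping the credential in a Secret also means rotating it is a matter of updating the Secret and restarting the DaemonSet, with no change to the checked-in manifest.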