youtubebeat/vendor/github.com/elastic/beats/auditbeat/docs/auditbeat-modules-config.asciidoc

32 lines
847 B
Text
Raw Normal View History

2018-11-18 11:08:38 +01:00
[id="configuration-{beatname_lc}"]
== Specify which modules to run
To enable specific modules you add entries to the `auditbeat.modules` list in
the +{beatname_lc}.yml+ config file. Each entry in the list begins with a dash
(-) and is followed by settings for that module.
The following example shows a configuration that runs the `auditd` and
`file_integrity` moduled.
[source,yaml]
----
auditbeat.modules:
- module: auditd
audit_rules: |
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
- module: file_integrity
paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc
----
The configuration details vary by module. See the
<<{beatname_lc}-modules,module documentation>> for more detail about configuring
the available modules.