CentOS 7

Elastic Stack 6 : Install Auditbeat
2018/02/12
 
Install Auditbeat, which collects Linux audit (auditd) events and ships them to Elasticsearch.
[1] Install Auditbeat. Configure the Elasticsearch repository beforehand.
[root@dlp ~]#
yum -y install auditbeat
[2] Configure basic settings and start Auditbeat.
[root@dlp ~]#
vi /etc/auditbeat/auditbeat.yml

- module: auditd
  audit_rules: |
    ## Define audit rules here.
    ## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
    ## examples or add your own rules.

    ## If you are on a 64 bit platform, everything should be running
    ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
    ## because this might be a sign of someone exploiting a hole in the 32
    ## bit API.
    #-a always,exit -F arch=b32 -S all -F key=32bit-abi

    ## Executions.
    #-a always,exit -F arch=b64 -S execve,execveat -k exec

    ## External access (warning: these can be expensive to audit).
    #-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access

    ## Identity changes.
    #-w /etc/group -p wa -k identity
    #-w /etc/passwd -p wa -k identity
    #-w /etc/gshadow -p wa -k identity

.....
.....

# line 88: if using Kibana, uncomment and specify the Kibana host

# if SSL is enabled on Kibana, the hostname here must match the hostname in the certificate

setup.kibana:
.....
  host: "https://dlp.srv.world:5601"

# line 114: specify output host

# the default is the local Elasticsearch instance

# if output to Logstash, comment out Elasticsearch and uncomment logstash lines

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["localhost:9200"]

.....
.....

#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]

[root@dlp ~]#
vi /etc/auditbeat/auditbeat.reference.yml
# line 34: basic settings for the auditd module (the reference file documents every option with its default; Auditbeat reads only auditbeat.yml, so any setting you change must be placed there)

- module: auditd
  resolve_ids: true
  failure_mode: silent
  backlog_limit: 8196
  rate_limit: 0
  include_raw_message: false
  include_warnings: false
  audit_rules: |

.....
.....

[root@dlp ~]#
systemctl start auditbeat

[root@dlp ~]#
systemctl enable auditbeat
[3] Verify that data is being collected.
# list indices

[root@dlp ~]#
curl localhost:9200/_cat/indices?v

health status index                       uuid     pri rep docs.count docs.deleted store.size pri.store.size
yellow open   filebeat-6.2.1-2018.02.14   uzqg8...   3   1      30107            0        4mb            4mb
yellow open   sshd_fail-2018.02           ghhQe...   5   1         69            0    265.9kb        265.9kb
yellow open   packetbeat-6.2.1-2018.02.14 -O8vG...   3   1       8182            0      2.1mb          2.1mb
green  open   .kibana                     sV0Ds...   1   0        412            0    497.1kb        497.1kb
yellow open   auditbeat-6.2.1-2018.02.14  aECFl...   3   1       1384            0    734.7kb        734.7kb
yellow open   test_index                  CIPjY...   5   1          1            0        6kb            6kb
yellow open   heartbeat-6.2.1-2018.02.14  29OqT...   1   1        206            0    126.6kb        126.6kb
yellow open   metricbeat-6.2.1-2018.02.14 OhrZT...   1   1      32561            0      5.9mb          5.9mb

# list documents in the auditbeat index

[root@dlp ~]#
curl localhost:9200/auditbeat-6.2.1-2018.02.14/_search?pretty

{
  "took" : 4,
  "timed_out" : false,
  "_shards" : {
    "total" : 3,
    "successful" : 3,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : 1384,
    "max_score" : 1.0,
    "hits" : [
      {
        "_index" : "auditbeat-6.2.1-2018.02.14",
        "_type" : "doc",
.....
.....
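As a check for step [3] (an added example, not part of the original page), a small Python script that parses the `_cat/indices?v` listing to confirm the auditbeat index holds documents, and summarizes a `_search` response per audit rule key so you can see which of the rules from auditbeat.yml are actually producing events. Both inputs are constructed samples; the document field names (tags, event.action, auditd.result, auditd.summary) are assumed to follow the Auditbeat 6.x auditd-module layout.

```python
import json
from collections import Counter

# Constructed sample of a `_cat/indices?v` listing, shaped like the one in step [3].
CAT_INDICES = """\
health status index                       uuid     pri rep docs.count docs.deleted store.size pri.store.size
yellow open   filebeat-6.2.1-2018.02.14   uzqg8...   3   1      30107            0        4mb            4mb
yellow open   auditbeat-6.2.1-2018.02.14  aECFl...   3   1       1384            0    734.7kb        734.7kb
"""

def auditbeat_indices(cat_output):
    """Parse `_cat/indices?v` text; return {index: docs.count} for auditbeat-* indices."""
    lines = cat_output.strip().splitlines()
    header = lines[0].split()
    idx_col, docs_col = header.index("index"), header.index("docs.count")
    result = {}
    for line in lines[1:]:
        cols = line.split()
        if cols[idx_col].startswith("auditbeat-"):
            result[cols[idx_col]] = int(cols[docs_col])
    return result

# Constructed sample `_search` response; field names assumed to match Auditbeat 6.x
# auditd documents (tags carry the rule key "-k", event.action the decoded syscall).
SEARCH_RESPONSE = json.loads("""
{"hits": {"total": 3, "hits": [
 {"_source": {"tags": ["identity"], "event": {"action": "opened-file"}, "auditd": {"result": "success", "summary": {"object": {"primary": "/etc/passwd"}, "actor": {"primary": "root"}}}}},
 {"_source": {"tags": ["exec"], "event": {"action": "executed"}, "auditd": {"result": "success", "summary": {"object": {"primary": "/usr/bin/id"}, "actor": {"primary": "root"}}}}},
 {"_source": {"tags": ["identity"], "event": {"action": "opened-file"}, "auditd": {"result": "fail", "summary": {"object": {"primary": "/etc/gshadow"}, "actor": {"primary": "alice"}}}}}
]}}
""")

def summarize_by_key(search_response):
    """Count hits per (rule key, action, result) so each audit rule's activity is visible."""
    counts = Counter()
    for hit in search_response["hits"]["hits"]:
        src = hit["_source"]
        for key in src.get("tags", []):
            counts[(key, src["event"]["action"], src["auditd"]["result"])] += 1
    return counts

def failed_access(search_response, key="identity"):
    """Return (actor, object) pairs for failed accesses recorded under the given rule key."""
    out = []
    for hit in search_response["hits"]["hits"]:
        src = hit["_source"]
        if key in src.get("tags", []) and src["auditd"]["result"] == "fail":
            s = src["auditd"]["summary"]
            out.append((s["actor"]["primary"], s["object"]["primary"]))
    return out
```

Against a live cluster, feed the script the output of the two curl commands above (the `_search` call with a larger `size` parameter) instead of the constructed samples.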
[4] If Kibana is running, you can load the sample dashboards for Auditbeat data.
[root@dlp ~]#
auditbeat setup --dashboards

Loaded dashboards