As its name suggests, auditd is a service that audits activities in a Linux environment. It’s available for most major Linux distributions.
This page gives instructions for replacing auditd with Auditbeat so you can easily ship your audit logs to Logz.io.
Configuration
Before you begin, you’ll need: auditd, root access
Download the Logz.io certificate
For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.
sudo wget https://raw.githubusercontent.com/logzio/public-certificates/master/COMODORSADomainValidationSecureServerCA.crt -P /etc/pki/tls/certs/
Install Auditbeat
Download and install Auditbeat 6.8.
Copy auditd rules
You need root privileges to interact with the auditd rules file.
Create a new audit.rules file to hold your audit rules for Auditbeat:
sudo touch /etc/auditbeat/audit.rules.d/audit.rules
Copy the auditd rules to your newly created Auditbeat rules file:
sudo su
cat /etc/audit/rules.d/audit.rules > /etc/auditbeat/audit.rules.d/audit.rules
exit
Add auditd as a source input
Open the Auditbeat configuration file (/etc/auditbeat/auditbeat.yml).
Paste this code block at the top of the file.
Replace <<SHIPPING-TOKEN>> with the token of the account you want to ship to.
# ...
fields:
  type: auditd
  logzio_codec: json
  token: <<SHIPPING-TOKEN>>
fields_under_root: true
processors:
- rename:
    fields:
    - from: "agent"
      to: "beat_agent"
    ignore_missing: true
- rename:
    fields:
    - from: "log.file.path"
      to: "source_auditd"
    ignore_missing: true
Configure Auditbeat to use the new rules file
In the auditbeat.modules object, find the auditd module.
Replace the audit_rule_files array with this:
audit_rule_files: [ '/etc/auditbeat/audit.rules.d/audit.rules' ]
Set Logz.io as the output
Remove the output section in the configuration, and replace it with this code block.
Replace <<LISTENER-HOST>> with your region’s listener host (for example, listener.logz.io). For more information on finding your account’s region, see Account region.
# ...
output.logstash:
  hosts: ["<<LISTENER-HOST>>:5015"]
  ssl:
    certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']
Start Auditbeat
Stop auditd, and then start Auditbeat. Only one process can read from the kernel’s unicast audit socket, so Auditbeat will not receive events while auditd is still running.
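Before stopping auditd, a short pre-flight script can catch the usual mistakes in the steps above: a placeholder left in auditbeat.yml, an empty or missing rules file, the audit_rule_files entry not updated, or the CA certificate absent. This is an added example, not part of the Logz.io docs; the file paths are the ones used on this page, and it assumes pgrep is available.

```shell
#!/bin/sh
# Pre-flight checks for the auditd-to-Auditbeat setup described on this page.
# Added example, not from the Logz.io docs. Paths are the ones the page uses.

CA_CERT=/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt
AUDITD_RULES=/etc/audit/rules.d/audit.rules
BEAT_RULES=/etc/auditbeat/audit.rules.d/audit.rules
BEAT_CONFIG=/etc/auditbeat/auditbeat.yml

# 1. No <<SHIPPING-TOKEN>> / <<LISTENER-HOST>> placeholder may remain in $1.
no_placeholders_left() {
  ! grep -q '<<[A-Z-]*>>' "$1"
}

# 2. The Auditbeat rules file $2 must be non-empty and identical to the
#    auditd rules $1; an empty file means Auditbeat loads no rules at all.
rules_copied() {
  [ -s "$2" ] && cmp -s "$1" "$2"
}

# 3. audit_rule_files in config $1 must point at the copied rules file $2
#    (either quote style accepted).
config_uses_rules_file() {
  grep -Eq "audit_rule_files:[[:space:]]*\[[[:space:]]*['\"]$2['\"][[:space:]]*\]" "$1"
}

# 4. Output in config $1 must be Logstash over TLS to port 5015 with CA $2.
output_configured() {
  grep -q '^output.logstash:' "$1" \
    && grep -Eq "hosts:[[:space:]]*\[\"[^\"<>]+:5015\"\]" "$1" \
    && grep -q "certificate_authorities:.*$2" "$1"
}

# 5. Only one process can own the kernel's unicast audit socket, so auditd
#    must not be running when Auditbeat starts.
auditd_stopped() {
  ! pgrep -x auditd >/dev/null 2>&1
}

preflight() {
  no_placeholders_left "$BEAT_CONFIG" || { echo "placeholders left in $BEAT_CONFIG"; return 1; }
  rules_copied "$AUDITD_RULES" "$BEAT_RULES" || { echo "rules not copied to $BEAT_RULES"; return 1; }
  config_uses_rules_file "$BEAT_CONFIG" "$BEAT_RULES" || { echo "audit_rule_files not set"; return 1; }
  output_configured "$BEAT_CONFIG" "$CA_CERT" || { echo "Logz.io output not configured"; return 1; }
  [ -r "$CA_CERT" ] || { echo "CA certificate missing: $CA_CERT"; return 1; }
  auditd_stopped || { echo "auditd is still running; stop it first"; return 1; }
  echo "pre-flight OK: safe to start Auditbeat"
}
```

Run `preflight` as root after completing the steps above; each check is a separate function so a failing one can be re-run on its own.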
Check Logz.io for your logs
Give your logs some time to get from your system to ours, and then open Kibana.
If you still don’t see your logs, see log shipping troubleshooting.