Update auditbeat config for the latest stable release
Change-Id: I468992009f562ca7d48fb88aab41edb552e23831 Signed-off-by: Kevin Carter <kevin@cloudnull.com>
parent
c74eed3845
commit
280ff11746
@ -44,6 +44,9 @@ auditbeat.modules:
|
|||||||
include_warnings: true
|
include_warnings: true
|
||||||
|
|
||||||
{% if not apply_security_hardening | default(true) | bool %}
|
{% if not apply_security_hardening | default(true) | bool %}
|
||||||
|
audit_rule_files:
|
||||||
|
- '${path.config}/audit.rules.d/*.conf'
|
||||||
|
- '/etc/audit/rules.d/*.rules'
|
||||||
audit_rules: |
|
audit_rules: |
|
||||||
## Define audit rules here.
|
## Define audit rules here.
|
||||||
## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
|
## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
|
||||||
@ -127,6 +130,32 @@ auditbeat.modules:
|
|||||||
# Detect changes to files included in subdirectories. Disabled by default.
|
# Detect changes to files included in subdirectories. Disabled by default.
|
||||||
recursive: true
|
recursive: true
|
||||||
|
|
||||||
|
# The system module collects security related information about a host.
|
||||||
|
# All datasets send both periodic state information (e.g. all currently
|
||||||
|
# running processes) and real-time changes (e.g. when a new process starts
|
||||||
|
# or stops).
|
||||||
|
- module: system
|
||||||
|
datasets:
|
||||||
|
- host # General host information, e.g. uptime, IPs
|
||||||
|
- process # Started and stopped processes
|
||||||
|
- socket # Opened and closed sockets
|
||||||
|
- user # User information
|
||||||
|
|
||||||
|
# How often datasets send state updates with the
|
||||||
|
# current state of the system (e.g. all currently
|
||||||
|
# running processes, all open sockets).
|
||||||
|
state.period: 12h
|
||||||
|
|
||||||
|
# The state.period can be overridden for any dataset.
|
||||||
|
# host.state.period: 12h
|
||||||
|
# process.state.period: 12h
|
||||||
|
# socket.state.period: 12h
|
||||||
|
# user.state.period: 12h
|
||||||
|
|
||||||
|
# Enabled by default. Auditbeat will read password fields in
|
||||||
|
# /etc/passwd and /etc/shadow and store a hash locally to
|
||||||
|
# detect any changes.
|
||||||
|
user.detect_password_changes: true
|
||||||
|
|
||||||
#================================ General ======================================
|
#================================ General ======================================
|
||||||
|
|
||||||
@ -172,6 +201,66 @@ auditbeat.modules:
|
|||||||
# if the number of events stored in the queue is < min_flush_events.
|
# if the number of events stored in the queue is < min_flush_events.
|
||||||
#flush.timeout: 1s
|
#flush.timeout: 1s
|
||||||
|
|
||||||
|
# The spool queue will store events in a local spool file, before
|
||||||
|
# forwarding the events to the outputs.
|
||||||
|
#
|
||||||
|
# Beta: spooling to disk is currently a beta feature. Use with care.
|
||||||
|
#
|
||||||
|
# The spool file is a circular buffer, which blocks once the file/buffer is full.
|
||||||
|
# Events are put into a write buffer and flushed once the write buffer
|
||||||
|
# is full or the flush_timeout is triggered.
|
||||||
|
# Once ACKed by the output, events are removed immediately from the queue,
|
||||||
|
# making space for new events to be persisted.
|
||||||
|
#spool:
|
||||||
|
# The file namespace configures the file path and the file creation settings.
|
||||||
|
# Once the file exists, the `size`, `page_size` and `prealloc` settings
|
||||||
|
# will have no more effect.
|
||||||
|
#file:
|
||||||
|
# Location of spool file. The default value is ${path.data}/spool.dat.
|
||||||
|
#path: "${path.data}/spool.dat"
|
||||||
|
|
||||||
|
# Configure file permissions if file is created. The default value is 0600.
|
||||||
|
#permissions: 0600
|
||||||
|
|
||||||
|
# File size hint. The spool blocks, once this limit is reached. The default value is 100 MiB.
|
||||||
|
#size: 100MiB
|
||||||
|
|
||||||
|
# The files page size. A file is split into multiple pages of the same size. The default value is 4KiB.
|
||||||
|
#page_size: 4KiB
|
||||||
|
|
||||||
|
# If prealloc is set, the required space for the file is reserved using
|
||||||
|
# truncate. The default value is true.
|
||||||
|
#prealloc: true
|
||||||
|
|
||||||
|
# Spool writer settings
|
||||||
|
# Events are serialized into a write buffer. The write buffer is flushed if:
|
||||||
|
# - The buffer limit has been reached.
|
||||||
|
# - The configured limit of buffered events is reached.
|
||||||
|
# - The flush timeout is triggered.
|
||||||
|
#write:
|
||||||
|
# Sets the write buffer size.
|
||||||
|
#buffer_size: 1MiB
|
||||||
|
|
||||||
|
# Maximum duration after which events are flushed, if the write buffer
|
||||||
|
# is not full yet. The default value is 1s.
|
||||||
|
#flush.timeout: 1s
|
||||||
|
|
||||||
|
# Number of maximum buffered events. The write buffer is flushed once the
|
||||||
|
# limit is reached.
|
||||||
|
#flush.events: 16384
|
||||||
|
|
||||||
|
# Configure the on-disk event encoding. The encoding can be changed
|
||||||
|
# between restarts.
|
||||||
|
# Valid encodings are: json, ubjson, and cbor.
|
||||||
|
#codec: cbor
|
||||||
|
#read:
|
||||||
|
# Reader flush timeout, waiting for more events to become available, so
|
||||||
|
# to fill a complete batch, as required by the outputs.
|
||||||
|
# If flush_timeout is 0, all available events are forwarded to the
|
||||||
|
# outputs immediately.
|
||||||
|
# The default value is 0s.
|
||||||
|
#flush.timeout: 0s
|
||||||
|
|
||||||
# Sets the maximum number of CPUs that can be executing simultaneously. The
|
# Sets the maximum number of CPUs that can be executing simultaneously. The
|
||||||
# default is the number of logical CPUs available in the system.
|
# default is the number of logical CPUs available in the system.
|
||||||
#max_procs:
|
#max_procs:
|
||||||
@ -185,8 +274,8 @@ auditbeat.modules:
|
|||||||
#
|
#
|
||||||
# event -> filter1 -> event1 -> filter2 ->event2 ...
|
# event -> filter1 -> event1 -> filter2 ->event2 ...
|
||||||
#
|
#
|
||||||
# The supported processors are drop_fields, drop_event, include_fields, and
|
# The supported processors are drop_fields, drop_event, include_fields,
|
||||||
# add_cloud_metadata.
|
# decode_json_fields, and add_cloud_metadata.
|
||||||
#
|
#
|
||||||
# For example, you can use the following processors to keep the fields that
|
# For example, you can use the following processors to keep the fields that
|
||||||
# contain CPU load percentages, but remove the fields that contain CPU ticks
|
# contain CPU load percentages, but remove the fields that contain CPU ticks
|
||||||
@ -206,6 +295,22 @@ auditbeat.modules:
|
|||||||
# equals:
|
# equals:
|
||||||
# http.code: 200
|
# http.code: 200
|
||||||
#
|
#
|
||||||
|
# The following example renames the field a to b:
|
||||||
|
#
|
||||||
|
#processors:
|
||||||
|
#- rename:
|
||||||
|
# fields:
|
||||||
|
# - from: "a"
|
||||||
|
# to: "b"
|
||||||
|
#
|
||||||
|
# The following example tokenizes the string into fields:
|
||||||
|
#
|
||||||
|
#processors:
|
||||||
|
#- dissect:
|
||||||
|
# tokenizer: "%{key1} - %{key2}"
|
||||||
|
# field: "message"
|
||||||
|
# target_prefix: "dissect"
|
||||||
|
#
|
||||||
# The following example enriches each event with metadata from the cloud
|
# The following example enriches each event with metadata from the cloud
|
||||||
# provider about the host machine. It works on EC2, GCE, DigitalOcean,
|
# provider about the host machine. It works on EC2, GCE, DigitalOcean,
|
||||||
# Tencent Cloud, and Alibaba Cloud.
|
# Tencent Cloud, and Alibaba Cloud.
|
||||||
@ -232,6 +337,7 @@ auditbeat.modules:
|
|||||||
# match_source_index: 4
|
# match_source_index: 4
|
||||||
# match_short_id: false
|
# match_short_id: false
|
||||||
# cleanup_timeout: 60
|
# cleanup_timeout: 60
|
||||||
|
# labels.dedot: false
|
||||||
# # To connect to Docker over TLS you must specify a client and CA certificate.
|
# # To connect to Docker over TLS you must specify a client and CA certificate.
|
||||||
# #ssl:
|
# #ssl:
|
||||||
# # certificate_authority: "/etc/pki/root/ca.pem"
|
# # certificate_authority: "/etc/pki/root/ca.pem"
|
||||||
@ -244,6 +350,31 @@ auditbeat.modules:
|
|||||||
#
|
#
|
||||||
#processors:
|
#processors:
|
||||||
#- add_docker_metadata: ~
|
#- add_docker_metadata: ~
|
||||||
|
#
|
||||||
|
# The following example enriches each event with host metadata.
|
||||||
|
#
|
||||||
|
#processors:
|
||||||
|
#- add_host_metadata:
|
||||||
|
# netinfo.enabled: false
|
||||||
|
#
|
||||||
|
# The following example enriches each event with process metadata using
|
||||||
|
# process IDs included in the event.
|
||||||
|
#
|
||||||
|
#processors:
|
||||||
|
#- add_process_metadata:
|
||||||
|
# match_pids: ["system.process.ppid"]
|
||||||
|
# target: system.process.parent
|
||||||
|
#
|
||||||
|
# The following example decodes fields containing JSON strings
|
||||||
|
# and replaces the strings with valid JSON objects.
|
||||||
|
#
|
||||||
|
#processors:
|
||||||
|
#- decode_json_fields:
|
||||||
|
# fields: ["field1", "field2", ...]
|
||||||
|
# process_array: false
|
||||||
|
# max_depth: 1
|
||||||
|
# target: ""
|
||||||
|
# overwrite_keys: false
|
||||||
processors:
|
processors:
|
||||||
- add_host_metadata: ~
|
- add_host_metadata: ~
|
||||||
|
|
||||||
@ -603,6 +734,14 @@ processors:
|
|||||||
# Boolean flag to enable or disable the output module.
|
# Boolean flag to enable or disable the output module.
|
||||||
#enabled: true
|
#enabled: true
|
||||||
|
|
||||||
|
# Configure JSON encoding
|
||||||
|
#codec.json:
|
||||||
|
# Pretty print json event
|
||||||
|
#pretty: false
|
||||||
|
|
||||||
|
# Configure escaping html symbols in strings.
|
||||||
|
#escape_html: true
|
||||||
|
|
||||||
# Path to the directory where to save the generated files. The option is
|
# Path to the directory where to save the generated files. The option is
|
||||||
# mandatory.
|
# mandatory.
|
||||||
#path: "/tmp/auditbeat"
|
#path: "/tmp/auditbeat"
|
||||||
@ -630,8 +769,13 @@ processors:
|
|||||||
# Boolean flag to enable or disable the output module.
|
# Boolean flag to enable or disable the output module.
|
||||||
#enabled: true
|
#enabled: true
|
||||||
|
|
||||||
# Pretty print json event
|
# Configure JSON encoding
|
||||||
#pretty: false
|
#codec.json:
|
||||||
|
# Pretty print json event
|
||||||
|
#pretty: false
|
||||||
|
|
||||||
|
# Configure escaping html symbols in strings.
|
||||||
|
#escape_html: true
|
||||||
|
|
||||||
#================================= Paths ======================================
|
#================================= Paths ======================================
|
||||||
|
|
||||||
@ -659,6 +803,10 @@ processors:
|
|||||||
# the default for the logs path is a logs subdirectory inside the home path.
|
# the default for the logs path is a logs subdirectory inside the home path.
|
||||||
#path.logs: ${path.home}/logs
|
#path.logs: ${path.home}/logs
|
||||||
|
|
||||||
|
#================================ Keystore ==========================================
|
||||||
|
# Location of the Keystore containing the keys and their sensitive values.
|
||||||
|
#keystore.path: "${path.config}/beats.keystore"
|
||||||
|
|
||||||
#============================== Dashboards =====================================
|
#============================== Dashboards =====================================
|
||||||
{{ elk_macros.setup_dashboards('auditbeat') }}
|
{{ elk_macros.setup_dashboards('auditbeat') }}
|
||||||
|
|
||||||
@ -690,3 +838,8 @@ processors:
|
|||||||
|
|
||||||
# Port on which the HTTP endpoint will bind. Default is 5066.
|
# Port on which the HTTP endpoint will bind. Default is 5066.
|
||||||
#http.port: 5066
|
#http.port: 5066
|
||||||
|
|
||||||
|
#============================= Process Security ================================
|
||||||
|
|
||||||
|
# Enable or disable seccomp system call filtering on Linux. Default is enabled.
|
||||||
|
#seccomp.enabled: true
|
||||||
|
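Review bot: `user.detect_password_changes: true` in the new `system` module block makes auditbeat read `/etc/passwd` and `/etc/shadow` and, per the adjacent comment, store a hash locally (presumably under `path.data`), so the template should say that the process must run with the privileges to read the shadow file and that the data directory must stay readable by the auditbeat user only; a comment such as `# Requires read access to /etc/shadow; the stored hashes live in the data directory, keep its permissions owner-only.` above the key would cover it. The `socket` dataset is enabled alongside `host`, `process` and `user` with no comment, and it tends to be the highest-volume of the four on busy hosts, so a one-line note stating that this is intentional (or commenting it out by default like the per-dataset `state.period` examples) would help operators. In the first hunk the new `audit_rule_files` list sits directly after `{% if not apply_security_hardening | default(true) | bool %}`, and since the matching `{% endif %}` is outside the hunk it is not visible whether loading `/etc/audit/rules.d/*.rules` is gated by that flag; a short comment above `audit_rule_files:` stating which case it applies to would remove the ambiguity.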