Install and configure insights.XO

To use insights.XO, you need the OSS version of the Beats for OpenSearch on your client.

Elastic's download page lists an OSS version of each Beat at the very bottom, under “Notes”. Alternatively, follow the link below to download Auditbeat:

We also offer PSADT packages for installing the Beats:

  1. Download the Auditbeat Windows zip file from the download page.
  2. Extract the contents of the zip file into C:\Program Files.
  3. Rename the auditbeat-“version”-windows directory to “Auditbeat”.
  4. Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator).
  5. From the PowerShell prompt, run the following commands to install Auditbeat as a Windows service:
PS > cd 'C:\Program Files\Auditbeat'
PS C:\Program Files\Auditbeat> .\install-service-auditbeat.ps1

Example Configuration

The configuration file, e.g. for Auditbeat, needs to contain the OpenSearch URL you created and your authentication credentials.

This is a basic configuration for Auditbeat. Place it in the “auditbeat.yml” file in the installation folder.
Events are generated when a file changes in one of the specified paths:

  • C:/windows
  • C:/windows/system32
  • C:/Program Files
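  • C:/Program Files (x86)

auditbeat.modules:
- module: file_integrity
  # Directories to watch. The module's "recursive" option is off by default,
  # so only files directly inside each listed directory generate events.
  paths:
  - C:/windows
  - C:/windows/system32
  - C:/Program Files
  - C:/Program Files (x86)

output.elasticsearch:
  # Replace the quoted placeholders with your Insights URL and credentials.
  hosts: ["Insights URL"]
  # With plain HTTP the username and password cross the network unencrypted.
  protocol: "HTTP"
  username: "Authentication Name"
  password: "Authentication PW"
  xpack.enabled: false
setup.ilm.enabled: false

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~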
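
The configuration above keeps the output password in plain text inside auditbeat.yml. The following PowerShell is an added example, not part of the original guide, that moves it into the Beats keystore and validates the result before starting the service. The key name INSIGHTS_PW is an assumption, and the script expects the password line to already read password: "${INSIGHTS_PW}".

```powershell
# Added example: keep the output password in the Beats keystore, not in auditbeat.yml.
# Run from an elevated PowerShell prompt after the service has been installed.
$beatHome = 'C:\Program Files\Auditbeat'   # install folder from the steps above
$keyName  = 'INSIGHTS_PW'                  # assumed key name, pick your own
$ref      = '${' + $keyName + '}'          # how auditbeat.yml refers to the secret
Set-Location $beatHome

# auditbeat.yml must already read:  password: "${INSIGHTS_PW}"
if (-not (Select-String -Path .\auditbeat.yml -SimpleMatch $ref -Quiet)) {
    throw "Replace the plain-text password in auditbeat.yml with $ref first."
}

# The service loads its keystore from --path.data, so reuse the value the
# install script registered; otherwise fall back to the default data folder.
$svc = Get-CimInstance Win32_Service -Filter "Name='auditbeat'"
if (-not $svc) { throw 'Service "auditbeat" not found; run install-service-auditbeat.ps1.' }
if ($svc.PathName -match '--path\.data\s+"([^"]+)"') {
    $dataPath = $Matches[1]
} else {
    $dataPath = Join-Path $beatHome 'data'
}

# Create the keystore once. "keystore add" prompts for the value, so the
# password does not end up in auditbeat.yml or in the shell history.
if (-not (Test-Path (Join-Path $dataPath 'auditbeat.keystore'))) {
    & .\auditbeat.exe keystore create --path.data $dataPath
}
& .\auditbeat.exe keystore add $keyName --path.data $dataPath
if ($LASTEXITCODE -ne 0) { throw 'Could not store the secret in the keystore.' }

# Validate the file, then check the connection and login against the output.
& .\auditbeat.exe test config -c .\auditbeat.yml --path.data $dataPath
if ($LASTEXITCODE -ne 0) { throw 'auditbeat.yml failed validation.' }
& .\auditbeat.exe test output -c .\auditbeat.yml --path.data $dataPath
if ($LASTEXITCODE -ne 0) { throw 'Output test failed: check URL, user and secret.' }

Restart-Service auditbeat   # also starts the service if it was stopped
```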

To learn more about configuring the Beats in general, follow the links below: