Auditbeat Configuration

Configuration

This is a example configuration for Auditbeat. You can use it as a starting point to further define which data you want to gather.

Please be aware of the fact that more data needs more storage space and that you might need to order additional space or bigger instances.

The following configuration file does not need to be adjusted with username and password:

auditbeat.modules:

- module: file_integrity
  enabled: true
  paths:
    - C:/Windows
    - C:/Windows/system32
    - C:/Program Files
    - C:/Program Files (x86)
    - C:/ProgramData
      scan_at_startup: true

output.elasticsearch:
hosts: ["Insights URL"]
protocol: "HTTP"
username: "Authentication Name"
password: "Authentication PW"
index: "auditbeat"
xpack.enabled: false
bulk_max_size: 800
worker: 2
compression_level: 9

setup.ilm.enabled: false
setup.ilm.check_exists: false
setup.dashboards.enabled: false
setup.template.enabled: false
setup.template.overwrite: false

processors:
- add_host_metadata: ~
- add_cloud_metadata: ~
- add_docker_metadata: ~
- add_kubernetes_metadata: ~

You need to adjust username and password during group adjustment or when you add the application to a group. Refer to example below:

Screenshot