Lab 4.2: Auditbeat with Logstash - squatchulator/Tech-Journal GitHub Wiki

Lab 4.2 - Auditbeat with Logstash

Auditbeat is another Elastic Beat: a lightweight shipper that you install on your servers to audit the activities of users and processes on your Linux systems. You can also use Auditbeat to detect changes to critical files, like binaries and configuration files, and to identify potential security policy violations. For this lab, instead of having Auditbeat output directly to Elasticsearch, you will configure it to output to Logstash, which will then send the events on to Elasticsearch.

Setup

  • To have Logstash read our config on startup, it needs to be copied into the /etc/logstash/conf.d directory.
sudo cp /usr/share/logstash/first-pipeline.conf /etc/logstash/conf.d/first-pipeline.conf
  • Now start Logstash with sudo systemctl start logstash

Installation and Configuration

  • Install Auditbeat with sudo apt-get install auditbeat
  • Edit the /etc/auditbeat/auditbeat.yml file: comment out the Elasticsearch output and its host line, then uncomment the Logstash output and update its host line with your IP.
  • Now build the Auditbeat index in Elasticsearch:
sudo auditbeat setup --index-management -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["your_ip_address:9200"]'
  • Load the Auditbeat dashboards into Kibana with
sudo auditbeat setup -e \
  -E output.logstash.enabled=false \
  -E 'output.elasticsearch.hosts=["your_ip_address:9200"]' \
  -E output.elasticsearch.username=auditbeat_internal \
  -E setup.kibana.host=your_ip_address:5601
  • Start the Auditbeat service with systemctl start auditbeat
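As an added illustration (not part of the original lab), this is what the output section of /etc/auditbeat/auditbeat.yml looks like after the edit in the configuration step above: the Elasticsearch output is commented out and the Logstash output is enabled. The address 192.0.2.10 is a placeholder for your Logstash IP; 5044 is the default port of the Logstash beats input, and the pipeline in /etc/logstash/conf.d must listen on the same port.

```yaml
# ---------------------------- Elasticsearch Output ----------------------------
# Commented out on purpose: a Beat refuses to start with two outputs enabled,
# and in this lab events must reach Elasticsearch only through Logstash.
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]

# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash host(s). 192.0.2.10 is a placeholder for your Logstash IP;
  # 5044 is the default port used by the Logstash beats input plugin.
  hosts: ["192.0.2.10:5044"]

  # Optional: enable once the beats input in Logstash is configured for TLS,
  # so audit events are not shipped in clear text across the network.
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
```

Before starting the service, `sudo auditbeat test config -c /etc/auditbeat/auditbeat.yml` validates the syntax and `sudo auditbeat test output` confirms Auditbeat can reach Logstash on the configured port.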