{"id":665,"date":"2022-02-05T13:38:05","date_gmt":"2022-02-05T13:38:05","guid":{"rendered":"http:\/\/www.canchito-dev.com\/public\/blog\/?p=665"},"modified":"2022-02-05T13:38:05","modified_gmt":"2022-02-05T13:38:05","slug":"audit-the-activities-of-users-and-processes-on-your-systems-with-auditbeat","status":"publish","type":"post","link":"http:\/\/www.canchito-dev.com\/public\/blog\/2022\/02\/05\/audit-the-activities-of-users-and-processes-on-your-systems-with-auditbeat\/","title":{"rendered":"Audit the activities of users and processes on your systems with Auditbeat"},"content":{"rendered":"<h1>Audit the activities of users and processes on your systems with Auditbeat<\/h1>\n<div class=\"perfect-pullquote vcard pullquote-align-full pullquote-border-placement-left\"><blockquote>\n<p>Get to know Auditbeat and learn how it can help you by auditing the activities of the users and processes on your systems. All within a dockerized environment.<\/p>\n<\/blockquote><\/div>\n<div class=\"titlepage\">\n<div>\n<div>\n<h2 class=\"title\">Introduction<\/h2>\n<\/div>\n<\/div>\n<\/div>\n<p style=\"text-align: justify;\">Hi my friend! So far, we are almost done configuring our architecture. 
As a reminder, we <a href=\"http:\/\/www.canchito-dev.com\/public\/blog\/2021\/12\/26\/introduction-to-elastic-stack\/\">have learnt about Elasticsearch for storing the data that we collect and how to deploy it, Kibana as a Web UI for visualizing the collected data<\/a>, <a href=\"http:\/\/www.canchito-dev.com\/public\/blog\/2022\/01\/02\/elastic-stack-beats\/\">Filebeat for collecting data from our cluster<\/a>, we <a href=\"https:\/\/www.canchito-dev.com\/public\/blog\/2022\/01\/16\/getting-started-with-logstash\/\">saw what Logstash can do<\/a>, <a href=\"https:\/\/www.canchito-dev.com\/public\/blog\/2022\/01\/27\/collect-metrics-with-metricbet\/\">collected metrics from the system and services running on the server with the help of Metricbeat<\/a>, <a href=\"https:\/\/www.canchito-dev.com\/public\/blog\/2022\/01\/30\/know-if-your-service-is-available-with-heartbeat\/\">discovered whether your service is up thanks to Heartbeat<\/a>, and <a href=\"http:\/\/www.canchito-dev.com\/public\/blog\/2022\/01\/31\/capturing-the-network-traffic-with-packetbeat\">analyzed your network traffic with Packetbeat<\/a>. Now, let&#8217;s see how to audit the activities of the users and processes on your systems.<\/p>\n<h2>Overview<\/h2>\n<p style=\"text-align: justify;\">Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems, detect changes to critical files, and identify potential security policy violations.<\/p>\n<p style=\"text-align: justify;\">Just as any other Elastic Beat, Auditbeat is based on the <code class=\"literal\">libbeat<\/code> framework.<\/p>\n<h2>Deploying Auditbeat in Docker<\/h2>\n<p style=\"text-align: justify;\">Let&#8217;s begin by adding a folder which will hold Auditbeat&#8217;s files. 
The changes in the project should be highlighted.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-highlight=\"3-5,36\">elastic-stack-demo\r\n  +- elasticsearch-single-node-cluster\r\n       +- auditbeat\r\n       |    +- Dockerfile\r\n       |    +- auditbeat.yml\r\n       +- elasticsearch\r\n       |    +- Dockerfile-elasticsearch-single-node\r\n       |    +- elasticsearch-single-node.yml\r\n       +-filebeat\r\n       |    +- Dockerfile\r\n       |    +- filebeat-to-elasticsearch.yml\r\n       |    +- filebeat-to-logstash.yml\r\n       +-heartbeat\r\n       |    +- Dockerfile\r\n       |    +- heartbeat.yml\r\n       |    +- http_dashboard.ndjson\r\n       +-kibana\r\n       |    +- Dockerfile-kibana-single-node\r\n       |    +- kibana-single-node.yml\r\n       +-logstash\r\n       |    +- config\r\n       |    |    +- logstash.yml\r\n       |    |    +- pipelines.yml\r\n       |    +- pipeline\r\n       |    |    +- beats-example.conf\r\n       |    |    +- data-stream-example.conf\r\n       |    |    +- output.conf\r\n       |    +- Dockerfile\r\n       +-metricbeat\r\n       |    +- Dockerfile\r\n       |    +- metricbeat.yml\r\n       +-packetbeat\r\n       |    +- Dockerfile\r\n       |    +- packetbeat.yml\r\n       +- .env\r\n       +- docker-compose-auditbeat.yml\r\n       +- docker-compose-es-single-node.yml\r\n       +- docker-compose-filebeat-to-elasticseach.yml\r\n       +- docker-compose-filebeat-to-logstash.yml\r\n       +- docker-compose-heartbeat.yml\r\n       +- docker-compose-logstash.yml\r\n       +- docker-compose-metricbeat.yml\r\n       +- docker-compose-packetbeat.yml\r\n<\/pre>\n<p style=\"text-align: justify;\">As we have been doing so far, the first file we will be creating is the <code class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\">Dockerfile<\/code>. 
Create it under <code class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">elastic-stack-single-node-cluster\/auditbeat\/<\/code>, and paste the following code:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\">ARG ELK_VERSION\r\nFROM docker.elastic.co\/beats\/auditbeat:${ELK_VERSION}\r\n\r\n# add custom configuration\r\nCOPY --chown=root:auditbeat auditbeat.yml \/usr\/share\/auditbeat\/auditbeat.yml\r\n<\/pre>\n<p style=\"text-align: justify;\">The file has nothing extraordinary. It is just specifying the base image and copying the configuration <code class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">YAML<\/code> file for Auditbeat. This configuration file looks like this:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\">########################## Auditbeat Configuration #############################\r\n# You can find the full configuration reference here:\r\n# https:\/\/www.elastic.co\/guide\/en\/beats\/auditbeat\/index.html\r\n\r\n# =========================== Modules configuration ============================\r\nauditbeat.modules:\r\n  # The auditd module collects events from the audit framework in the Linux\r\n  # kernel. You need to specify audit rules for the events that you want to audit.\r\n  - module: auditd\r\n    ## Define audit rules here.\r\n    audit_rules: |\r\n      -w \/etc\/passwd -p wa -k identity\r\n      -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access\r\n\r\n  # The file integrity module sends events when files are changed (created,\r\n  # updated, deleted). The events contain file metadata and hashes.\r\n  - module: file_integrity\r\n    paths:\r\n      - \/bin\r\n      - \/usr\/bin\r\n      - \/sbin\r\n      - \/usr\/sbin\r\n      - \/etc\r\n    # List of regular expressions to filter out notifications for unwanted files.\r\n    # Wrap in single quotes to workaround YAML escaping rules. 
By default no files\r\n    # are ignored.\r\n    exclude_files:\r\n      - '(?i)\\.sw[nop]$'\r\n      - '~$'\r\n      - '\/\\.git($|\/)'\r\n\r\n  - module: system\r\n    datasets:\r\n      - host # General host information, e.g. uptime, IPs\r\n      - user # User information\r\n    period: 1m\r\n    user.detect_password_changes: true\r\n\r\n  - module: system\r\n    datasets:\r\n      - process # Started and stopped processes\r\n#      - socket  # Opened and closed sockets\r\n    period: 1s\r\n\r\n# ================================= Processors =================================\r\n# Processors are used to reduce the number of fields in the exported event or to\r\n# enhance the event with external metadata. This section defines a list of\r\n# processors that are applied one by one and the first one receives the initial\r\n# event:\r\n#\r\n#   event -&gt; filter1 -&gt; event1 -&gt; filter2 -&gt;event2 ...\r\n#\r\n# The supported processors are drop_fields, drop_event, include_fields,\r\n# decode_json_fields, and add_cloud_metadata.\r\nprocessors:\r\n  # The following example enriches each event with docker metadata, it matches\r\n  # container id from log path available in `source` field (by default it expects\r\n  # it to be \/var\/lib\/docker\/containers\/*\/*.log).\r\n  - add_docker_metadata: ~\r\n  # The following example enriches each event with host metadata.\r\n  - add_host_metadata: ~\r\n\r\n# ================================== Outputs ===================================\r\n# Configure what output to use when sending the data collected by the beat.\r\n# ---------------------------- Elasticsearch Output ----------------------------\r\noutput.elasticsearch:\r\n  # Boolean flag to enable or disable the output module.\r\n  enabled: true\r\n  # Array of hosts to connect to.\r\n  # Scheme and port can be left out and will be set to the default (http and 9200)\r\n  # In case you specify and additional path, the scheme is required: http:\/\/localhost:9200\/path\r\n  # 
IPv6 addresses should always be defined as: https:\/\/[2001:db8::1]:9200\r\n  hosts: ['elasticsearch-demo:9200']\r\n\r\n# ================================= Dashboards =================================\r\n# These settings control loading the sample dashboards to the Kibana index. Loading\r\n# the dashboards are disabled by default and can be enabled either by setting the\r\n# options here, or by using the `-setup` CLI flag or the `setup` command.\r\nsetup.dashboards.enabled: true\r\n\r\n# =================================== Kibana ===================================\r\n# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.\r\n# This requires a Kibana endpoint configuration.\r\nsetup.kibana:\r\n  # Kibana Host\r\n  # Scheme and port can be left out and will be set to the default (http and 5601)\r\n  # In case you specify and additional path, the scheme is required: http:\/\/localhost:5601\/path\r\n  # IPv6 addresses should always be defined as: https:\/\/[2001:db8::1]:5601\r\n  host: \"kibana-demo:5601\"\r\n\r\n# ================================== Logging ===================================\r\n# There are four options for the log output: file, stderr, syslog, eventlog\r\n# The file output is the default.\r\n# Sets log level. The default log level is info.\r\n# Available log levels are: error, warning, info, debug\r\nlogging.level: info\r\n\r\n# Write auditbeat own logs only to file to avoid catching them with itself in docker log files\r\n# When true, writes all logging output to files. The log files are automatically rotated when the\r\n# log file size limit is reached.\r\nlogging.to_files: false\r\n\r\n# When true, writes all logging output to the syslog. This option is not supported on Windows.\r\nlogging.to_syslog: false\r\n\r\n# ============================= X-Pack Monitoring ==============================\r\n# auditbeat can export internal metrics to a central Elasticsearch monitoring\r\n# cluster.  
This requires xpack monitoring to be enabled in Elasticsearch.  The\r\n# reporting is disabled by default.\r\n\r\n# Set to true to enable the monitoring reporter.\r\nmonitoring.enabled: true\r\n\r\n# Uncomment to send the metrics to Elasticsearch. Most settings from the\r\n# Elasticsearch output are accepted here as well.\r\n# Note that the settings should point to your Elasticsearch *monitoring* cluster.\r\n# Any setting that is not set is automatically inherited from the Elasticsearch\r\n# output configuration, so if you have the Elasticsearch output configured such\r\n# that it is pointing to your Elasticsearch monitoring cluster, you can simply\r\n# uncomment the following line.\r\nmonitoring.elasticsearch:\r\n  # Array of hosts to connect to.\r\n  # Scheme and port can be left out and will be set to the default (http and 9200)\r\n  # In case you specify and additional path, the scheme is required: http:\/\/localhost:9200\/path\r\n  # IPv6 addresses should always be defined as: https:\/\/[2001:db8::1]:9200\r\n  #hosts: [\"elasticsearch-demo:9200\"]\r\n\r\n# =============================== HTTP Endpoint ================================\r\n# Each beat can expose internal metrics through a HTTP endpoint. For security\r\n# reasons the endpoint is disabled by default. This feature is currently experimental.\r\n# Stats can be access through http:\/\/localhost:5066\/stats . For pretty JSON output\r\n# append ?pretty to the URL.\r\n# Defines if the HTTP endpoint is enabled.\r\nhttp.enabled: true\r\n\r\n# The HTTP endpoint will bind to this hostname, IP address, unix socket or named pipe.\r\n# When using IP addresses, it is recommended to only use localhost.\r\nhttp.host: auditbeat-demo\r\n\r\n# Port on which the HTTP endpoint will bind. Default is 5066.\r\nhttp.port: 5066\r\n<\/pre>\n<p style=\"text-align: justify;\">As you can see, we have included the description of each configuration option. Hopefully, it will be easier to understand it. 
In short, the main ideas behind it are:<\/p>\n<ul>\n<li>Enable the auditd module to collect events from the audit framework in the Linux kernel. The two rules in the configuration watch <code>\/etc\/passwd<\/code> for writes and attribute changes (key <code>identity<\/code>) and record file-open and truncate syscalls that fail with EPERM (key <code>access<\/code>). Note that <code>-F arch=b32<\/code> matches only the 32-bit syscall ABI; on a 64-bit host, add an equivalent rule with <code>arch=b64<\/code> so that 64-bit binaries are covered too.<\/li>\n<li>Enable the file integrity module to send events when files under the listed paths are created, updated or deleted.<\/li>\n<li>Enable the system module to collect host and user information every minute (with password-change detection) and started and stopped processes every second.<\/li>\n<li>Send the collected data to Elasticsearch for indexing.<\/li>\n<li>Export internal metrics to a central Elasticsearch monitoring cluster by enabling X-Pack monitoring. In our case, we will be using the same cluster.<\/li>\n<li>Enable the experimental HTTP endpoint, which exposes internal metrics.<\/li>\n<\/ul>\n<p>Now, we create a separate docker-compose file under <code class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">elastic-stack-single-node-cluster\/<\/code> and name it <code class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">docker-compose-auditbeat.yml<\/code>.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"yaml\">version: '3.9'\r\nservices:\r\n  auditbeat-demo:\r\n    hostname: auditbeat-demo\r\n    container_name: auditbeat-demo\r\n    build:\r\n      context: .\/auditbeat\r\n      dockerfile: Dockerfile\r\n      args:\r\n        - ELK_VERSION=${ELK_VERSION}\r\n    ports:\r\n      - 5566:5066\r\n    # Need to override user so we can access the log files, and docker.sock\r\n    user: root\r\n    # https:\/\/www.elastic.co\/guide\/en\/beats\/auditbeat\/current\/running-on-docker.html#_special_requirements\r\n    # PID and CAP_ADD options are ignored as they are Not yet available in swarm mode at the moment.\r\n    # Eagerly waiting for Docker 19.06 release which will bring --privileged flag to Docker\r\n    # Swarm Mode https:\/\/github.com\/moby\/moby\/issues\/24862#issuecomment-451594187\r\n    # support for capabilities https:\/\/github.com\/moby\/moby\/pull\/38380\r\n    
pid: host\r\n    cap_add:\r\n      - AUDIT_CONTROL\r\n      - AUDIT_READ\r\n    volumes:\r\n      - data_auditbeat_demo:\/usr\/share\/auditbeat\/data\r\n    # disable strict permission checks\r\n    command: [ '-e', '-v', '--strict.perms=false' ]\r\n    deploy:\r\n      mode: global\r\n    networks:\r\n      - elastic-stack-service-network\r\n\r\n# Networks to be created to facilitate communication between containers\r\nnetworks:\r\n  elastic-stack-service-network:\r\n    name: elastic-stack-service-network\r\n\r\n# Volumes\r\nvolumes:\r\n  data_auditbeat_demo:\r\n    driver: local\r\n<\/pre>\n<p style=\"text-align: justify;\">When deploying Auditbeat in a dockerized environment, there are some special requirements. Auditbeat runs as a non-root user, but requires some privileged capabilities to operate correctly. That is why we have included the <code>cap_add<\/code> entries <code>AUDIT_CONTROL<\/code> and <code>AUDIT_READ<\/code>, which give the container access to the kernel audit framework without making it fully privileged. Furthermore, it is also essential to run Auditbeat in the host PID namespace (<code>pid: host<\/code>), so that it sees and reports the host&#8217;s processes rather than only the container&#8217;s. Keep in mind that this demo compose file also runs the container as <code>user: root<\/code> and disables the strict permission checks with <code>--strict.perms=false<\/code>; that is convenient for a demo, but it is more privilege than Auditbeat itself requires.<\/p>\n<p style=\"text-align: justify;\">Great. We are ready to start Auditbeat by executing the following command:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\">$ docker-compose -f docker-compose-auditbeat.yml up -d --build<\/pre>\n<p>We are finally done deploying all the components of our architecture. If you go to <a href=\"http:\/\/localhost:5601\/app\/monitoring\">Management &gt; Stack Monitoring<\/a>, you can see the status of your cluster. 
It is quite a complete one, as we are monitoring almost every aspect of it.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-669 size-full\" src=\"http:\/\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2022\/02\/stack_monitoring_whole_architecture.png\" alt=\"CANCHITO-DEV: Kibana's Management &gt; Stack Monitoring Complete\" width=\"5090\" height=\"2616\" \/><\/p>\n<p style=\"text-align: justify;\">Now go to <a href=\"http:\/\/localhost:5601\/app\/dashboards#\/list\">Analytics &gt; Dashboards<\/a> and look for a dashboard called <code>[Auditbeat System] System Overview ECS<\/code>. Click it and you will see an overview of the system&#8217;s metrics:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-667 size-full\" src=\"http:\/\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2022\/02\/auditbeat_system_dashboard_system_overview_ecs.png\" alt=\"CANCHITO-DEV: [Auditbeat System] System Overview ECS\" width=\"5098\" height=\"2614\" \/><\/p>\n<h2>Clean Up<\/h2>\n<p>To do a complete clean up, execute this command:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"shell\">$ docker-compose -f docker-compose-es-single-node.yml -f docker-compose-filebeat-to-elasticseach.yml -f docker-compose-filebeat-to-logstash.yml -f docker-compose-logstash.yml -f docker-compose-metricbeat.yml -f docker-compose-heartbeat.yml -f docker-compose-packetbeat.yml -f docker-compose-auditbeat.yml down -v<\/pre>\n<h2 style=\"text-align: 
justify;\">Summary<\/h2>\n<p style=\"text-align: justify;\">In this post, we learned about Auditbeat and how it can be deployed within a dockerized environment. Once deployed, Auditbeat can help you by auditing the activities of users and processes on your systems, detecting changes to critical files, and identifying potential security policy violations.<\/p>\n<p style=\"text-align: justify;\">Please feel free to contact us. We will gladly respond to any doubt or question you might have. In the meantime, you can download the source code from our official <a href=\"https:\/\/github.com\/canchito-dev\/elastic-stack-demo\">GitHub<\/a> repository.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Get to know Auditbeat and learn how it can help you by auditing the activities of the users and processes on your systems. All within a dockerized environment.<\/p>\n","protected":false},"author":1,"featured_media":608,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[99,94,62,74,88,84],"tags":[105,104,63,75,115,89],"class_list":["post-665","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-auditbeat","category-beat","category-docker","category-docker-compose","category-elastic-stack","category-elk","tag-auditbeat","tag-beat","tag-docker","tag-docker-compose","tag-elastic-stask","tag-elk"],"aioseo_notices":[],"jetpack_featured_media_url":"http:\/\/www.canchito-dev.com\/public\/blog\/wp-content\/uploads\/2021\/12\/beats-logo-color.png","jetpack_shortlink":"https:\/\/wp.me\
/p8EwXo-aJ","jetpack_likes_enabled":true,"jetpack_sharing_enabled":true}