---
# Elastic Agent program spec for Auditbeat: how the Agent starts the binary
# and how a Fleet policy is rewritten into an Auditbeat configuration.
name: Auditbeat
cmd: auditbeat

# Command-line flags for the process. Each "-E" pair overrides one setting
# in auditbeat.elastic-agent.yml.
args:
  - "-c"
  - "auditbeat.elastic-agent.yml"
  # ILM and index-template setup are handled on the Agent/Fleet side.
  - "-E"
  - "setup.ilm.enabled=false"
  - "-E"
  - "setup.template.enabled=false"
  # Configuration arrives over the Agent control channel.
  - "-E"
  - "management.enabled=true"
  # NOTE(review): debug-level logging is verbose; confirm the log destination
  # is access-controlled before shipping these logs anywhere.
  - "-E"
  - "logging.level=debug"
  # Go GC target; overridable through AUDITBEAT_GOGC, default 100.
  - "-E"
  - "gc_percent=${AUDITBEAT_GOGC:100}"
  # Do not load module configs from the local modules.d directory.
  - "-E"
  - "auditbeat.config.modules.enabled=false"

artifact: beats/auditbeat
restart_on_output_change: true

# Applied in order to turn the Fleet policy into the Auditbeat config.
rules:
  - fix_stream: {}

  # Keep only inputs whose type starts with 'audit/'.
  - filter_values_with_regexp:
      key: type
      re: '^audit/.+'
      selector: inputs

  # Adds 'index: logs-{data_stream.dataset}-{data_stream.namespace}' to
  # each input.
  - inject_index:
      type: logs

  # Adds two add_fields processors: one for event.dataset and one for
  # data_stream.dataset, data_stream.type and data_stream.namespace.
  - inject_stream_processor:
      on_conflict: insert_after
      type: logs

  # Flatten inputs[].streams[] into inputs[].
  - extract_list_items:
      path: inputs
      item: streams
      to: inputs

  # Per-input rewrites, applied to every element of inputs[].
  - map:
      path: inputs
      rules:
        # 'audit/<module>' becomes '<module>'; everything after the prefix
        # is the module name.
        - translate_with_regexp:
            path: type
            re: '^audit/(.+)'
            with: '$1'
        - rename:
            from: type
            to: module
        # A single dataset value becomes 'datasets: [<dataset>]'.
        - make_array:
            item: dataset
            to: datasets
        # Keys that have no meaning in the module configuration.
        - remove_key:
            key: dataset
        - remove_key:
            key: enabled
        - remove_key:
            key: data_stream
        - remove_key:
            key: condition
        # All config must come through the Agent: strip any reference to
        # local audit rule files so host-side files cannot alter the policy.
        - remove_key:
            key: audit_rule_files

  # Only the modules Auditbeat ships are allowed through.
  - filter_values:
      selector: inputs
      key: module
      values:
        - auditd
        - file_integrity
        - system

  # Adds two add_fields processors: one for agent.id and one for
  # elastic_agent.id, elastic_agent.snapshot and elastic_agent.version.
  - inject_agent_info: {}

  # Expose the rewritten inputs as 'modules' under the auditbeat section.
  - copy:
      from: inputs
      to: auditbeat
  - rename:
      from: auditbeat.inputs
      to: modules

  # Keep only these top-level sections (presumably the rest is dropped).
  - filter:
      selectors:
        - auditbeat
        - output
        - keystore

  # Inject headers into the output configuration.
  - inject_headers: {}

# Run the program only when at least one module survived the filters and the
# output is one of the supported types.
when: >-
  length(${auditbeat.modules}) > 0 and hasKey(${output}, 'elasticsearch',
  'redis', 'kafka', 'logstash')