mirror of
https://github.com/Icinga/icingabeat.git
synced 2025-08-15 14:58:08 +02:00
34 lines
949 B
Plaintext
34 lines
949 B
Plaintext
[id="configuration-{beatname_lc}"]
|
|
== Specify which modules to run
|
|
|
|
To enable specific modules and metricsets, you add entries to the
|
|
`auditbeat.modules` list in the +{beatname_lc}.yml+ config file. Each entry in
|
|
the list begins with a dash (-) and is followed by settings for that module.
|
|
|
|
The following example shows a configuration that runs the `audit` module with
|
|
the `kernel` and `file` metricsets enabled:
|
|
|
|
[source,yaml]
|
|
----
|
|
auditbeat.modules:
|
|
|
|
- module: audit
|
|
metricsets: [kernel]
|
|
kernel.audit_rules: |
|
|
-w /etc/passwd -p wa -k identity
|
|
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
|
|
|
|
- module: audit
|
|
metricsets: [file]
|
|
file.paths:
|
|
- /bin
|
|
- /usr/bin
|
|
- /sbin
|
|
- /usr/sbin
|
|
- /etc
|
|
----
|
|
|
|
The configuration details vary by module. See the
|
|
<<{beatname_lc}-modules,module documentation>> for more detail about
|
|
configuring the available modules and metricsets.
|