# Beats: Auditbeat

Copy as Markdown[Open in ChatGPT](https://chatgpt.com/?q=Read%20https%3A%2F%2Fcoralogix.com%2Fdocs%2Fintegrations%2Fsecurity%2Fbeats-auditbeat.md%20and%20help%20me%20with%20my%20question%20about%20this%20Coralogix%20documentation%20page.)[Open in Claude](https://claude.ai/new?q=Read%20https%3A%2F%2Fcoralogix.com%2Fdocs%2Fintegrations%2Fsecurity%2Fbeats-auditbeat.md%20and%20help%20me%20with%20my%20question%20about%20this%20Coralogix%20documentation%20page.)

Coralogix provides seamless integration with `Auditbeat` so you can send your audit data from anywhere into Coralogix.

## [](https://github.com/coralogix/integrations-docs/blob/master/integrations/auditbeat/README.rst#prerequisites)Prerequisites[​](#prerequisites "Direct link to prerequisites")

* Select the URLs in the table associated with your Coralogix [domain](https://coralogix.com/docs/docs/user-guides/account-management/account-settings/coralogix-domain/.md).

\[table id=51 /]

* [Install](https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-installation.html) `Auditbeat`.

* Install our SSL certificate to your system for providing a secure connection. You can download it by following table in this section (Column SSL Certificate).

## [](https://github.com/coralogix/integrations-docs/blob/master/integrations/auditbeat/README.rst#general)General[​](#general "Direct link to general")

**Private Key** – Your [Send Your Data - API Key](https://coralogix.com/docs/docs/user-guides/account-management/api-keys/send-your-data-api-key/.md) is a unique ID that represents your company.

**Company Id** – A unique number which represents your company. You can get your company id from the settings tab in the *Coralogix* dashboard.

**Application Name** – The name of your main application, for example, a company named *"SuperData"* would probably insert the *"SuperData"* string parameter or if they want to debug their test environment they might insert the *"SuperData– Test"*.

**SubSystem Name** – Your application probably has multiple subsystems, for example: Backend servers, Middleware, Frontend servers etc. in order to help you examine the data you need, inserting the subsystem parameter is vital.

## [](https://github.com/coralogix/integrations-docs/blob/master/integrations/auditbeat/README.rst#configuration)Configuration[​](#configuration "Direct link to configuration")

### [](https://github.com/coralogix/integrations-docs/blob/master/integrations/auditbeat/README.rst#on-host-machine)At the Host machine[​](#at-the-host-machine "Direct link to at-the-host-machine")

Open your `Auditbeat` configuration file and configure it to use `Logstash`. For more information about configuring `Auditbeat` to use `Logstash` please refer to: <https://www.elastic.co/guide/en/beats/auditbeat/current/logstash-output.html>

Point your `Auditbeat` to output to *Coralogix* logstash server:

If your Coralogix [domain](https://coralogix.com/docs/docs/user-guides/account-management/account-settings/coralogix-domain/.md) ends with '.com' use:

```
logstashserver.coralogix.com:5015
```

If your Coralogix [domain](https://coralogix.com/docs/docs/user-guides/account-management/account-settings/coralogix-domain/.md) ends with '.in' use:

```
logstashserver.app.coralogix.in:5015
```

In addition, you should add *Coralogix* configuration from the **General** section.

Here is a basic example of an **auditbeat.yml** file for watching some folders on your server:

```
#============================= Auditbeat Modules ===============================



auditbeat.modules:

- module: file_integrity

  enabled: true

  paths:

  - /bin

  - /usr/bin

  - /sbin

  - /usr/sbin

  - /etc



fields_under_root: true

fields:

  PRIVATE_KEY: "YOUR_PRIVATE_KEY"

  COMPANY_ID: YOUR_COMPANY_ID

  APP_NAME: "APP_NAME"

  SUB_SYSTEM: "SUB_NAME"



#----------------------------- Logstash output --------------------------------



output.logstash:

  enabled: true

# If your Coralogix domain ends with '.com' use logstashserver.coralogix.com:5015

# If your Coralogix domain ends with '.in' use logstashserver.app.coralogix.in:5015

  hosts: ["appropriate-log-stash-server"]

  ttl: 60s

  ssl.certificate_authorities: ["<path to folder with certificates>/ca.crt"]
```

### [](https://github.com/coralogix/integrations-docs/blob/master/integrations/auditbeat/README.rst#with-docker)Using Docker[​](#using-docker "Direct link to using-docker")

Build a Docker image with your **auditbeat.yml**:

```
FROM docker.elastic.co/beats/auditbeat:6.6.2



LABEL description="Auditbeat filesystem audit data collector"



# Adding configuration file and SSL certificates for Auditbeat

COPY auditbeat.yml /usr/share/auditbeat/auditbeat.yml

COPY ca.crt /etc/ssl/certs/Coralogix.crt



# Changing permission of configuration file

USER root

RUN chown root:auditbeat /usr/share/auditbeat/auditbeat.yml



# Return to deploy user

USER auditbeat
```

## [](https://github.com/coralogix/integrations-docs/blob/master/integrations/auditbeat/README.rst#usage)Usage[​](#usage "Direct link to usage")

You can deploy with *Docker-compose*:

```
version: '3.6'

services:

  auditbeat:

    image: docker.elastic.co/beats/auditbeat:6.6.2

    container_name: auditbeat

    volumes:

      - ./auditbeat.yml:/usr/share/auditbeat/auditbeat.yml:ro

      - ./ca.crt:/etc/ssl/certs/Coralogix.crt:ro
```

Important: Don't forget to change the owner of **auditbeat.yml** file to *root* (uid=1000).
