Beats: Auditbeat

Coralogix provides seamless integration with Auditbeat so you can send your audit data from anywhere into Coralogix.

Prerequisites

This document includes cluster-dependent URLs. Each URL has a variable part that depends on the cluster your account lives in. Look up the entry for the top-level domain of your Coralogix account (.com, .us or .in) in the table below and substitute it for the variable part of the URL.

.com
  Elasticsearch-API: https://coralogix-esapi.coralogix.com:9443
  SSL Certificate:   https://coralogix-public.s3-eu-west-1.amazonaws.com/certificate/Coralogix-EU.crt
  Cluster URL:       coralogix.com

.us
  Elasticsearch-API: https://esapi.coralogix.us:9443
  SSL Certificate:   https://www.amazontrust.com/repository/AmazonRootCA1.pem
  Cluster URL:       coralogix.us

.in
  Elasticsearch-API: https://es-api.app.coralogix.in:9443
  SSL Certificate:   https://coralogix-public.s3-eu-west-1.amazonaws.com/certificate/Coralogix-IN.pem
  Cluster URL:       app.coralogix.in

General

Private Key – A unique ID that identifies your company; it is e-mailed to you when you register with Coralogix. It authenticates everything you send, so treat it as a credential: keep it out of version control, out of Docker image layers and out of world-readable files.

Company ID – A unique number that identifies your company. You can find it under the Settings tab of the Coralogix dashboard.

Application Name – The name of your main application. For example, a company named “SuperData” would typically use “SuperData”, or “SuperData – Test” when shipping data from its test environment.

SubSystem Name – Your application probably consists of several subsystems (backend servers, middleware, frontend servers, and so on). Setting the subsystem parameter is what lets you narrow the data down to the component you are examining, so do not leave it out.

Configuration

At the Host machine

Open your Auditbeat configuration file and configure it to use Logstash. For more information about configuring Auditbeat to use Logstash please refer to: https://www.elastic.co/guide/en/beats/auditbeat/current/logstash-output.html

Point the Logstash output at the Coralogix Logstash server for your cluster. Port 5015 is a TLS endpoint, so you also need the CA certificate listed for your cluster in the Prerequisites table.

If your Coralogix account URL ends with ‘.com’ use:

logstashserver.coralogix.com:5015

If your Coralogix account URL ends with ‘.in’ use:

logstashserver.app.coralogix.in:5015

This page lists Logstash endpoints only for .com and .in accounts. In addition, add the Coralogix fields described in the General section (private key, company ID, application name and subsystem name) to the configuration.

Here is a basic example of an auditbeat.yml file that watches a few system directories on your server. The Coralogix values come from the General section; because the private key is a credential, keep this file out of version control and readable only by its owner:

#============================= Auditbeat Modules ===============================

auditbeat.modules:
- module: file_integrity
  enabled: true
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc

# Coralogix routing fields. fields_under_root: true places them at the top
# level of each event instead of under fields.*.
fields_under_root: true
fields:
  PRIVATE_KEY: "YOUR_PRIVATE_KEY"
  COMPANY_ID: YOUR_COMPANY_ID
  APP_NAME: "APP_NAME"
  SUB_SYSTEM: "SUB_NAME"

#----------------------------- Logstash output --------------------------------

output.logstash:
  enabled: true
  # If your account URL ends with '.com' use logstashserver.coralogix.com:5015
  # If your account URL ends with '.in' use logstashserver.app.coralogix.in:5015
  hosts: ["appropriate-log-stash-server"]
  # CA certificate for your cluster from the Prerequisites table; without it
  # the TLS connection to the Logstash server cannot be verified. With the
  # Dockerfile below the certificate is at /etc/ssl/certs/Coralogix.crt.
  ssl.certificate_authorities: ["<path to folder with certificates>/ca.crt"]
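The following script is an added example, not part of the Coralogix page or of Elastic's tooling, covering the whole configuration procedure above. It renders auditbeat.yml from environment variables (so the private key is never committed or baked into an image layer), selects the Logstash endpoint from the account domain, and then applies the same ownership and mode rule Beats enforces at start-up: the configuration file must be owned by root or by the user running Auditbeat and must not be writable by group or others. The CORALOGIX_* variable names, the /hostfs-free default paths and the Linux/GNU stat invocation (with a BSD stat fallback) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not Coralogix's or Elastic's own tooling. Assumes a Linux host
# with GNU coreutils (BSD stat handled as a fallback) and the CORALOGIX_*
# environment variable names below, which are this script's own convention.

# Write auditbeat.yml from environment variables. Fails if a value is missing
# or the account domain is not one this page documents an endpoint for.
render_auditbeat_config() {
  out="$1"
  # Logstash endpoint by account domain; the page documents only .com and .in.
  case "${CORALOGIX_DOMAIN:-}" in
    com) host="logstashserver.coralogix.com:5015" ;;
    in)  host="logstashserver.app.coralogix.in:5015" ;;
    *)   echo "CORALOGIX_DOMAIN must be 'com' or 'in'" >&2; return 1 ;;
  esac
  for v in CORALOGIX_PRIVATE_KEY CORALOGIX_COMPANY_ID CORALOGIX_APP_NAME \
           CORALOGIX_SUBSYSTEM CORALOGIX_CA; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || { echo "$v is not set" >&2; return 1; }
  done
  # Subshell so the restrictive umask (file created 0600) does not leak out;
  # remove any old copy so a looser existing mode is not inherited.
  ( umask 077
    rm -f -- "$out"
    cat > "$out" <<EOF
auditbeat.modules:
- module: file_integrity
  enabled: true
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc

fields_under_root: true
fields:
  PRIVATE_KEY: "$CORALOGIX_PRIVATE_KEY"
  COMPANY_ID: $CORALOGIX_COMPANY_ID
  APP_NAME: "$CORALOGIX_APP_NAME"
  SUB_SYSTEM: "$CORALOGIX_SUBSYSTEM"

output.logstash:
  enabled: true
  hosts: ["$host"]
  ssl.certificate_authorities: ["$CORALOGIX_CA"]
EOF
  )
}

# Reproduce the Beats strict-permissions check: owner must be root or the
# current user, and the file must not be group/other writable.
check_beat_config_perms() {
  f="$1"
  [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
  # "<uid> <octal mode>": GNU stat first, BSD stat (macOS) as fallback.
  info=$(stat -c '%u %a' "$f" 2>/dev/null) || info=$(stat -f '%u %OLp' "$f") || return 1
  uid=${info%% *}
  mode=${info##* }
  if [ "$uid" -ne 0 ] && [ "$uid" -ne "$(id -u)" ]; then
    echo "$f: owned by uid $uid, must be root or uid $(id -u)" >&2
    return 1
  fi
  # The last two octal digits are the group and other permission bits.
  go=${mode#"${mode%??}"}
  g=${go%?}; o=${go#?}
  if [ $((g & 2)) -ne 0 ] || [ $((o & 2)) -ne 0 ]; then
    echo "$f: mode $mode is group/other writable; run: chmod go-w $f" >&2
    return 1
  fi
  return 0
}

# Stand-alone use:
#   CORALOGIX_DOMAIN=com CORALOGIX_PRIVATE_KEY=... ./render.sh /etc/auditbeat/auditbeat.yml
if [ -n "${1:-}" ]; then
  render_auditbeat_config "$1" || exit 1
  check_beat_config_perms "$1" || exit 1
  # Real Beats subcommand: parses the file and reports errors without shipping data.
  if command -v auditbeat >/dev/null 2>&1; then
    auditbeat test config -c "$1"
  fi
fi
```

After the file passes these checks, `auditbeat test output` (a real Beats subcommand) opens the TLS connection to the configured Logstash host and reports whether the certificate chain verifies against ssl.certificate_authorities, which is the quickest way to confirm you downloaded the right CA for your cluster.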

Using Docker

Build a Docker image with your auditbeat.yml. Note that anything you COPY into the image, including the private key inside auditbeat.yml, ends up in the image layers, so keep such an image in a private registry or mount the file at run time as in the Compose example below:

FROM docker.elastic.co/beats/auditbeat:6.6.2

LABEL description="Auditbeat filesystem audit data collector"

# Adding configuration file and SSL certificates for Auditbeat
COPY auditbeat.yml /usr/share/auditbeat/auditbeat.yml
COPY ca.crt /etc/ssl/certs/Coralogix.crt

# Beats refuses to start if the configuration file is owned by anyone other
# than root or the user running Auditbeat, or if it is writable by group or
# others, so fix the ownership and strip the group/other write bits.
USER root
RUN chown root:auditbeat /usr/share/auditbeat/auditbeat.yml && \
    chmod go-w /usr/share/auditbeat/auditbeat.yml

# Return to deploy user
USER auditbeat

Usage

Alternatively, deploy with Docker Compose, mounting the configuration file and the certificate read-only instead of baking them into the image:

version: '3.6'
services:
  auditbeat:
    image: docker.elastic.co/beats/auditbeat:6.6.2
    container_name: auditbeat
    volumes:
      - ./auditbeat.yml:/usr/share/auditbeat/auditbeat.yml:ro
      - ./ca.crt:/etc/ssl/certs/Coralogix.crt:ro

Important: auditbeat.yml must be owned by root (uid 0) or by the user Auditbeat runs as inside the image (auditbeat, uid 1000), and must not be writable by group or others (chmod 0644 or stricter); otherwise Auditbeat refuses to start with a permissions error. A bind-mounted file keeps its host ownership and mode, so fix it on the host before starting the container. The check can be switched off with the -strict.perms=false command-line flag, but fixing the permissions is the better option. Also note that inside the container the file_integrity paths in the example configuration (/etc, /bin and so on) refer to the container's own filesystem, not the host's; to audit host directories, bind-mount them into the container and list the mounted paths in auditbeat.yml.
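As an added example (not part of the Coralogix page), here is the Compose file extended so that it actually audits host directories and survives restarts. The /hostfs mount prefix and the auditbeat-data volume name are this example's own conventions; auditbeat.yml must then list /hostfs/etc, /hostfs/bin and so on in the file_integrity paths instead of /etc and /bin.

```yaml
version: '3.6'
services:
  auditbeat:
    image: docker.elastic.co/beats/auditbeat:6.6.2
    container_name: auditbeat
    volumes:
      # Configuration and CA, read-only. On the host, auditbeat.yml must be
      # owned by root or uid 1000 and not group/other writable, or the
      # container exits immediately with a permissions error.
      - ./auditbeat.yml:/usr/share/auditbeat/auditbeat.yml:ro
      - ./ca.crt:/etc/ssl/certs/Coralogix.crt:ro
      # Directories to audit, bind-mounted read-only from the host. Inside the
      # container /etc is the container's own /etc, so the configuration must
      # point at these /hostfs/... paths (the prefix is this example's choice).
      - /etc:/hostfs/etc:ro
      - /bin:/hostfs/bin:ro
      - /usr/bin:/hostfs/usr/bin:ro
      - /sbin:/hostfs/sbin:ro
      - /usr/sbin:/hostfs/usr/sbin:ro
      # Persist the file_integrity database so a restart does not repeat the
      # initial full scan of every watched file.
      - auditbeat-data:/usr/share/auditbeat/data
    restart: unless-stopped
volumes:
  auditbeat-data:
```

Because the image runs as the unprivileged auditbeat user, files the host keeps root-only (for example /etc/shadow) cannot be hashed and will show up as read errors in the Auditbeat log; if those files matter to you, run the service as root with the `user: root` Compose option and accept the wider blast radius that implies.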