Auditbeat란?
Linux 감사 프레임워크 데이터를 수집하고 파일 무결성을 모니터링과 이벤트를 Elastic Stack에 실시간으로 전송하여 추가적인 분석이 가능하도록 지원하는 경량 감사 데이터 수집기
설치
https://www.elastic.co/kr/downloads/beats/auditbeat
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -sudo apt-get install apt-transport-httpsecho "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.listsudo apt-get update && sudo apt-get install auditbeat수정
nano /etc/auditbeat/auditbeat.yml보안 기능 활성화 일 경우 주석 해체후 아이디, 비밀번호 기입
# =================================== Kibana ===================================
# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:
# Kibana Host
# Scheme and port can be left out and will be set to the default (http and 5601)
# In case you specify and additional path, the scheme is required: http://localhost:5601/path
# IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
host: "localhost:5601" # 주석 해체
# Kibana Space ID
# ID of the Kibana Space into which the dashboards should be loaded. By default,
# the Default Space will be used.
#space.id:
# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["localhost:9200"]
# Protocol - either `http` (default) or `https`.
#protocol: "https"
# Authentication credentials - either API key or username/password.
#api_key: "id:api_key"
username: "elastic"
password: "XwAvjFelq11RDZ1k2YEH"시작
sudo systemctl start auditbeat && sudo systemctl enable auditbeat확인
