Get Started with Auditbeat | Linux System Monitoring


When monitoring and analyzing Linux systems at IOFLOOD, we rely on tools to provide insights into security events. We have found that Auditbeat, a lightweight open-source tool, is a valuable asset for collecting audit data from Linux systems. Today’s article has been carefully crafted to provide a concise tutorial on installing Auditbeat on Linux, empowering our cloud server hosting customers and fellow developers to enhance their system monitoring capabilities.

In this tutorial, we will guide you on how to install the Auditbeat command on your Linux system. We will show you methods for both APT and YUM-based distributions, delve into compiling Auditbeat from source, installing a specific version, and finally, how to use the Auditbeat command and ensure it’s installed correctly.

So, let’s dive in and begin installing Auditbeat on your Linux system!

TL;DR: How Do I Install Auditbeat on Linux?

To install Auditbeat, use sudo apt-get install auditbeat for Debian-based systems like Ubuntu or sudo yum install auditbeat for RPM-based systems like CentOS. After installation, configure Auditbeat by editing /etc/auditbeat/auditbeat.yml and start the service with sudo systemctl start auditbeat.

To install from a package, use the following:

# For Debian-based distributions
sudo dpkg -i auditbeat-7.12.1-amd64.deb

# For Red Hat-based distributions
sudo rpm -vi auditbeat-7.12.1-x86_64.rpm

# Output:
# Preparing...                          ################################# [100%]
# Updating / installing...
#    1:auditbeat-7.12.1-1               ################################# [100%]

This is a basic way to install Auditbeat on Linux, but there’s much more to learn about installing and using Auditbeat. Continue reading for more detailed information, advanced usage scenarios, and troubleshooting tips.

Basic Install Methods of Auditbeat

Auditbeat is a lightweight shipper that you can install on your servers to audit the activities of users and processes on your systems. It’s part of the Elastic Stack, designed to help you keep a close eye on your system’s integrity. With Auditbeat, you can monitor system changes, file integrity, and process activities, making it an essential tool for Linux system administration.

Installing Auditbeat using APT

If you’re running a Debian-based distribution like Ubuntu, you can use the APT package manager to install Auditbeat. Here’s how you do it:

# First, download and install the Elastic PGP key
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

# Install the `apt-transport-https` package
sudo apt-get install apt-transport-https

# Save the repository definition to /etc/apt/sources.list.d/elastic-7.x.list
echo "deb https://artifacts.elastic.co/packages/7.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-7.x.list

# Update your package lists
sudo apt-get update

# Install Auditbeat
sudo apt-get install auditbeat

# Output:
# Reading package lists... Done
# Building dependency tree
# Reading state information... Done
# auditbeat is already the newest version (7.12.1).
# 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

In this example, we first add the Elastic PGP key to our system. We then install the apt-transport-https package, which allows the APT package manager to retrieve packages over the https protocol. We then add the Elastic repository to our APT sources list and update our package lists. Finally, we install Auditbeat.

Installing Auditbeat using YUM

If you’re using a Red Hat-based distribution like CentOS or Fedora, you can use the YUM package manager to install Auditbeat. Here’s how:

# Download and install the Elastic PGP key
sudo rpm --import https://packages.elastic.co/GPG-KEY-elasticsearch

# Install the `yum-utils` package
sudo yum install yum-utils

# Add the Elastic repository definition to /etc/yum.repos.d/
sudo yum-config-manager --add-repo https://artifacts.elastic.co/packages/7.x/yum

# Update your package lists
sudo yum makecache

# Install Auditbeat
sudo yum install auditbeat

# Output:
# Loaded plugins: fastestmirror
# Loading mirror speeds from cached hostfile
#  * base: mirror.its.dal.ca
#  * extras: mirror.its.dal.ca
#  * updates: mirror.its.dal.ca
# Resolving Dependencies
# --> Running transaction check
# ---> Package auditbeat.x86_64 0:7.12.1-1 will be installed
# --> Finished Dependency Resolution

In this example, we first import the Elastic PGP key. We then install the yum-utils package, which provides the yum-config-manager utility. We use yum-config-manager to add the Elastic repository to our YUM configuration. We then update our package lists and install Auditbeat.

Installing Auditbeat from Source

If you prefer to install Auditbeat from source, you can do so by cloning the Elastic beats GitHub repository (which contains Auditbeat) and compiling the source code. You will also need a Go toolchain matching the beats release you are building. Here’s how you can do it:

# Install git
sudo apt-get install git

# Clone the beats repository, which contains Auditbeat
git clone https://github.com/elastic/beats.git

# Navigate into the auditbeat directory inside the checkout, where its Makefile lives
cd beats/auditbeat

# Build Auditbeat
make

# Output:
# go build
# echo Built auditbeat
# Built auditbeat

In this example, we first install git using the APT package manager. We then clone the beats repository from GitHub and navigate into its auditbeat directory. Finally, we use the make command to compile the source code.

Installing Other Versions of Auditbeat

There might be scenarios where you need to install a specific version of Auditbeat, either for compatibility reasons or to use a feature that’s only available in that version.

Installing Specific Versions from Source

You can check out a specific version of Auditbeat from the GitHub repository and then compile it. Here’s how:

# Navigate into the beats directory
cd beats

# Check out a specific version
git checkout v7.12.1

# Navigate into the auditbeat directory, where its Makefile lives
cd auditbeat

# Build Auditbeat
make

# Output:
# go build
# echo Built auditbeat
# Built auditbeat

In this example, we navigate into the beats directory, check out the v7.12.1 tag of Auditbeat using git, and then compile the source code from the auditbeat directory.

Installing Specific Versions Using APT or YUM

You can also install a specific version of Auditbeat using the APT or YUM package manager. Here’s how:

# For APT
sudo apt-get install auditbeat=7.12.1

# For YUM
sudo yum install auditbeat-7.12.1

# Output:
# Reading package lists... Done
# Building dependency tree
# Reading state information... Done
# auditbeat is already the newest version (7.12.1).
# 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

In this example, we install version 7.12.1 of Auditbeat by pinning the version in either the APT or YUM package manager.

Version Comparison

Here’s a quick comparison of the key features and compatibilities of different Auditbeat versions:

| Version | Key Features                                      | Compatibility                     |
|---------|---------------------------------------------------|-----------------------------------|
| 7.12.1  | Improved system monitoring, bug fixes             | Compatible with Elastic Stack 7.x |
| 7.11.0  | Added process enrichment in system/socket dataset | Compatible with Elastic Stack 7.x |
| 7.10.0  | Added ECS categorization fields to system module  | Compatible with Elastic Stack 7.x |

Basic Usage with Auditbeat

Once you’ve installed Auditbeat, you can use it to monitor your system’s activities. Here’s a basic example of how to start Auditbeat so that it begins collecting audit data:

# Start Auditbeat
sudo service auditbeat start

# Output:
# Starting auditbeat: auditbeat.

In this example, we start Auditbeat using the service command. You should see a message indicating that Auditbeat has started.

You can verify that Auditbeat is running and installed correctly using the status command:

# Verify Auditbeat status
sudo service auditbeat status

# Output:
# auditbeat is running.

In this example, we use the status command to check the status of Auditbeat. You should see a message indicating that Auditbeat is running.

Alternate System Monitoring Tools

While Auditbeat is a powerful tool for system monitoring, there are other alternatives available for Linux, such as Sysdig and Osquery. These tools provide similar functionalities and can be used depending on your specific needs.

Sysdig: A Powerful System Troubleshooting Tool

Sysdig is an open-source, cross-platform, multi-purpose troubleshooting tool. It delves into the system’s state and activity, offering rich insights.

# To install Sysdig on Ubuntu
sudo apt-get -y install sysdig

# Output:
# Reading package lists... Done
# Building dependency tree
# Reading state information... Done
# sysdig is already the newest version (0.27.1-1).
# 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

The above command installs Sysdig on an Ubuntu system. Once installed, you can use Sysdig to monitor system activity, much like Auditbeat.

Osquery: SQL Powered Operating System Instrumentation

Osquery exposes an operating system as a high-performance relational database, allowing you to write SQL-based queries to explore operating system data. With osquery, SQL tables represent abstract concepts such as running processes, loaded kernel modules, open network connections, browser plugins, hardware events, or file hashes.

# To install Osquery on Ubuntu
sudo apt-get install osquery

# Output:
# Reading package lists... Done
# Building dependency tree
# Reading state information... Done
# osquery is already the newest version (4.9.0-1.linux).
# 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

The above command installs Osquery on an Ubuntu system. After installation, you can use SQL queries to collect system information.

Making the Right Choice

While all three tools – Auditbeat, Sysdig, and Osquery – provide robust system monitoring capabilities, your choice depends on your specific needs and comfort with each tool. If you prefer a tool that integrates easily with the Elastic Stack, Auditbeat is the way to go. If you need deep system insights and love to troubleshoot, Sysdig can be your best bet. If you prefer to work with SQL queries for system monitoring, Osquery would be your ideal choice.

Installation Troubleshooting Auditbeat

While installing Auditbeat on a Linux system is typically a straightforward process, you may encounter some issues. Here are a few common problems and their solutions.

Issue: Failed Dependencies

When installing Auditbeat using the rpm or dpkg command, you might encounter an error about failed dependencies. This error typically occurs if the necessary dependencies are not installed on your system.

# Attempt to install Auditbeat
sudo rpm -i auditbeat-7.12.1-x86_64.rpm

# Output:
# error: Failed dependencies:
#       libsystemd.so.0()(64bit) is needed by auditbeat-7.12.1-1.x86_64

In this example, the rpm command fails to install Auditbeat because the libsystemd.so.0 dependency is missing.

To resolve this issue, you need to install the missing dependencies. On a Red Hat-based system, you can use the yum command to do this:

# Install the missing dependencies
sudo yum install systemd-libs

# Try to install Auditbeat again
sudo rpm -i auditbeat-7.12.1-x86_64.rpm

# Output:
# Preparing...                          ################################# [100%]
# Updating / installing...
#    1:auditbeat-7.12.1-1               ################################# [100%]

In this example, we use the yum command to install the systemd-libs package, which provides the missing libsystemd.so.0 library. We then attempt to install Auditbeat again, which now completes successfully.

Issue: Configuration Errors

After installing Auditbeat, you might encounter errors if the configuration file is not set up correctly. For example, you might see an error like this when you try to start Auditbeat:

# Attempt to start Auditbeat
sudo service auditbeat start

# Output:
# Job for auditbeat.service failed because the control process exited with error code.
# See "systemctl status auditbeat.service" and "journalctl -xe" for details.

In this example, the service command fails to start Auditbeat due to a configuration error.

To resolve this issue, you need to review the Auditbeat configuration file, which is typically located at /etc/auditbeat/auditbeat.yml. Make sure that all the configuration settings are correct, especially the output settings.

# Open the Auditbeat configuration file
sudo nano /etc/auditbeat/auditbeat.yml

# Make sure the output section is correct
output.elasticsearch:
  hosts: ["localhost:9200"]

In this example, we open the Auditbeat configuration file and ensure that the output.elasticsearch section is correct. We then save the configuration file and try to start Auditbeat again, which should now start successfully.

System Auditing in Linux Explained

In Linux, system auditing forms a vital part of maintaining system security and performance. It involves tracking and logging events happening in a computer system. These events can be anything from user logins, file access, system errors, or even attempts to access restricted areas.

Importance of System Auditing

System auditing is crucial for several reasons:

  1. Security: It helps detect unauthorized access or attempts to breach system security. By auditing system events, you can identify suspicious activities and take necessary actions.

  2. Accountability: It provides a record of actions performed by users, making it easier to hold individuals accountable for their activities on the system.

  3. System Optimization: By monitoring system activities, you can identify performance bottlenecks and optimize accordingly.

Role of Auditbeat in System Auditing

Auditbeat fits perfectly into the system auditing landscape. It’s a lightweight shipper that you can install on your servers to audit user and process activities. It collects data about these activities and sends it to Elasticsearch or Logstash for detailed analysis.

Installing Auditbeat

# For Debian-based distributions
sudo dpkg -i auditbeat-7.12.1-amd64.deb

# For Red Hat-based distributions
sudo rpm -vi auditbeat-7.12.1-x86_64.rpm

# Output:
# Preparing...                          ################################# [100%]
# Updating / installing...
#    1:auditbeat-7.12.1-1               ################################# [100%]

In this example, we install Auditbeat on a Linux system using either the dpkg command (for Debian-based distributions) or the rpm command (for Red Hat-based distributions). Once installed, Auditbeat can start auditing system activities.

Configuring Auditbeat

After installing Auditbeat, you need to configure it to monitor specific activities. This is done through the auditbeat.yml configuration file.

# Open the Auditbeat configuration file
sudo nano /etc/auditbeat/auditbeat.yml

# Make sure the output section is correct
output.elasticsearch:
  hosts: ["localhost:9200"]

In this example, we open the auditbeat.yml configuration file and set the output.elasticsearch section to send data to a local Elasticsearch instance. This configuration can be customized to suit your specific auditing needs.
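The article only shows the output section; as an added example (not from the original article or the Auditbeat project), the script below renders a complete auditbeat.yml that enables the file_integrity module for a watched directory and the auditd module with identity-file watch rules, then validates it with `auditbeat test config` and `auditbeat test output` before restarting the service, which is the check the "Configuration Errors" section above calls for. The watched directory, the Elasticsearch host and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: render a minimal
# /etc/auditbeat/auditbeat.yml that enables the file_integrity and auditd
# modules, then validate it before restarting the service.
# Assumptions: watched directory, Elasticsearch host and file locations.

# Write the configuration to $1 (default: the standard path).
# $2 is the directory to watch for changes, $3 the Elasticsearch host.
render_auditbeat_config() {
  cfg="${1:-/etc/auditbeat/auditbeat.yml}"
  watch_dir="${2:-/etc}"
  es_host="${3:-localhost:9200}"
  cat > "$cfg" <<EOF
auditbeat.modules:
# file_integrity: hash files under the watched path and report changes
- module: file_integrity
  paths:
    - ${watch_dir}
  recursive: true
  hash_types: [sha256]
  scan_at_start: true
# auditd: receive events from the kernel audit subsystem
- module: auditd
  audit_rules: |
    # watch identity files for writes and attribute changes
    -w /etc/passwd -p wa -k identity
    -w /etc/group -p wa -k identity
    # record every program execution
    -a always,exit -F arch=b64 -S execve,execveat -k exec
output.elasticsearch:
  hosts: ["${es_host}"]
EOF
}

# Check the rendered file before restarting: syntax first, then whether
# the configured output is reachable. If the restart still fails, show
# the journal lines that the systemd error message points to.
check_and_restart() {
  cfg="${1:-/etc/auditbeat/auditbeat.yml}"
  auditbeat test config -c "$cfg" || { echo "config invalid: $cfg" >&2; return 1; }
  auditbeat test output -c "$cfg" || { echo "output unreachable" >&2; return 1; }
  systemctl restart auditbeat || {
    journalctl -u auditbeat -n 20 --no-pager
    return 1
  }
}

# Usage (as root): sh deploy-auditbeat.sh apply [watch_dir] [es_host]
if [ "${1:-}" = "apply" ]; then
  render_auditbeat_config "" "${2:-}" "${3:-}" && check_and_restart
fi
```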

In conclusion, system auditing is an essential part of Linux system administration, and tools like Auditbeat make the process easier and more efficient. By understanding how to install and use Auditbeat, you can significantly enhance your system’s security and performance.

Further Uses of System Monitoring

While Auditbeat is a powerful tool for auditing system activities, it’s just one piece of the puzzle when it comes to comprehensive system monitoring and security in Linux. There are other tools and concepts that you can explore to further enhance your system’s security and performance.

Network Monitoring with Packetbeat

Packetbeat is an open-source network packet analyzer from Elastic that captures network traffic between your application processes, typically between the tiers of your application, and correlates the different messages to transactions.

# Install Packetbeat
sudo apt-get install packetbeat

# Output:
# Reading package lists... Done
# Building dependency tree
# Reading state information... Done
# packetbeat is already the newest version (7.12.1).
# 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

In this example, we install Packetbeat using the APT package manager. Once installed, Packetbeat allows you to monitor your system’s network traffic in real time.

Log Monitoring with Filebeat

Filebeat is a lightweight shipper for forwarding and centralizing log data. Installed as an agent on your servers, Filebeat monitors the log files or locations that you specify, collects log events, and forwards them either to Elasticsearch or Logstash.

# Install Filebeat
sudo apt-get install filebeat

# Output:
# Reading package lists... Done
# Building dependency tree
# Reading state information... Done
# filebeat is already the newest version (7.12.1).
# 0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

In this example, we install Filebeat using the APT package manager. Once installed, Filebeat can help you centralize and analyze your system’s log data.

Further Resources for Mastering Linux System Monitoring

  1. Elastic Stack Overview: This is a comprehensive guide to the Elastic Stack, which includes Auditbeat, Packetbeat, and Filebeat, among other tools.

  2. Linux System Monitoring: This resource provides an overview of various tools and techniques for system monitoring in Linux.

  3. Linux Security: This guide provides an introduction to Linux security, including user management, file permissions, and firewall configurations.

Recap: Auditbeat Installation Guide

In this comprehensive guide, we’ve navigated the process of installing and setting up Auditbeat on Linux, an essential tool for auditing system activities. This guide serves as a pathway to enhance your system’s security and performance.

We embarked on the journey with a simple installation of Auditbeat on Linux, providing a step-by-step guide for beginners. Diving deeper, we explored more advanced installation methods, such as compiling Auditbeat from source and installing specific versions. We also shed light on how to configure Auditbeat to monitor specific system activities.

Along the journey, we encountered common issues that users might face when installing Auditbeat and provided solutions to these challenges. We also took a detour to introduce alternative system monitoring tools like Sysdig and Osquery, giving you a broader perspective on Linux system monitoring.

Here’s a quick comparison of the tools we’ve discussed:

| Tool      | Ease of Installation | System Monitoring Capabilities | Compatibility         |
|-----------|----------------------|--------------------------------|-----------------------|
| Auditbeat | Moderate             | High                           | Linux, MacOS, Windows |
| Sysdig    | Easy                 | High                           | Linux, MacOS, Windows |
| Osquery   | Moderate             | High                           | Linux, MacOS, Windows |

Whether you’re just starting out with Auditbeat or you’re looking to level up your system monitoring skills, we hope this guide has given you a deeper understanding of Auditbeat and its capabilities.

With its robust system monitoring capabilities and compatibility with various systems, Auditbeat is a powerful tool for Linux system administration. Now, you’re well equipped to install Auditbeat on Linux and enhance your system’s security and performance. Happy monitoring!