Posted January 19

You are reading Part 35 of the 57-part series: Harden and Secure Linux Servers. [Level 4]

This series covers progressive security measures, from fundamental hardening techniques to enterprise-grade defense strategies. Each article delves into a specific security practice, explaining its importance and providing step-by-step guidance for implementation. To explore more security best practices, visit the main guide for a full breakdown of all levels and recommendations.

Auditbeat and Filebeat are part of Elastic's Beats suite, providing advanced logging, auditing, and real-time monitoring of system activity. These tools help:

✅ Monitor file integrity and detect unauthorized changes.
✅ Track login attempts and privilege escalations.
✅ Integrate with the ELK stack (Elasticsearch, Logstash, Kibana) for real-time security insights.

By deploying Auditbeat and Filebeat, you improve system visibility and detect security threats before they escalate.

## How to Install and Configure Auditbeat and Filebeat

### 1. Install Auditbeat and Filebeat

For Debian/Ubuntu:

```bash
sudo apt update
sudo apt install auditbeat filebeat -y
```

For CentOS/RHEL:

```bash
sudo yum install auditbeat filebeat -y
```

### 2. Configure Auditbeat for File Integrity Monitoring

Auditbeat can track file modifications, login attempts, and process activity.

**Modify the Auditbeat Configuration File**

```bash
sudo nano /etc/auditbeat/auditbeat.yml
```

**Enable File Integrity Monitoring**

Modify the `file_integrity` module to monitor critical directories:

```yaml
auditbeat.modules:
  # Hashes the files under these paths and emits an event when one changes.
  - module: file_integrity
    paths:
      - /etc/
      - /var/log/
      - /home/user/Documents/
```

**Monitor User Login Activity and Privilege Escalation**

Enable audit rules in the `auditd` module to track login events and sudo commands. The rules use auditctl syntax, so each watch starts with `-w` (a bare `w` is rejected when the module loads):

```yaml
  # Same auditbeat.modules list as above; audit_rules is a multi-line string.
  - module: auditd
    audit_rules: |
      -w /var/log/auth.log -p wa -k auth_changes
      -w /etc/passwd -p wa -k passwd_changes
      -w /etc/sudoers -p wa -k sudo_changes
```

### 3. Configure Filebeat for Log Forwarding

Filebeat collects system logs and sends them to Elasticsearch, Logstash, or another SIEM.

**Modify the Filebeat Configuration File**

```bash
sudo nano /etc/filebeat/filebeat.yml
```

**Enable System Log Monitoring**

Modify the inputs section to collect authentication and security logs:

```yaml
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/auth.log
      - /var/log/syslog
      - /var/log/audit/audit.log
```

**Enable Output to Elasticsearch or Logstash**

If using Elasticsearch:

```yaml
output.elasticsearch:
  hosts: ["localhost:9200"]
```

If using Logstash:

```yaml
output.logstash:
  hosts: ["localhost:5044"]
```

### 4. Start and Enable Services

```bash
sudo systemctl enable auditbeat filebeat
sudo systemctl start auditbeat filebeat
```

### 5. Verify That Auditbeat and Filebeat Are Running

```bash
sudo systemctl status auditbeat filebeat
sudo auditbeat test config
sudo filebeat test config
```

### 6. Integrate with the ELK Stack for Advanced Log Analysis

To visualize logs and security events, integrate Auditbeat and Filebeat with Elasticsearch, Logstash, and Kibana (ELK).

Install Elasticsearch, Logstash, and Kibana:

```bash
sudo apt install elasticsearch logstash kibana -y
```

Enable the ELK services:

```bash
sudo systemctl enable elasticsearch logstash kibana
sudo systemctl start elasticsearch logstash kibana
```

Open Kibana (web interface):

Visit: http://your-server-ip:5601

Add `filebeat-*` and `auditbeat-*` as data sources.

### 7. Test and Validate the Setup

Check logs collected by Auditbeat:

```bash
sudo grep sudo /var/log/audit/audit.log
```

Check logs collected by Filebeat:

```bash
sudo journalctl -u filebeat --no-pager | tail -n 20
```

Search logs in Kibana under Discover → `filebeat-*` or `auditbeat-*`.

## Best Practices for Advanced Auditing

✅ Monitor critical files and user actions to detect unauthorized changes.
✅ Set up real-time alerts in Kibana to notify administrators of suspicious activity.
✅ Rotate logs and configure retention policies to optimize storage (`logrotate -d /etc/logrotate.conf` dry-runs the rotation configuration without changing any files).
✅ Combine with SIEM tools like Wazuh for advanced threat detection.

By implementing Auditbeat and Filebeat, you gain deep visibility into system activity, prevent security breaches, and maintain compliance with security policies.
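Step 2 above hands Auditbeat's `auditd` module a set of watch rules, and step 5 only checks that the YAML parses. The script below is an added example, not code from the article or from Elastic: it lints each intended rule (a rule must start with `-w <absolute path>` or `-a`, carry a `-p` permission set and a `-k` key so events can be searched by key) and then diffs the intended rules against the rules the kernel actually has loaded, as printed by `auditctl -l`. When `auditctl` is not available, or the script is not run as root, it falls back to a constructed sample of loaded rules so it can be exercised offline. The `EXPECTED_RULES`, `SAMPLE_LOADED` values and all function names are this example's own assumptions. One caveat worth knowing when reading the comparison: the kernel audit socket is shared, so if the `auditd` daemon is also running, Auditbeat needs its `socket_type` set to `multicast` (kernel 3.16 or later) to receive events at all.

```bash
#!/bin/sh
# Added example (not part of the original article). Lint the auditd-module
# rules, then confirm they are present in the kernel's loaded rule set.

# The three watches the article's auditd module is meant to load.
EXPECTED_RULES='-w /var/log/auth.log -p wa -k auth_changes
-w /etc/passwd -p wa -k passwd_changes
-w /etc/sudoers -p wa -k sudo_changes'

# Constructed sample of `auditctl -l` output for offline runs: the sudoers
# watch is deliberately absent so the report has something to show.
SAMPLE_LOADED='-w /var/log/auth.log -p wa -k auth_changes
-w /etc/passwd -p wa -k passwd_changes'

# lint_audit_rule RULE -> 0 if well-formed, 1 otherwise.
# Watch rules need "-w /abs/path", a "-p" permission set and a "-k" key;
# syscall rules ("-a ...") are accepted as-is. A bare leading "w" is rejected.
lint_audit_rule() {
    rule=$1
    case "$rule" in
        -w\ /*) ;;            # watch on an absolute path
        -a\ *) return 0 ;;    # syscall rule, not linted further here
        *) return 1 ;;
    esac
    case "$rule" in *" -p "[rwxa]*) ;; *) return 1 ;; esac
    case "$rule" in *" -k "?*) ;; *) return 1 ;; esac
    return 0
}

# lint_audit_rules RULES_TEXT -> returns the number of malformed lines (0 = ok)
# and prints each malformed line to stderr. A here-document is used instead of
# a pipe so the counter is not lost in a subshell.
lint_audit_rules() {
    bad=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        if ! lint_audit_rule "$line"; then
            echo "malformed rule: $line" >&2
            bad=$((bad + 1))
        fi
    done <<EOF
$1
EOF
    return "$bad"
}

# missing_rules EXPECTED_TEXT LOADED_TEXT -> prints each expected rule that
# does not appear verbatim in the loaded set (exact whole-line match).
missing_rules() {
    expected=$1
    loaded=$2
    while IFS= read -r rule; do
        [ -z "$rule" ] && continue
        if ! printf '%s\n' "$loaded" | grep -qxF -- "$rule"; then
            printf '%s\n' "$rule"
        fi
    done <<EOF
$expected
EOF
}

# check_loaded_rules -> uses the real kernel rule list when possible,
# otherwise the constructed sample above.
check_loaded_rules() {
    if command -v auditctl >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        loaded=$(auditctl -l 2>/dev/null)
    else
        loaded=$SAMPLE_LOADED
    fi
    missing_rules "$EXPECTED_RULES" "$loaded"
}

# Report: first the syntax of what we intend to load, then what is not loaded.
if lint_audit_rules "$EXPECTED_RULES"; then
    echo "all expected rules are well-formed"
fi
missing=$(check_loaded_rules)
if [ -n "$missing" ]; then
    printf 'expected rules not loaded in the kernel:\n%s\n' "$missing"
fi
```

Run it as root on the monitored host after `systemctl start auditbeat`; an empty "not loaded" section means the kernel holds every watch the configuration asked for. Exact-line matching is intentional: `auditctl -l` prints rules in canonical form, so a rule that differs only in option order will show up as missing and is worth a second look in `auditbeat.yml`.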
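Step 7 validates the setup with `grep sudo` over `/var/log/audit/audit.log`, which only shows that something matched. The script below is an added example, not code from the article or from Elastic: it parses audit records into the three answers an administrator actually wants from these rules, namely how many events each `-k` key produced, which users (by login uid `auid`, which survives privilege escalation) ran `sudo`, and which files changed under which key, by joining each `SYSCALL` record to its `PATH` record through the shared `msg=audit(time:serial)` identifier. It reads the real log when it is readable and otherwise falls back to a constructed, simplified sample embedded in the script; the sample lines, the `SAMPLE_LOG` name and all function names are this example's own assumptions (real `USER_CMD` records hex-encode the `cmd` field, which the sample omits for readability).

```bash
#!/bin/sh
# Added example (not part of the original article). Summarise audit.log by
# rule key, by sudo user, and by changed file.

# Constructed, simplified sample of audit records (not real host data).
SAMPLE_LOG=$(cat <<'EOF'
type=USER_CMD msg=audit(1705660000.090:200): pid=900 uid=1000 auid=1000 ses=3 msg='cwd="/home/user" cmd="vi /etc/passwd" exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=SYSCALL msg=audit(1705660000.101:201): arch=c000003e syscall=257 success=yes exit=3 ppid=900 pid=901 auid=1000 uid=0 gid=0 euid=0 comm="vi" exe="/usr/bin/vi" key="passwd_changes"
type=PATH msg=audit(1705660000.101:201): item=0 name="/etc/passwd" inode=1234 mode=0100644 nametype=NORMAL
type=SYSCALL msg=audit(1705660000.150:202): arch=c000003e syscall=257 success=yes exit=3 ppid=900 pid=905 auid=1000 uid=0 gid=0 euid=0 comm="visudo" exe="/usr/sbin/visudo" key="sudo_changes"
type=PATH msg=audit(1705660000.150:202): item=0 name="/etc/sudoers" inode=1300 mode=0100440 nametype=NORMAL
type=USER_CMD msg=audit(1705660001.000:199): pid=899 uid=1001 auid=1001 ses=4 msg='cwd="/root" cmd="useradd bob" exe="/usr/bin/sudo" terminal=pts/1 res=success'
type=SYSCALL msg=audit(1705660001.010:203): arch=c000003e syscall=257 success=yes exit=4 ppid=899 pid=910 auid=1001 uid=0 gid=0 euid=0 comm="useradd" exe="/usr/sbin/useradd" key="passwd_changes"
type=PATH msg=audit(1705660001.010:203): item=0 name="/etc/passwd" inode=1234 mode=0100644 nametype=NORMAL
EOF
)

# count_by_key LOG_TEXT -> "key count" per -k key, sorted.
count_by_key() {
    printf '%s\n' "$1" | awk '
        match($0, /key="[^"]*"/) {
            k = substr($0, RSTART + 5, RLENGTH - 6)   # strip key=" and "
            n[k]++
        }
        END { for (k in n) print k, n[k] }' | sort
}

# sudo_by_auid LOG_TEXT -> "auid count" for records where sudo is the binary.
# auid is the uid of the original login session, so it still names the human
# operator after sudo has switched the effective uid to 0.
sudo_by_auid() {
    printf '%s\n' "$1" | awk '
        /exe="\/usr\/bin\/sudo"/ && match($0, /auid=[0-9]+/) {
            a = substr($0, RSTART + 5, RLENGTH - 5)   # strip auid=
            n[a]++
        }
        END { for (a in n) print a, n[a] }' | sort
}

# changed_files LOG_TEXT -> "key path" per write event. The SYSCALL record
# carries the key and the PATH record carries the filename; both share the
# serial in msg=audit(time:serial), which is used as the join column.
changed_files() {
    printf '%s\n' "$1" | awk '
        match($0, /msg=audit\([0-9.]+:[0-9]+\)/) {
            s = substr($0, RSTART, RLENGTH)
            sub(/.*:/, "", s); sub(/\)/, "", s)       # keep only the serial
        }
        /^type=SYSCALL / && match($0, /key="[^"]*"/) {
            keys[s] = substr($0, RSTART + 5, RLENGTH - 6)
        }
        /^type=PATH / && /nametype=NORMAL/ && match($0, /name="[^"]*"/) {
            names[s] = substr($0, RSTART + 6, RLENGTH - 7)
        }
        END { for (s in keys) if (s in names) print keys[s], names[s] }' | sort
}

# audit_source -> the real log when readable, otherwise the sample.
audit_source() {
    if [ -r /var/log/audit/audit.log ]; then
        cat /var/log/audit/audit.log
    else
        printf '%s\n' "$SAMPLE_LOG"
    fi
}

log=$(audit_source)
echo "== events per rule key ==";   count_by_key "$log"
echo "== sudo invocations by auid =="; sudo_by_auid "$log"
echo "== files changed, by key ==";  changed_files "$log"
```

Run it with `sudo` on the monitored host so `/var/log/audit/audit.log` is readable; on any other machine it prints the summary of the embedded sample. If "events per rule key" stays empty after a deliberate edit of a watched file, the rules are not loaded, which is a configuration problem rather than a log-collection one.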