Module Reference
The following Filebeat modules are most relevant to CPT missions. Each module handles log parsing, field normalization to ECS, and Kibana dashboard setup automatically β prefer modules over raw filebeat.inputs configs where available.
For full documentation on any module: filebeat modules <module-name> or the Filebeat Modules Reference.
System (Linux)β
Module: system
Purpose: Collects Linux auth.log/secure (authentication events) and syslog/messages (general system log). Essential for Linux host visibility.
filebeat.modules:
- module: system
auth:
enabled: true
var.paths: ["/var/log/secure*"] # RHEL/CentOS
# var.paths: ["/var/log/auth.log*"] # Debian/Ubuntu
syslog:
enabled: true
var.paths: ["/var/log/messages*"] # RHEL/CentOS
# var.paths: ["/var/log/syslog*"] # Debian/Ubuntu
| Log | High-Value Events |
|---|---|
auth.log / secure | SSH logins (success/failure), sudo usage, PAM authentication, su usage |
syslog / messages | Service starts/stops, kernel messages, cron execution, systemd unit activity |
| Distribution | Auth Log | Syslog |
|---|---|---|
| RHEL / CentOS / Fedora | /var/log/secure | /var/log/messages |
| Debian / Ubuntu | /var/log/auth.log | /var/log/syslog |
| SUSE | /var/log/messages | /var/log/messages |
Auditd (Linux)β
Module: auditd
Purpose: Parses the Linux Audit daemon log (/var/log/audit/audit.log). Provides kernel-level syscall auditing β the deepest available Linux host visibility.
filebeat.modules:
- module: auditd
log:
enabled: true
var.paths: ["/var/log/audit/audit.log*"]
Auditd generates events based on configured audit rules (/etc/audit/rules.d/). Without meaningful rules, only basic system events are logged. Common high-value rules include syscall auditing for execve (process execution), file access on sensitive paths, and privilege escalation.
Apache / HTTPDβ
Module: apache
Purpose: Parses Apache HTTP Server access and error logs.
filebeat.modules:
- module: apache
access:
enabled: true
var.paths:
- /var/log/httpd/access_log* # RHEL/CentOS
- /var/log/httpd/ssl_access_log* # RHEL/CentOS SSL
# - /var/log/apache2/access.log* # Debian/Ubuntu
error:
enabled: true
var.paths:
- /var/log/httpd/error_log*
# - /var/log/apache2/error.log*
Default Apache log format fields: client IP, auth user, timestamp, request line, status code, response size, referer, user-agent.
Nginxβ
Module: nginx
Purpose: Parses Nginx access and error logs.
filebeat.modules:
- module: nginx
access:
enabled: true
var.paths: ["/var/log/nginx/access.log*"]
error:
enabled: true
var.paths: ["/var/log/nginx/error.log*"]
ingress_controller:
enabled: false
IIS (Windows)β
Module: iis
Purpose: Parses Internet Information Services (IIS) access and error logs on Windows.
filebeat.modules:
- module: iis
access:
enabled: true
var.paths: ["C:/inetpub/logs/LogFiles/*/*.log"]
error:
enabled: true
osqueryβ
Module: osquery
Purpose: Collects osquery result log output. Useful when osquery is deployed alongside other agents for scheduled host interrogation.
filebeat.modules:
- module: osquery
result:
enabled: true
var.paths: ["/var/log/osquery/osqueryd.results.log*"]
Logstash / Elasticsearch / Kibanaβ
Useful for collecting operational logs from the DIP stack itself when troubleshooting pipeline issues.
filebeat.modules:
- module: logstash
log:
enabled: true
var.paths: ["/var/log/logstash/logstash-plain.log*"]
slowlog:
enabled: false
- module: elasticsearch
server:
enabled: true
var.paths: ["/var/log/elasticsearch/*.log"]
gc:
enabled: false
audit:
enabled: false
slowlog:
enabled: false
- module: kibana
log:
enabled: true
var.paths: ["/var/log/kibana/kibana.log*"]