Skip to main content

Module Reference


The following Filebeat modules are most relevant to CPT missions. Each module handles log parsing, field normalization to ECS, and Kibana dashboard setup automatically β€” prefer modules over raw filebeat.inputs configs where available.

For full documentation on any module: filebeat modules <module-name> or the Filebeat Modules Reference.


System (Linux)​

Module: system Purpose: Collects Linux auth.log/secure (authentication events) and syslog/messages (general system log). Essential for Linux host visibility.

filebeat.modules:
- module: system
auth:
enabled: true
var.paths: ["/var/log/secure*"] # RHEL/CentOS
# var.paths: ["/var/log/auth.log*"] # Debian/Ubuntu
syslog:
enabled: true
var.paths: ["/var/log/messages*"] # RHEL/CentOS
# var.paths: ["/var/log/syslog*"] # Debian/Ubuntu
LogHigh-Value Events
auth.log / secureSSH logins (success/failure), sudo usage, PAM authentication, su usage
syslog / messagesService starts/stops, kernel messages, cron execution, systemd unit activity
OS-Specific Paths
DistributionAuth LogSyslog
RHEL / CentOS / Fedora/var/log/secure/var/log/messages
Debian / Ubuntu/var/log/auth.log/var/log/syslog
SUSE/var/log/messages/var/log/messages

Auditd (Linux)​

Module: auditd Purpose: Parses the Linux Audit daemon log (/var/log/audit/audit.log). Provides kernel-level syscall auditing β€” the deepest available Linux host visibility.

filebeat.modules:
- module: auditd
log:
enabled: true
var.paths: ["/var/log/audit/audit.log*"]
Auditd Rules Required

Auditd generates events based on configured audit rules (/etc/audit/rules.d/). Without meaningful rules, only basic system events are logged. Common high-value rules include syscall auditing for execve (process execution), file access on sensitive paths, and privilege escalation.


Apache / HTTPD​

Module: apache Purpose: Parses Apache HTTP Server access and error logs.

filebeat.modules:
- module: apache
access:
enabled: true
var.paths:
- /var/log/httpd/access_log* # RHEL/CentOS
- /var/log/httpd/ssl_access_log* # RHEL/CentOS SSL
# - /var/log/apache2/access.log* # Debian/Ubuntu
error:
enabled: true
var.paths:
- /var/log/httpd/error_log*
# - /var/log/apache2/error.log*

Default Apache log format fields: client IP, auth user, timestamp, request line, status code, response size, referer, user-agent.


Nginx​

Module: nginx Purpose: Parses Nginx access and error logs.

filebeat.modules:
- module: nginx
access:
enabled: true
var.paths: ["/var/log/nginx/access.log*"]
error:
enabled: true
var.paths: ["/var/log/nginx/error.log*"]
ingress_controller:
enabled: false

IIS (Windows)​

Module: iis Purpose: Parses Internet Information Services (IIS) access and error logs on Windows.

filebeat.modules:
- module: iis
access:
enabled: true
var.paths: ["C:/inetpub/logs/LogFiles/*/*.log"]
error:
enabled: true

osquery​

Module: osquery Purpose: Collects osquery result log output. Useful when osquery is deployed alongside other agents for scheduled host interrogation.

filebeat.modules:
- module: osquery
result:
enabled: true
var.paths: ["/var/log/osquery/osqueryd.results.log*"]

Logstash / Elasticsearch / Kibana​

Useful for collecting operational logs from the DIP stack itself when troubleshooting pipeline issues.

filebeat.modules:
- module: logstash
log:
enabled: true
var.paths: ["/var/log/logstash/logstash-plain.log*"]
slowlog:
enabled: false

- module: elasticsearch
server:
enabled: true
var.paths: ["/var/log/elasticsearch/*.log"]
gc:
enabled: false
audit:
enabled: false
slowlog:
enabled: false

- module: kibana
log:
enabled: true
var.paths: ["/var/log/kibana/kibana.log*"]