---
title: Auditd module
description: The auditd module collects and parses logs from the audit daemon (auditd). When you run the module, it performs a few tasks under the hood: Sets the default...
url: https://www.elastic.co/elastic/docs-builder/docs/3016/reference/beats/filebeat/filebeat-module-auditd
products:
  - Beats
  - Filebeat
applies_to:
  - Elastic Cloud Serverless: Generally available
  - Elastic Stack: Generally available
---

# Auditd module
<admonition title="Prefer to use Elastic Agent for this use case?">
  Refer to the [Elastic Integrations documentation](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/auditd).
  <dropdown title="Learn more">
    Elastic Agent is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to the documentation for a detailed [comparison of Beats and Elastic Agent](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/reference/fleet).
  </dropdown>
</admonition>

The `auditd` module collects and parses logs from the audit daemon (`auditd`).
<note>
  Although Filebeat is able to parse logs by using the `auditd` module, [Auditbeat](https://www.elastic.co/elastic/docs-builder/docs/3016/reference/beats/auditbeat/auditbeat-module-auditd) offers more advanced features for monitoring audit logs.
</note>

When you run the module, it performs a few tasks under the hood:
- Sets the default paths to the log files (but don’t worry, you can override the defaults)
- Makes sure each multiline log event gets sent as a single event
- Uses an Elasticsearch ingest pipeline to parse and process the log lines, shaping the data into a structure suitable for visualizing in Kibana
- Deploys dashboards for visualizing the log data

<tip>
  Read the [quick start](https://www.elastic.co/elastic/docs-builder/docs/3016/reference/beats/filebeat/filebeat-installation-configuration) to learn how to configure and run modules.
</tip>


## Compatibility

The `auditd` module was tested with logs from `auditd` on OSes like CentOS 6 and CentOS 7.
This module is not available for Windows.

## Configure the module

You can further refine the behavior of the `auditd` module by specifying [variable settings](#auditd-settings) in the `modules.d/auditd.yml` file, or overriding settings at the command line.
You must enable at least one fileset in the module. **Filesets are disabled by default.**
The following example shows how to set paths in the `modules.d/auditd.yml` file to override the default paths for logs:
```yaml
- module: auditd
  log:
    enabled: true
    var.paths: ["/path/to/log/audit/audit.log*"]
```

To specify the same settings at the command line, you use:
```sh
-M "auditd.log.var.paths=[/path/to/log/audit/audit.log*]"
```


### Variable settings

Each fileset has separate variable settings for configuring the behavior of the module. If you don’t specify variable settings, the `auditd` module uses the defaults.
For advanced use cases, you can also override input settings. See [Override input settings](https://www.elastic.co/elastic/docs-builder/docs/3016/reference/beats/filebeat/advanced-settings).
<tip>
  When you specify a setting at the command line, remember to prefix the setting with the module name, for example, `auditd.log.var.paths` instead of `log.var.paths`.
</tip>


### `log` fileset settings

<definitions>
  <definition term="var.paths">
    An array of glob-based paths that specify where to look for the log files. All patterns supported by [Go Glob](https://golang.org/pkg/path/filepath/#Glob) are also supported here. For example, you can use wildcards to fetch all files from a predefined level of subdirectories: `/path/to/log/*/*.log`. This fetches all `.log` files from the subfolders of `/path/to/log`. It does not fetch log files from the `/path/to/log` folder itself. If this setting is left empty, Filebeat will choose log paths based on your operating system.
  </definition>
</definitions>
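
The glob behaviour described for `var.paths`, shown as an added example that is not part of the Filebeat documentation or code base. It calls Go's `filepath.Glob` directly rather than Filebeat's own path handling, and the directory tree and the names `matchPaths` and `buildSampleTree` are constructed for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// matchPaths expands each var.paths-style pattern with filepath.Glob.
// A pattern that matches nothing is not an error: it yields an empty result,
// which in practice is a silent gap in audit log collection.
func matchPaths(patterns []string) (map[string][]string, error) {
	out := make(map[string][]string, len(patterns))
	for _, p := range patterns {
		m, err := filepath.Glob(p)
		if err != nil { // returned only for a malformed pattern
			return nil, fmt.Errorf("bad pattern %q: %w", p, err)
		}
		out[p] = m
	}
	return out, nil
}

// buildSampleTree creates a constructed (not real) log layout in a temp dir.
func buildSampleTree() (string, error) {
	root, err := os.MkdirTemp("", "auditd-glob")
	if err != nil {
		return "", err
	}
	for _, f := range []string{"audit/audit.log", "audit/audit.log.1", "top.log", "a/one.log", "a/b/deep.log"} {
		full := filepath.Join(root, f)
		if err := os.MkdirAll(filepath.Dir(full), 0o700); err != nil {
			return "", err
		}
		if err := os.WriteFile(full, nil, 0o600); err != nil {
			return "", err
		}
	}
	return root, nil
}

func main() {
	root, err := buildSampleTree()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	patterns := []string{root + "/audit/audit.log*", root + "/*/*.log", root + "/missing/audit.log*"}
	res, err := matchPaths(patterns)
	fmt.Printf("matches=%v err=%v\n", res, err)
}
```

The trailing `*` in `audit.log*` picks up the rotated `audit.log.1`, `*/*.log` skips both `top.log` and the two-levels-deep `deep.log`, and the `missing` pattern returns no matches and no error.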


## Example dashboard

This module comes with a sample dashboard showing an overview of the audit log data. You can build more specific dashboards that are tailored to the audit rules that you use on your systems.
![kibana audit auditd](https://www.elastic.co/elastic/docs-builder/docs/3016/reference/beats/filebeat/images/kibana-audit-auditd.png)

## Fields

For a description of each field in the module, see the [exported fields](https://www.elastic.co/elastic/docs-builder/docs/3016/reference/beats/filebeat/exported-fields-auditd) section.