This guide will show you how to integrate File Integrity Monitoring (FIM) and audit logs into the Secure60 platform.
This guide will explain how to set up File Integrity Monitoring on either Linux or Windows operating systems. FIM is an essential component of holistic visibility into your environment: file changes (and other permission changes) are key events that may indicate malicious behaviour.
In this guide we leverage Auditbeat (a lightweight, open-source FIM and audit product) to send logs to a Secure60 collector instance. As always, if you have any additional questions, don't hesitate to contact Secure60 Support.
This guide walks you through installing and configuring Auditbeat to monitor system and security events on your machine.
Prerequisites
1. Install Auditbeat
Download the latest Auditbeat version for your operating system from the official Elastic website: https://www.elastic.co/downloads/beats/auditbeat
Follow the installation instructions specific to your OS:

Linux (Debian package):
curl -L -O https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-8.13.2-amd64.deb
sudo dpkg -i auditbeat-8.13.2-amd64.deb

Windows: download and run the .msi installer.

2. Configure Auditbeat
Open the Auditbeat configuration file for editing:

Linux: /etc/auditbeat/auditbeat.yml
Windows: C:\Program Files\auditbeat\auditbeat.yml

Note: You can specify which files and folders you want File Integrity Monitoring (FIM) to track, and which ones to exclude, in the file_integrity section.
Configure Logstash Output:
We leverage the Logstash protocol to send data to the Secure60 Collector (by default, the Secure60 Collector can listen as a Logstash processor).
Add the following configuration under the output.logstash section:

output.logstash:
  hosts: ["<S60_COLLECTOR_IP_ADDRESS>:5044"]

Ensure you replace <S60_COLLECTOR_IP_ADDRESS> with the actual IP address of your Secure60 collector.
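A complete Linux auditbeat.yml that ties together the file_integrity section and the Logstash output described above, added here as an example rather than the page's or Secure60's own configuration; the monitored paths, exclusion patterns and audit rules are assumed sample values, and the collector address keeps the page's placeholder:

```yaml
# auditbeat.yml (Linux) -- added example, not the page's own configuration.
# Collector address is the page's placeholder; paths and rules are assumed samples.
auditbeat.modules:

# File Integrity Monitoring: baseline and watch system binaries and configuration.
- module: file_integrity
  paths:
    - /bin
    - /sbin
    - /usr/bin
    - /usr/sbin
    - /etc
    - /boot
  # Regexes for paths to skip (editor swap files, backups, git metadata)
  # so routine edits do not drown out real changes.
  exclude_files:
    - '(?i)\.sw[nop]$'
    - '~$'
    - '/\.git($|/)'
  recursive: true          # descend into subdirectories of each path
  scan_at_start: true      # hash everything at startup, then watch for changes
  hash_types: [sha256]     # hash used to detect content modifications
  max_file_size: 100 MiB   # skip hashing anything larger

# Kernel audit events (the "audit logs" side): identity and privilege file
# writes plus process execution, each tagged with a key for filtering.
- module: auditd
  audit_rules: |
    -w /etc/passwd -p wa -k identity
    -w /etc/shadow -p wa -k identity
    -w /etc/sudoers -p wa -k priv_esc
    -a always,exit -F arch=b64 -S execve -k exec

processors:
  - add_host_metadata: ~   # hostname/OS fields for correlation in the portal

# Ship events to the Secure60 collector over the Logstash protocol.
output.logstash:
  hosts: ["<S60_COLLECTOR_IP_ADDRESS>:5044"]
```

Before starting the service, validate the file with `sudo auditbeat test config -c /etc/auditbeat/auditbeat.yml` and confirm the collector is reachable with `sudo auditbeat test output`. On Windows, drop the auditd module and point `paths` at directories such as the Windows and Program Files folders.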
To enable Syslog integration in the S60-collector, modify the .env file as follows:
ENABLE_AUDITBEAT=true
Logs can be viewed in the Secure60 portal.