6.7.0 A lightweight shipper to audit the activities of users and processes on your systems


Auditbeat is a lightweight shipper to audit the activities of users and processes on your systems, so that you can identify potential security policy violations. You can use Auditbeat to collect audit events from the Linux Audit Framework. You can also use Auditbeat for file integrity checks, that is, to detect changes to critical files such as binaries and configuration files.


This chart deploys auditbeat agents to all the nodes in your cluster via a DaemonSet.

By default this chart only ships a single output to a file on the local system. Users should set config.output.file.enabled=false and configure their own outputs as documented


  • Kubernetes 1.9+

Installing the Chart

To install the chart with the release name my-release, run:

$ helm install --name my-release <helm-repo>/auditbeat

After a few minutes, you should see service statuses being written to the configured output, which is a log file inside the auditbeat container.

Tip: List all releases using helm list

Uninstalling the Chart

To uninstall/delete the my-release deployment:

$ helm delete my-release

The command removes all the Kubernetes components associated with the chart and deletes the release.


The following table lists the configurable parameters of the auditbeat chart and their default values.

| Parameter | Description | Default |
| --- | --- | --- |
| image.repository | The image repository to pull from | |
| image.tag | The image tag to pull | 6.7.0 |
| image.pullPolicy | Image pull policy | IfNotPresent |
| rbac.create | If true, create & use RBAC resources | true |
| rbac.serviceAccount | Existing ServiceAccount to use (ignored if rbac.create=true) | default |
| config | The content of the configuration file consumed by auditbeat. See the auditbeat documentation for full details | |
| plugins | List of beat plugins | |
| extraVars | A map of additional environment variables | |
| extraVolumes, extraVolumeMounts | Additional volumes and mounts, for example to provide other configuration files | |
| resources.requests.cpu | CPU resource requests | |
| resources.limits.cpu | CPU resource limits | |
| resources.requests.memory | Memory resource requests | |
| resources.limits.memory | Memory resource limits | |

Specify each parameter using the --set key=value[,key=value] argument to helm install. For example,

$ helm install --name my-release \
    --set rbac.create=true \
    <helm-repo>/auditbeat

Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example,

$ helm install --name my-release -f values.yaml <helm-repo>/auditbeat

Tip: You can use the default values.yaml
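
An added example (not part of the chart's own documentation) of a values.yaml that follows the advice above: it turns off the default local-file output and ships events to Elasticsearch instead. The nested layout mirrors the config.output.file.enabled path used on this page; output.elasticsearch.hosts is the standard Beats output setting, and the host name and resource figures are constructed placeholders.

```yaml
# values.yaml -- constructed example, not the chart's shipped defaults
rbac:
  create: true              # documented default: create and use RBAC resources

config:
  output:
    file:
      enabled: false        # disable the chart's default output to a local file
    elasticsearch:
      # Placeholder endpoint (assumption); replace with your own cluster.
      hosts:
        - "https://elasticsearch.example.internal:9200"

# The DaemonSet runs one agent per node, so bound what each agent may consume.
# Figures below are illustrative only.
resources:
  requests:
    cpu: 100m
    memory: 100Mi
  limits:
    cpu: 200m
    memory: 200Mi
```

Pass the file with the -f values.yaml form of helm install shown above.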