Beginner Pro

Investigating File Integrity using Auditd

Investigate file integrity and detect unauthorized changes on a target Ubuntu machine using Auditd and ELK SIEM with Fleet (Elastic Agent). This guide will walk you through setting up Auditd to monitor file integrity, sending logs to Elasticsearch via Fleet, visualizing file changes in Kibana, and setting up alerts for suspicious activities like unauthorized file modifications.

Self-Paced by Rajneesh Gupta

Overview

This project focuses on detecting and investigating unauthorized file changes on an Ubuntu system using Auditd combined with the ELK SIEM platform managed through Fleet (Elastic Agent). Students will configure Auditd rules to monitor sensitive system directories and track file modifications, deletions, and permission changes in real time.

By forwarding Auditd events to Elasticsearch via the Elastic Agent, students gain centralized visibility into file integrity events, enabling powerful analysis, visualization, and alerting through Kibana. The project provides hands-on experience identifying unauthorized file activity, understanding attacker techniques targeting system files, and using SIEM capabilities to support detection and incident response.

Key Outcomes:

  • Configure Auditd for file integrity monitoring to track unauthorized modifications, deletions, renames, and permission changes across sensitive directories such as /etc/.

  • Deploy Elastic Agent with Fleet to collect Auditd logs and securely forward them to Elasticsearch for centralized analysis.

  • Ingest and normalize Auditd events within ELK SIEM, ensuring file integrity data is structured, indexed, and ready for threat detection.

  • Visualize file activity in Kibana dashboards.

What You'll Learn

  • Configuring Auditd for Real-Time File Integrity Monitoring

    Learn how to create Auditd rules to detect unauthorized file modifications, deletions, renames, and permission changes in sensitive directories like /etc/.

  • Forwarding Auditd Events with Elastic Agent

    Understand how to deploy Elastic Agent on Ubuntu and forward Auditd logs securely into Elasticsearch for centralized SIEM visibility.

  • Normalizing and Indexing Auditd Events in ELK

    Discover how Auditd logs are parsed, enriched, and stored in Elasticsearch to support analytics, dashboards, and threat detection workflows.

Prerequisites

  • Ubuntu system with Auditd installed
  • Elastic Stack (Elasticsearch, Kibana, Fleet) already deployed or accessible
  • Elastic Agent installed or ready to enroll with Fleet
  • Basic knowledge of Linux file permissions and directory structure
  • Familiarity with Auditd logs (/var/log/audit/audit.log)

About Trainer

Rajneesh Gupta


Rajneesh Gupta is a seasoned cybersecurity professional with over 11 years of industry experience. With a remarkable career focused on incident response, penetration testing, security compliance, and risk management, Rajneesh has established himself as a leading expert in the field. He is also an accomplished author, having penned the book "Hands-on with Blockchain and Cybersecurity". As a dedicated educator, Rajneesh has made a significant impact on the cybersecurity community by training over 60,000 students globally.
