Start Auditbeat
Stack
Before starting Auditbeat:
- Follow the steps in Quick start: installation and configuration to install, configure, and set up the Auditbeat environment.
- Make sure Kibana and Elasticsearch are running.
- Make sure the user specified in
auditbeat.ymlis authorized to publish events.
To start Auditbeat, run:
sudo service auditbeat start
Also see Auditbeat and systemd.
sudo service auditbeat start
Also see Auditbeat and systemd.
sudo chown root auditbeat.yml
sudo ./auditbeat -e
- You’ll be running Auditbeat as root, so you need to change ownership of the configuration file, or run Auditbeat with
--strict.perms=falsespecified. See Config File Ownership and Permissions.
sudo chown root auditbeat.yml
sudo ./auditbeat -e
- You’ll be running Auditbeat as root, so you need to change ownership of the configuration file, or run Auditbeat with
--strict.perms=falsespecified. See Config File Ownership and Permissions.
PS C:\Program Files\auditbeat> Start-Service auditbeat
The default location where Windows log files are stored varies:
-
Stack
C:\Program Files\Auditbeat-Data\logs -
Stack
C:\ProgramData\auditbeat\logs