Start Auditbeat
Before starting Auditbeat:
- Follow the steps in Quick start: installation and configuration to install, configure, and set up the Auditbeat environment.
- Make sure Kibana and Elasticsearch are running.
- Make sure the user specified in
auditbeat.ymlis authorized to publish events.
To start Auditbeat, run:
sudo service auditbeat start
Also see Auditbeat and systemd.
sudo service auditbeat start
Also see Auditbeat and systemd.
sudo chown root auditbeat.yml
sudo ./auditbeat -e
- You’ll be running Auditbeat as root, so you need to change ownership of the configuration file, or run Auditbeat with
--strict.perms=falsespecified. See Config File Ownership and Permissions.
sudo chown root auditbeat.yml
sudo ./auditbeat -e
- You’ll be running Auditbeat as root, so you need to change ownership of the configuration file, or run Auditbeat with
--strict.perms=falsespecified. See Config File Ownership and Permissions.
PS C:\Program Files\auditbeat> Start-Service auditbeat
By default Windows log files are stored in C:\Program Files\Auditbeat-Data\logs.
Note
In versions before 9.0.6, the default location for Windows log files was C:\ProgramData\auditbeat\logs.