- Auditbeat Reference: other versions:
- Overview
- Getting started with Auditbeat
- Setting up and running Auditbeat
- Upgrading Auditbeat
- Configuring Auditbeat
- Specify which modules to run
- Specify general settings
- Reload the configuration dynamically
- Configure the internal queue
- Configure the output
- Configure index lifecycle management
- Specify SSL settings
- Filter and enhance the exported data
- Define processors
- Add cloud metadata
- Add fields
- Add labels
- Add the local time zone
- Add tags
- Decode JSON fields
- Drop events
- Drop fields from events
- Keep fields from events
- Rename fields from events
- Add Kubernetes metadata
- Add Docker metadata
- Add Host metadata
- Dissect strings
- DNS Reverse Lookup
- Add process metadata
- Parse data by using ingest node
- Enrich events with geoIP information
- Configure project paths
- Configure the Kibana endpoint
- Load the Kibana dashboards
- Load the Elasticsearch index template
- Configure logging
- Use environment variables in the configuration
- YAML tips and gotchas
- Regular expression support
- HTTP Endpoint
- auditbeat.reference.yml
- Modules
- Exported fields
- Monitoring Auditbeat
- Securing Auditbeat
- Troubleshooting
- Contributing to Beats
Step 5: Start Auditbeat
editStep 5: Start Auditbeat
editRun Auditbeat by issuing the appropriate command for your platform. If you are accessing a secured Elasticsearch cluster, make sure you’ve configured credentials as described in Step 2: Configure Auditbeat.
If you use an init.d script to start Auditbeat on deb or rpm, you can’t specify command line flags (see Command reference). To specify flags, start Auditbeat in the foreground.
deb and rpm:
sudo service auditbeat start
mac and linux:
|
To monitor system files, you’ll be running Auditbeat as root, so you
need to change ownership of the configuration file, or run Auditbeat with
|
If you see a warning about too many open files, you need to increase the
ulimit. See the FAQ for more details.
brew:
To have launchd start elastic/tap/auditbeat and then restart it at login,
run:
brew services start elastic/tap/auditbeat
To run Auditbeat in the foreground instead of running it as a background service, run:
auditbeat -e
win:
PS C:\Program Files\Auditbeat> Start-Service auditbeat
By default the log files are stored in C:\ProgramData\auditbeat\Logs.
Test the Auditbeat installation
editTo verify that your server’s statistics are present in Elasticsearch, issue the following command:
curl -XGET 'http://localhost:9200/auditbeat-*/_search?pretty'
Make sure that you replace localhost:9200 with the address of your Elasticsearch
instance.
On Windows, if you don’t have cURL installed, simply point your browser to the URL.
On this page