Step 5: Start Auditbeat
editStep 5: Start Auditbeat
editRun Auditbeat by issuing the appropriate command for your platform. If you are accessing a secured Elasticsearch cluster, make sure you’ve configured credentials as described in Step 2: Configure Auditbeat.
If you use an init.d script to start Auditbeat on deb or rpm, you can’t specify command line flags (see Command reference). To specify flags, start Auditbeat in the foreground.
deb and rpm:
sudo service auditbeat start
mac and linux:
To monitor system files, you’ll be running Auditbeat as root, so you
need to change ownership of the configuration file, or run Auditbeat with
|
If you see a warning about too many open files, you need to increase the
ulimit
. See the FAQ for more details.
brew:
To have launchd start elastic/tap/auditbeat
and then restart it at login,
run:
brew services start elastic/tap/auditbeat
To run Auditbeat in the foreground instead of running it as a background service, run:
auditbeat -e
win:
PS C:\Program Files\Auditbeat> Start-Service auditbeat
By default the log files are stored in C:\ProgramData\auditbeat\Logs
.
Test the Auditbeat installation
editTo verify that your server’s statistics are present in Elasticsearch, issue the following command:
curl -XGET 'http://localhost:9200/auditbeat-*/_search?pretty'
Make sure that you replace localhost:9200
with the address of your Elasticsearch
instance.
On Windows, if you don’t have cURL installed, simply point your browser to the URL.