Step 5: Start Auditbeatedit

Run Auditbeat by issuing the appropriate command for your platform. If you are accessing a secured Elasticsearch cluster, make sure you’ve configured credentials as described in Step 2: Configure Auditbeat.

If you use an init.d script to start Auditbeat on deb or rpm, you can’t specify command line flags (see Command reference). To specify flags, start Auditbeat in the foreground.


sudo service auditbeat start


sudo service auditbeat start


sudo chown root auditbeat.yml 
sudo ./auditbeat -e -c auditbeat.yml -d "publish"

To monitor system files, you’ll be running Auditbeat as root, so you need to change ownership of the configuration file, or run Auditbeat with -strict.perms=false specified. See Config File Ownership and Permissions in the Beats Platform Reference.

If you see a warning about too many open files, you need to increase the ulimit. See the FAQ for more details.


PS C:\Program Files\Auditbeat> Start-Service auditbeat

By default the log files are stored in C:\ProgramData\auditbeat\Logs.

Test the Auditbeat installationedit

To verify that your server’s statistics are present in Elasticsearch, issue the following command:

curl -XGET 'http://localhost:9200/auditbeat-*/_search?pretty'

Make sure that you replace localhost:9200 with the address of your Elasticsearch instance.

On Windows, if you don’t have cURL installed, simply point your browser to the URL.