Step 5: Start Auditbeatedit

Run Auditbeat by issuing the appropriate command for your platform. If you are accessing a secured Elasticsearch cluster, make sure you’ve configured credentials as described in Step 2: Configure Auditbeat.

If you use an init.d script to start Auditbeat on deb or rpm, you can’t specify command line flags (see Command reference). To specify flags, start Auditbeat in the foreground.

deb and rpm:

sudo service auditbeat start

mac and linux:

sudo chown root auditbeat.yml 
sudo ./auditbeat -e

To monitor system files, you’ll be running Auditbeat as root, so you need to change ownership of the configuration file, or run Auditbeat with --strict.perms=false specified. See Config File Ownership and Permissions in the Beats Platform Reference.

If you see a warning about too many open files, you need to increase the ulimit. See the FAQ for more details.


To have launchd start elastic/tap/auditbeat and then restart it at login, run:

brew services start elastic/tap/auditbeat

To run Auditbeat in the foreground instead of running it as a background service, run:

auditbeat -e


PS C:\Program Files\Auditbeat> Start-Service auditbeat

By default the log files are stored in C:\ProgramData\auditbeat\Logs.

Test the Auditbeat installationedit

To verify that your server’s statistics are present in Elasticsearch, issue the following command:

curl -XGET 'http://localhost:9200/auditbeat-*/_search?pretty'

Make sure that you replace localhost:9200 with the address of your Elasticsearch instance.

On Windows, if you don’t have cURL installed, simply point your browser to the URL.