Step 5: Start Auditbeatedit

Run Auditbeat by issuing the appropriate command for your platform.


If you use an init.d script to start Auditbeat on deb or rpm, you can’t specify command line flags (see Auditbeat commands). To specify flags, start Auditbeat in the foreground.


sudo service auditbeat start


sudo service auditbeat start


sudo chown root auditbeat.yml 
sudo ./auditbeat -e -c auditbeat.yml -d "publish"

To monitor system files, you’ll be running Auditbeat as root, so you need to change ownership of the configuration file, or run Auditbeat with -strict.perms=false specified. See Config File Ownership and Permissions in the Beats Platform Reference.

If you see a warning about too many open files, you need to increase the ulimit. See the FAQ for more details.


PS C:\Program Files\Auditbeat> Start-Service auditbeat

By default the log files are stored in C:\ProgramData\auditbeat\Logs.

Pass credentialsedit

If you’ve secured Elasticsearch and Kibana, you need to pass credentials when you run Auditbeat commands. You can specify credentials from the command line, or in the config file. For example, from the command line, specify:

auditbeat -e -c auditbeat.yml -d "publish" -E output.elasticsearch.username=elastic -E output.elasticsearch.password=elastic

If you start Auditbeat as a service instead of running it in the foreground, you must specify credentials in the config file.

See Step 2: Configure Auditbeat for more information about specifying credentials in the config file.

Test the Auditbeat installationedit

To verify that your server’s statistics are present in Elasticsearch, issue the following command:

curl -XGET 'http://localhost:9200/auditbeat-*/_search?pretty'

Make sure that you replace localhost:9200 with the address of your Elasticsearch instance.

On Windows, if you don’t have cURL installed, simply point your browser to the URL.