Run Auditbeat by issuing the appropriate command for your platform. If you are accessing a secured Elasticsearch cluster, make sure you’ve configured credentials as described in Step 2: Configure Auditbeat.
If you use an init.d script to start Auditbeat on deb or rpm, you can’t specify command line flags (see Command reference). To specify flags, start Auditbeat in the foreground.
deb and rpm:
sudo service auditbeat start
mac and linux:
To monitor system files, you’ll be running Auditbeat as root, so you
need to change ownership of the configuration file, or run Auditbeat with
If you see a warning about too many open files, you need to increase the
ulimit. See the FAQ for more details.
To have launchd start
elastic/tap/auditbeat and then restart it at login,
brew services start elastic/tap/auditbeat-full
To run Auditbeat in the foreground instead of running it as a background service, run:
PS C:\Program Files\Auditbeat> Start-Service auditbeat
By default the log files are stored in
To verify that your server’s statistics are present in Elasticsearch, issue the following command:
curl -XGET 'http://localhost:9200/auditbeat-*/_search?pretty'
Make sure that you replace
localhost:9200 with the address of your Elasticsearch
On Windows, if you don’t have cURL installed, simply point your browser to the URL.