Step 3: Load the index template in Elasticsearchedit

In Elasticsearch, index templates are used to define settings and mappings that determine how fields should be analyzed.

The recommended index template file for Auditbeat is installed by the Auditbeat packages. If you accept the default configuration for template loading in the auditbeat.yml config file, Auditbeat loads the template automatically after successfully connecting to Elasticsearch. If the template already exists, it’s not overwritten unless you configure Auditbeat to do so.

If you want to disable automatic template loading, or you want to load your own template, you can change the settings for template loading in the Auditbeat configuration file. If you choose to disable automatic template loading, you need to load the template manually. For more information, see:

Configure template loadingedit

By default, Auditbeat automatically loads the recommended template file, fields.yml, if Elasticsearch output is enabled. You can configure auditbeat to load a different template by adjusting the and setup.template.fields options in auditbeat.yml file: "auditbeat"
setup.template.fields: "path/to/fields.yml"
setup.template.overwrite: false

By default, if a template already exists in the index, it is not overwritten. To overwrite an existing template, set setup.template.overwrite: true in the configuration file.

To disable automatic template loading, set setup.template.enabled: false.

The options for auto loading the template are not supported if you are using the Logstash output.

Load the template manuallyedit

If you disable automatic template loading, you can run the setup command to load the template manually.

deb, rpm, and mac:

./auditbeat setup --template


Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator). If you are running Windows XP, you may need to download and install PowerShell.

From the PowerShell prompt, change to the directory where you installed Auditbeat, and run:

PS > auditbeat setup --template

If you’ve already used Auditbeat to index data into Elasticsearch, the index may contain old documents. After you load the index template, you can delete the old documents from auditbeat-* to force Kibana to look at the newest documents. Use this command:

curl -XDELETE 'http://localhost:9200/auditbeat-*'

Pass credentialsedit

If you’ve secured Elasticsearch and Kibana, you need to pass credentials when you run Auditbeat commands. You can specify credentials from the command line, or in the config file. For example, from the command line, specify:

auditbeat setup --template -e -E output.elasticsearch.username=elastic -E output.elasticsearch.password=elastic

See Step 2: Configure Auditbeat for more information about specifying credentials in the config file.