Because of the way file monitoring is implemented on macOS, you may see a warning similar to the following:
eventreader_fsnotify.go:42: WARN [audit.file] Failed to watch /usr/bin: too many open files (check the max number of open files allowed with 'ulimit -a')
To resolve this issue, run Auditbeat with the ulimit set to a larger value, for example:
sudo sh -c 'ulimit -n 8192 && ./auditbeat -e'
Or:
sudo su
ulimit -n 8192
./auditbeat -e
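To pick a value instead of guessing, the following added example (not part of the Auditbeat documentation) compares the current soft limit with the number of entries under the watched paths. It assumes the macOS watcher holds about one descriptor per watched directory and per entry directly inside it; the function names, the `MARGIN` value and the sample paths are hypothetical.

```shell
#!/bin/sh
# Added example: size `ulimit -n` for the paths Auditbeat will watch.
# Assumption: the macOS watcher holds about one descriptor per watched
# directory and per entry directly inside it.

MARGIN=256   # constructed headroom for logs, sockets and outputs

# count_entries DIR... : prints directories plus their immediate entries
count_entries() {
    total=0
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        total=$(( total + $(find "$dir" -maxdepth 1 | wc -l) ))
    done
    echo "$total"
}

# suggested_limit DIR... : prints the descriptor count to request
suggested_limit() {
    echo $(( $(count_entries "$@") + MARGIN ))
}

# needs_raise LIMIT DIR... : succeeds when LIMIT is too low for DIR...
needs_raise() {
    limit=$1
    shift
    [ "$limit" = "unlimited" ] && return 1
    [ "$(suggested_limit "$@")" -gt "$limit" ]
}

# Sample paths; replace them with the paths from your own configuration.
if needs_raise "$(ulimit -n)" /usr/bin /usr/sbin; then
    echo "soft limit $(ulimit -n) is too low; start with: ulimit -n $(suggested_limit /usr/bin /usr/sbin)"
else
    echo "soft limit $(ulimit -n) is sufficient"
fi
```

A limit that is too low means some paths go unwatched, so run the check again whenever the list of monitored paths changes.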