Start free trial Contact Sales

Auditbeat quick start: installation and configuration

This guide describes how to get started quickly with audit data collection. You’ll learn how to:

install Auditbeat on each system you want to monitor
specify the location of your audit data
parse log data into fields and send it to {es}
visualize the log data in {kib}

Auditbeat Auditd dashboard

Before you begin

You need Elasticsearch for storing and searching your data, and Kibana for visualizing and managing it.

Elasticsearch Service

To get started quickly, spin up a deployment of our hosted Elasticsearch Service. The Elasticsearch Service is available on AWS, GCP, and Azure. Try it out for free.

Self-managed

To install and run Elasticsearch and Kibana, see Installing the Elastic Stack.

Step 1: Install Auditbeat

Install Auditbeat on all the servers you want to monitor.

To download and install Auditbeat, use the commands that work with your system:

DEB

Version 9.0.0-beta1 of Auditbeat has not yet been released.

RPM

Version 9.0.0-beta1 of Auditbeat has not yet been released.

MacOS

Version 9.0.0-beta1 of Auditbeat has not yet been released.

Linux

Version 9.0.0-beta1 of Auditbeat has not yet been released.

Windows

Version 9.0.0-beta1 of Auditbeat has not yet been released.

The commands shown are for AMD platforms, but ARM packages are also available. Refer to the download page for the full list of available packages.

Other installation options

Step 2: Connect to the Elastic Stack

Connections to Elasticsearch and Kibana are required to set up Auditbeat.

Set the connection information in auditbeat.yml. To locate this configuration file, see Directory layout.

Elasticsearch Service

Specify the cloud.id of your Elasticsearch Service, and set cloud.auth to a user who is authorized to set up Auditbeat. For example:

		cloud.id: "staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=="
cloud.auth: "auditbeat_setup:{pwd}" 1

This examples shows a hard-coded password, but you should store sensitive values in the secrets keystore.

Self-managed

Set the host and port where Auditbeat can find the Elasticsearch installation, and set the username and password of a user who is authorized to set up Auditbeat. For example:
```
output.elasticsearch:
  hosts: ["https://myEShost:9200"]
  username: "auditbeat_internal"
  password: "{pwd}" 1
  ssl:
    enabled: true
    ca_trusted_fingerprint: "b9a10bbe64ee9826abeda6546fc988c8bf798b41957c33d05db736716513dc9c" 2
```
1. This example shows a hard-coded password, but you should store sensitive values in the secrets keystore.
2. This example shows a hard-coded fingerprint, but you should store sensitive values in the secrets keystore. The fingerprint is a HEX encoded SHA-256 of a CA certificate, when you start Elasticsearch for the first time, security features such as network encryption (TLS) for Elasticsearch are enabled by default. If you are using the self-signed certificate generated by Elasticsearch when it is started for the first time, you will need to add its fingerprint here. The fingerprint is printed on Elasticsearch start up logs, or you can refer to connect clients to Elasticsearch documentation for other options on retrieving it. If you are providing your own SSL certificate to Elasticsearch refer to Auditbeat documentation on how to setup SSL.
If you plan to use our pre-built Kibana dashboards, configure the Kibana endpoint. Skip this step if Kibana is running on the same host as Elasticsearch.
```
setup.kibana:
  host: "mykibanahost:5601" 1
  username: "my_kibana_user" <2> 23
  password: "{pwd}"
```
1. The hostname and port of the machine where Kibana is running, for example, mykibanahost:5601. If you specify a path after the port number, include the scheme and port: http://mykibanahost:5601/path.
2. The username and password settings for Kibana are optional. If you don’t specify credentials for Kibana, Auditbeat uses the username and password specified for the Elasticsearch output.
3. To use the pre-built Kibana dashboards, this user must be authorized to view dashboards or have the kibana_admin built-in role.

To learn more about required roles and privileges, see Grant users access to secured resources.

Note

You can send data to other outputs, such as Logstash, but that requires additional configuration and setup.

Step 3: Configure data collection modules

Auditbeat uses modules to collect audit information.

By default, Auditbeat uses a configuration that’s tailored to the operating system where Auditbeat is running.

To use a different configuration, change the module settings in auditbeat.yml.

The following example shows the file_integrity module configured to generate events whenever a file in one of the specified paths changes on disk:

		auditbeat.modules:

- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc

	

Tip

To test your configuration file, change to the directory where the Auditbeat binary is installed, and run Auditbeat in the foreground with the following options specified: ./auditbeat test config -e. Make sure your config files are in the path expected by Auditbeat (see Directory layout), or use the -c flag to specify the path to the config file.

For more information about configuring Auditbeat, also see:

Configure Auditbeat
Config file format
auditbeat.reference.yml: This reference configuration file shows all non-deprecated options. You’ll find it in the same location as auditbeat.yml.

Step 4: Set up assets

Auditbeat comes with predefined assets for parsing, indexing, and visualizing your data. To load these assets:

Make sure the user specified in auditbeat.yml is authorized to set up Auditbeat.
From the installation directory, run:

DEB

		auditbeat setup -e
```

RPM

		auditbeat setup -e
```

MacOS

		./auditbeat setup -e
```

Linux

		./auditbeat setup -e
```

Windows

		PS > .\auditbeat.exe setup -e
```

DEB

sudo service auditbeat start

Note

If you use an init.d script to start Auditbeat, you can’t specify command line flags (see Command reference). To specify flags, start Auditbeat in the foreground.

Also see Auditbeat and systemd.

RPM

sudo service auditbeat start

Note

If you use an init.d script to start Auditbeat, you can’t specify command line flags (see Command reference). To specify flags, start Auditbeat in the foreground.

Also see Auditbeat and systemd.

MacOS

		sudo chown root auditbeat.yml 1
sudo ./auditbeat -e

You’ll be running Auditbeat as root, so you need to change ownership of the configuration file, or run Auditbeat with --strict.perms=false specified. See Config File Ownership and Permissions.

Linux

		sudo chown root auditbeat.yml 1
sudo ./auditbeat -e

You’ll be running Auditbeat as root, so you need to change ownership of the configuration file, or run Auditbeat with --strict.perms=false specified. See Config File Ownership and Permissions.

Windows

PS C:\Program Files\auditbeat> Start-Service auditbeat

By default, Windows log files are stored in C:\ProgramData\auditbeat\Logs.

Auditbeat should begin streaming events to Elasticsearch.

If you see a warning about too many open files, you need to increase the ulimit. See the FAQ for more details.

Step 6: View your data in Kibana

To make it easier for you to start auditing the activities of users and processes on your system, Auditbeat comes with pre-built Kibana dashboards and UIs for visualizing your data.

To open the dashboards:

Launch Kibana:

<div class="tabs" data-tab-group="host">
<div role="tablist" aria-label="Open Kibana">
<button role="tab"
aria-selected="true"
aria-controls="cloud-tab-open-kibana"
id="cloud-open-kibana">
Elasticsearch Service
</button>
<button role="tab"
aria-selected="false"
aria-controls="self-managed-tab-open-kibana"
id="self-managed-open-kibana"
tabindex="-1">
Self-managed
</button>
</div>
<div tabindex="0"
role="tabpanel"
id="cloud-tab-open-kibana"
aria-labelledby="cloud-open-kibana">
1. Log in to your Elastic Cloud account.
2. Navigate to the Kibana endpoint in your deployment.
</div>
<div tabindex="0"
role="tabpanel"
id="self-managed-tab-open-kibana"
aria-labelledby="self-managed-open-kibana"
hidden="">
Point your browser to http://localhost:5601, replacing localhost with the name of the Kibana host.

</div>
</div>
In the side navigation, click Discover. To see Auditbeat data, make sure the predefined auditbeat-* data view is selected.

Tip

If you don’t see data in Kibana, try changing the time filter to a larger range. By default, Kibana shows the last 15 minutes.
In the side navigation, click Dashboard, then select the dashboard that you want to open.

The dashboards are provided as examples. We recommend that you customize them to meet your needs.

What’s next?

Now that you have audit data streaming into Elasticsearch, learn how to unify your logs, metrics, uptime, and application performance data.

Ingest data from other sources by installing and configuring other Elastic Beats:

Elastic Beats To capture

Metricbeat Infrastructure metrics

Filebeat Logs

Winlogbeat Windows event logs

Heartbeat Uptime information

APM Application performance metrics

Use the Observability apps in Kibana to search across all your data:

Elastic apps	Use to
Metrics app	Explore metrics about systems and services across your ecosystem
Logs app	Tail related log data in real time
Uptime app	Monitor availability issues across your apps and services
APM app	Monitor application performance
SIEM app	Analyze security events