Start Auditbeat
Before starting Auditbeat:
- Follow the steps in Quick start: installation and configuration to install, configure, and set up the Auditbeat environment.
- Make sure Kibana and Elasticsearch are running.
- Make sure the user specified in
auditbeat.ymlis authorized to publish events.
To start Auditbeat, run:
sudo service auditbeat start
Note
If you use an init.d script to start Auditbeat, you can’t specify command line flags (see Command reference). To specify flags, start Auditbeat in the foreground.
Also see Auditbeat and systemd.
sudo service auditbeat start
Note
If you use an init.d script to start Auditbeat, you can’t specify command line flags (see Command reference). To specify flags, start Auditbeat in the foreground.
Also see Auditbeat and systemd.
sudo chown root auditbeat.yml 1
sudo ./auditbeat -e
- You’ll be running Auditbeat as root, so you need to change ownership of the configuration file, or run Auditbeat with
--strict.perms=falsespecified. See Config File Ownership and Permissions.
sudo chown root auditbeat.yml 1
sudo ./auditbeat -e
- You’ll be running Auditbeat as root, so you need to change ownership of the configuration file, or run Auditbeat with
--strict.perms=falsespecified. See Config File Ownership and Permissions.
PS C:\Program Files\auditbeat> Start-Service auditbeat
By default, Windows log files are stored in C:\ProgramData\auditbeat\Logs.