Start Auditbeat
Before starting Auditbeat:
- Follow the steps in Quick start: installation and configuration to install, configure, and set up the Auditbeat environment.
- Make sure Kibana and Elasticsearch are running.
- Make sure the user specified in auditbeat.yml is authorized to publish events.
To start Auditbeat, run:
sudo service auditbeat start
Also see Auditbeat and systemd.
sudo chown root auditbeat.yml
sudo ./auditbeat -e
- You’ll be running Auditbeat as root, so you need to change ownership of the configuration file, or run Auditbeat with --strict.perms=false specified. See Config File Ownership and Permissions.
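A pre-start check for the ownership requirement above, as an added example that is not part of the Auditbeat documentation. It assumes the rule from the Beats documentation on config file permissions (the file is owned by root or by the user running the Beat, and is not writable by group or others); `file_uid_mode`, `check_beat_config` and the script name `check.sh` are hypothetical.

```shell
#!/bin/sh
# Added example: pre-start check of Auditbeat config ownership and mode.

# Print "<owner uid> <octal mode>", following symlinks.
# Tries GNU stat (Linux) first, then BSD stat (macOS).
file_uid_mode() {
    stat -L -c '%u %a' "$1" 2>/dev/null || stat -L -f '%u %Lp' "$1" 2>/dev/null
}

# check_beat_config FILE RUN_UID   (hypothetical helper name)
# Assumed rule: FILE must be owned by root or RUN_UID and must not be
# writable by group or others.
# Returns 0 = ok, 1 = wrong owner, 2 = group/other writable, 3 = cannot stat.
check_beat_config() {
    cfg=$1
    run_uid=$2
    info=$(file_uid_mode "$cfg") || return 3
    owner=${info%% *}
    mode=${info##* }
    if [ "$owner" -ne 0 ] && [ "$owner" -ne "$run_uid" ]; then
        echo "$cfg: owner uid $owner, expected 0 or $run_uid (fix: sudo chown root $cfg)" >&2
        return 1
    fi
    # Leading 0 makes the shell read the mode as octal; 022 = group/other write bits.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "$cfg: mode $mode is writable by group or others (fix: chmod go-w $cfg)" >&2
        return 2
    fi
    return 0
}

# Usage: sh check.sh auditbeat.yml [uid]   (uid defaults to 0, i.e. root)
if [ "$#" -gt 0 ]; then
    check_beat_config "$1" "${2:-0}" && echo "$1: ok"
fi
```

Running this before `sudo ./auditbeat -e` shows which fix is needed, so the permission check does not have to be disabled with `--strict.perms=false`.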
PS C:\Program Files\auditbeat> Start-Service auditbeat
By default, Windows log files are stored in C:\ProgramData\auditbeat\Logs.