--- title: Auditbeat command reference description: Auditbeat provides a command-line interface for starting Auditbeat and performing common tasks, like testing configuration files and loading dashboards... url: https://www.elastic.co/elastic/docs-builder/docs/3028/reference/beats/auditbeat/command-line-options products: - Auditbeat - Beats applies_to: - Elastic Cloud Serverless: Generally available - Elastic Stack: Generally available --- # Auditbeat command reference Auditbeat provides a command-line interface for starting Auditbeat and performing common tasks, like testing configuration files and loading dashboards. The command-line also supports [global flags](#global-flags) for controlling global behaviors. Use `sudo` to run the following commands if: - the config file is owned by `root`, or - Auditbeat is configured to capture data that requires `root` access Some of the features described here require an Elastic license. For more information, see [[https://www.elastic.co/subscriptions](https://www.elastic.co/subscriptions)](https://www.elastic.co/subscriptions) and [License Management](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3028/deploy-manage/license/manage-your-license-in-self-managed-cluster). | Commands | | |---------------------------------|------------------------------------------------------------------------------------------------------------------------------------| | [`export`](#export-command) | Exports the configuration, index template, ILM policy, or a dashboard to stdout. | | [`help`](#help-command) | Shows help for any command. | | [`keystore`](#keystore-command) | Manages the [secrets keystore](https://www.elastic.co/elastic/docs-builder/docs/3028/reference/beats/auditbeat/keystore). | | [`run`](#run-command) | Runs Auditbeat. This command is used by default if you start Auditbeat without specifying a command. | | [`setup`](#setup-command) | Sets up the initial environment, including the index template, ILM policy and write alias, and Kibana dashboards (when available). | | [`test`](#test-command) | Tests the configuration. | | [`version`](#version-command) | Shows information about the current version. | Also see [Global flags](#global-flags). ## `export` command Exports the configuration, index template, ILM policy, or a dashboard to stdout. You can use this command to quickly view your configuration, see the contents of the index template and the ILM policy, or export a dashboard from Kibana. **SYNOPSIS** ```sh auditbeat export SUBCOMMAND [FLAGS] ``` **SUBCOMMANDS** Exports the current configuration to stdout. If you use the `-c` flag, this command exports the configuration that’s defined in the specified file. Exports a dashboard. You can use this option to store a dashboard on disk in a module and load it automatically. For example, to export the dashboard to a JSON file, run: ```shell auditbeat export dashboard --id="DASHBOARD_ID" > dashboard.json ``` To find the `DASHBOARD_ID`, look at the URL for the dashboard in Kibana. By default, `export dashboard` writes the dashboard to stdout. The example shows how to write the dashboard to a JSON file so that you can import it later. The JSON file will contain the dashboard with all visualizations and searches. You must load the index pattern separately for Auditbeat. To load the dashboard, copy the generated `dashboard.json` file into the `kibana/6/dashboard` directory of Auditbeat, and run `auditbeat setup --dashboards` to import the dashboard. If Kibana is not running on `localhost:5061`, you must also adjust the Auditbeat configuration under `setup.kibana`. Exports the index template to stdout. You can specify the `--es.version` flag to further define what gets exported. Furthermore you can export the template to a file instead of `stdout` by defining a directory via `--dir`. Exports the index lifecycle management policy to stdout. You can specify the `--es.version` and a `--dir` to which the policy should be exported as a file rather than exporting to `stdout`. **FLAGS** When used with [`template`](#template-subcommand), exports an index template that is compatible with the specified version. When used with [`ilm-policy`](#ilm-policy-subcommand), exports the ILM policy if the specified ES version is enabled for ILM. Shows help for the `export` command. Define a directory to which the template, pipelines, and ILM policy should be exported to as files instead of printing them to `stdout`. When used with [`dashboard`](#dashboard-subcommand), specifies the dashboard ID. Also see [Global flags](#global-flags). **EXAMPLES** ```sh auditbeat export config auditbeat export template --es.version 9.3.2 auditbeat export dashboard --id="a7b35890-8baa-11e8-9676-ef67484126fb" > dashboard.json ``` ## `help` command Shows help for any command. If no command is specified, shows help for the `run` command. **SYNOPSIS** ```sh auditbeat help COMMAND_NAME [FLAGS] ``` Specifies the name of the command to show help for. **FLAGS** Shows help for the `help` command. Also see [Global flags](#global-flags). **EXAMPLE** ```sh auditbeat help export ``` ## `keystore` command Manages the [secrets keystore](https://www.elastic.co/elastic/docs-builder/docs/3028/reference/beats/auditbeat/keystore). **SYNOPSIS** ```sh auditbeat keystore SUBCOMMAND [FLAGS] ``` **SUBCOMMANDS** Adds the specified key to the keystore. Use the `--force` flag to overwrite an existing key. Use the `--stdin` flag to pass the value through `stdin`. Creates a keystore to hold secrets. Use the `--force` flag to overwrite the existing keystore. Lists the keys in the keystore. Removes the specified key from the keystore. **FLAGS** Valid with the `add` and `create` subcommands. When used with `add`, overwrites the specified key. When used with `create`, overwrites the keystore. When used with `add`, uses the stdin as the source of the key’s value. Shows help for the `keystore` command. Also see [Global flags](#global-flags). **EXAMPLES** ```sh auditbeat keystore create auditbeat keystore add ES_PWD auditbeat keystore remove ES_PWD auditbeat keystore list ``` See [Secrets keystore](https://www.elastic.co/elastic/docs-builder/docs/3028/reference/beats/auditbeat/keystore) for more examples. ## `run` command Runs Auditbeat. This command is used by default if you start Auditbeat without specifying a command. **SYNOPSIS** ```sh auditbeat run [FLAGS] ``` Or: ```sh auditbeat [FLAGS] ``` **FLAGS** Disables publishing for testing purposes. This option disables all outputs except the [File output](https://www.elastic.co/elastic/docs-builder/docs/3028/reference/beats/auditbeat/file-output). Writes CPU profile data to the specified file. This option is useful for troubleshooting Auditbeat. Shows help for the `run` command. Starts an http server for profiling. This option is useful for troubleshooting and profiling Auditbeat. Writes memory profile data to the specified output file. This option is useful for troubleshooting Auditbeat. Specifies the mount point of the host’s filesystem for use in monitoring a host. This flag is depricated, and an alternate hostfs should be specified via the `hostfs` module config value. Also see [Global flags](#global-flags). **EXAMPLE** ```sh auditbeat run -e ``` Or: ```sh auditbeat -e ``` ## `setup` command Sets up the initial environment, including the index template, ILM policy and write alias, and Kibana dashboards (when available) - The index template ensures that fields are mapped correctly in Elasticsearch. If index lifecycle management is enabled it also ensures that the defined ILM policy and write alias are connected to the indices matching the index template. The ILM policy takes care of the lifecycle of an index, when to do a rollover, when to move an index from the hot phase to the next phase, etc. - The Kibana dashboards make it easier for you to visualize Auditbeat data in Kibana. This command sets up the environment without actually running Auditbeat and ingesting data. Specify optional flags to set up a subset of assets. **SYNOPSIS** ```sh auditbeat setup [FLAGS] ``` **FLAGS** Sets up the Kibana dashboards (when available). This option loads the dashboards from the Auditbeat package. For more options, such as loading customized dashboards, see [Importing Existing Beat Dashboards](https://www.elastic.co/elastic/docs-builder/docs/3028/extend/beats/import-dashboards). Shows help for the `setup` command. Sets up components related to Elasticsearch index management including template, ILM policy, and write alias (if supported and configured). Also see [Global flags](#global-flags). **EXAMPLES** ```sh auditbeat setup --dashboards auditbeat setup --index-management ``` ## `test` command Tests the configuration. **SYNOPSIS** ```sh auditbeat test SUBCOMMAND [FLAGS] ``` **SUBCOMMANDS** Tests the configuration settings. Tests that Auditbeat can connect to the output by using the current settings. **FLAGS** Shows help for the `test` command. Also see [Global flags](#global-flags). **EXAMPLE** ```sh auditbeat test config ``` ## `version` command Shows information about the current version. **SYNOPSIS** ```sh auditbeat version [FLAGS] ``` **FLAGS** Shows help for the `version` command. Also see [Global flags](#global-flags). **EXAMPLE** ```sh auditbeat version ``` ## Global flags These global flags are available whenever you run Auditbeat. Overrides a specific configuration setting. You can specify multiple overrides. For example: ```sh auditbeat -E "name=mybeat" -E "output.elasticsearch.hosts=['http://myhost:9200']" ``` This setting is applied to the currently running Auditbeat process. The Auditbeat configuration file is not changed. Specifies the configuration file to use for Auditbeat. The file you specify here is relative to `path.config`. If the `-c` flag is not specified, the default config file, `auditbeat.yml`, is used. Enables debugging for the specified selectors. For the selectors, you can specify a comma-separated list of components, or you can use `-d "*"` to enable debugging for all components. For example, `-d "publisher"` displays all the publisher-related messages. Logs to stderr and disables syslog/file output. For logging purposes, specifies the environment that Auditbeat is running in. This setting is used to select a default log output when no log output is configured. Supported values are: `systemd`, `container`, `macos_service`, and `windows_service`. If `systemd` or `container` is specified, Auditbeat will log to stdout and stderr by default. Sets the path for configuration files. See the [Directory layout](https://www.elastic.co/elastic/docs-builder/docs/3028/reference/beats/auditbeat/directory-layout) section for details. Sets the path for data files. See the [Directory layout](https://www.elastic.co/elastic/docs-builder/docs/3028/reference/beats/auditbeat/directory-layout) section for details. Sets the path for miscellaneous files. See the [Directory layout](https://www.elastic.co/elastic/docs-builder/docs/3028/reference/beats/auditbeat/directory-layout) section for details. Sets the path for log files. See the [Directory layout](https://www.elastic.co/elastic/docs-builder/docs/3028/reference/beats/auditbeat/directory-layout) section for details. Sets strict permission checking on configuration files. The default is `--strict.perms=true`. See [Config file ownership and permissions](https://www.elastic.co/elastic/docs-builder/docs/3028/reference/beats/libbeat/config-file-permissions) for more information. Logs INFO-level messages.