Start Auditbeat [auditbeat-starting]

Before starting Auditbeat:

• Follow the steps in Quick start: installation and configuration to install, configure, and set up the Auditbeat environment.
• Make sure {{kib}} and {{es}} are running.
• Make sure the user specified in auditbeat.yml is authorized to publish events.

To start Auditbeat, run:

:::::::{tab-set}

::::::{tab-item} DEB

sudo service auditbeat start

Also see Auditbeat and systemd. ::::::

::::::{tab-item} RPM

sudo service auditbeat start

Also see Auditbeat and systemd. ::::::

::::::{tab-item} MacOS

sudo chown root auditbeat.yml <1>
sudo ./auditbeat -e

1. You’ll be running Auditbeat as root, so you need to change ownership of the configuration file, or run Auditbeat with --strict.perms=false specified. See Config File Ownership and Permissions. ::::::

::::::{tab-item} Linux

sudo chown root auditbeat.yml <1>
sudo ./auditbeat -e

1. You’ll be running Auditbeat as root, so you need to change ownership of the configuration file, or run Auditbeat with --strict.perms=false specified. See Config File Ownership and Permissions. ::::::

::::::{tab-item} Windows

PS C:\Program Files\auditbeat> Start-Service auditbeat

By default Windows log files are stored in C:\Program Files\Auditbeat-Data\logs.

:::{note} In versions before 9.0.6, the default location for Windows log files was C:\ProgramData\auditbeat\logs. ::: ::::::

:::::::