| navigation_title | Quick start | ||
|---|---|---|---|
| mapped_pages | |||
| applies_to |
|
This guide describes how to get started quickly with audit data collection. You’ll learn how to:
- install Auditbeat on each system you want to monitor
- specify the location of your audit data
- parse log data into fields and send it to {{es}}
- visualize the log data in {{kib}}
% TO DO: Update :class: screenshot

You need {{es}} for storing and searching your data, and {{kib}} for visualizing and managing it.
:::::::{applies-switch}
::::::{applies-item} ess: ga To get started quickly, spin up an {{ech}} deployment. {{ech}} is available on AWS, GCP, and Azure. Try it out for free. ::::::
::::::{applies-item} self: ga To install and run {{es}} and {{kib}}, see Installing the {{stack}}. ::::::
:::::::
Install Auditbeat on all the servers you want to monitor.
To download and install Auditbeat, use the commands that work with your system:
:::::::{tab-set} :group: platform
::::::{tab-item} DEB :sync: deb
curl -L -O https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-{{version.stack}}-amd64.deb
sudo dpkg -i auditbeat-{{version.stack}}-amd64.deb::::::
::::::{tab-item} RPM :sync: rpm
curl -L -O https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-{{version.stack}}-x86_64.rpm
sudo rpm -vi auditbeat-{{version.stack}}-x86_64.rpm::::::
::::::{tab-item} MacOS :sync: macos
curl -L -O https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-{{version.stack}}-darwin-x86_64.tar.gz
tar xzvf auditbeat-{{version.stack}}-darwin-x86_64.tar.gz::::::
::::::{tab-item} Linux :sync: linux
curl -L -O https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-{{version.stack}}-linux-x86_64.tar.gz
tar xzvf auditbeat-{{version.stack}}-linux-x86_64.tar.gz::::::
::::::{tab-item} Windows :sync: windows
-
Download the Auditbeat Windows zip file.
-
Extract the contents of the zip file into
C:\Program Files. -
Rename the
auditbeat-[version]-windows-x86_64directory toAuditbeat. -
Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator).
-
From the PowerShell prompt, run the following commands to install Auditbeat as a Windows service:
PS > cd 'C:\Program Files\Auditbeat'
PS C:\Program Files\Auditbeat> .\install-service-auditbeat.ps1:::{note}
If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example: PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-auditbeat.ps1.
:::
:::{important} :applies_to: stack: ga 9.0.6+!
The base folder has changed from C:\ProgramData\ to C:\Program Files\
because the latter has stricter permissions. The home path (base for
state and logs) is now C:\Program Files\Auditbeat-Data.
The install script (install-service-auditbeat.ps1) will check whether
C:\ProgramData\Auditbeat exits and move it to C:\Program Files\Auditbeat-Data.
For more details on the installation script refer to: install script.
:::
:::::: :::::::
The commands shown are for AMD platforms, but ARM packages are also available. Refer to the download page for the full list of available packages.
Connections to {{es}} and {{kib}} are required to set up Auditbeat.
Set the connection information in auditbeat.yml. To locate this configuration file, see Directory layout.
:::::::{applies-switch}
::::::{applies-item} ess: ga Specify the cloud.id of your {{ech}} deployment, and set cloud.auth to a user who is authorized to set up Auditbeat. For example:
cloud.id: "staging:dXMtZWFzdC0xLmF3cy5mb3VuZC5pbyRjZWM2ZjI2MWE3NGJmMjRjZTMzYmI4ODExYjg0Mjk0ZiRjNmMyY2E2ZDA0MjI0OWFmMGNjN2Q3YTllOTYyNTc0Mw=="
cloud.auth: "auditbeat_setup:YOUR_PASSWORD" <1>- This examples shows a hard-coded password, but you should store sensitive values in the secrets keystore. ::::::
::::::{applies-item} self: ga
-
Set the host and port where Auditbeat can find the {{es}} installation, and set the username and password of a user who is authorized to set up Auditbeat. For example:
output.elasticsearch: hosts: ["https://myEShost:9200"] username: "auditbeat_internal" password: "YOUR_PASSWORD" <1> ssl: enabled: true ca_trusted_fingerprint: "b9a10bbe64ee9826abeda6546fc988c8bf798b41957c33d05db736716513dc9c" <2>
- This example shows a hard-coded password, but you should store sensitive values in the secrets keystore.
- This example shows a hard-coded fingerprint, but you should store sensitive values in the secrets keystore. The fingerprint is a HEX encoded SHA-256 of a CA certificate, when you start {{es}} for the first time, security features such as network encryption (TLS) for {{es}} are enabled by default. If you are using the self-signed certificate generated by {{es}} when it is started for the first time, you will need to add its fingerprint here. The fingerprint is printed on {{es}} start up logs, or you can refer to connect clients to {{es}} documentation for other options on retrieving it. If you are providing your own SSL certificate to {{es}} refer to Auditbeat documentation on how to setup SSL.
-
If you plan to use our pre-built {{kib}} dashboards, configure the {{kib}} endpoint. Skip this step if {{kib}} is running on the same host as {{es}}.
setup.kibana: host: "mykibanahost:5601" <1> username: "my_kibana_user" <2> <3> password: "YOUR_PASSWORD"
- The hostname and port of the machine where {{kib}} is running, for example,
mykibanahost:5601. If you specify a path after the port number, include the scheme and port:http://mykibanahost:5601/path. - The
usernameandpasswordsettings for {{kib}} are optional. If you don’t specify credentials for {{kib}}, Auditbeat uses theusernameandpasswordspecified for the {{es}} output. - To use the pre-built {{kib}} dashboards, this user must be authorized to view dashboards or have the
kibana_adminbuilt-in role.
- The hostname and port of the machine where {{kib}} is running, for example,
:::::: :::::::
To learn more about required roles and privileges, see Grant users access to secured resources.
::::{note} You can send data to other outputs, such as {{ls}}, but that requires additional configuration and setup. ::::
Auditbeat uses modules to collect audit information.
By default, Auditbeat uses a configuration that’s tailored to the operating system where Auditbeat is running.
To use a different configuration, change the module settings in auditbeat.yml.
The following example shows the file_integrity module configured to generate events whenever a file in one of the specified paths changes on disk:
auditbeat.modules:
- module: file_integrity
paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc::::{tip}
To test your configuration file, change to the directory where the Auditbeat binary is installed, and run Auditbeat in the foreground with the following options specified: ./auditbeat test config -e. Make sure your config files are in the path expected by Auditbeat (see Directory layout), or use the -c flag to specify the path to the config file.
::::
For more information about configuring Auditbeat, also see:
- Configure Auditbeat
- Config file format
auditbeat.reference.yml: This reference configuration file shows all non-deprecated options. You’ll find it in the same location asauditbeat.yml.
Auditbeat comes with predefined assets for parsing, indexing, and visualizing your data. To load these assets:
-
Make sure the user specified in
auditbeat.ymlis authorized to set up Auditbeat. -
From the installation directory, run:
:::::::{tab-set} :group: platform
::::::{tab-item} DEB :sync: deb
auditbeat setup -e
::::::
::::::{tab-item} RPM :sync: rpm
auditbeat setup -e
::::::
::::::{tab-item} MacOS :sync: macos
./auditbeat setup -e
::::::
::::::{tab-item} Linux :sync: linux
./auditbeat setup -e
::::::
::::::{tab-item} Windows :sync: windows
PS > .\auditbeat.exe setup -e
:::::: :::::::
-eis optional and sends output to standard error instead of the configured log output.
By default Windows log files are stored in C:\Program Files\Auditbeat-Data\logs.
:::{note}
In versions before 9.0.6, the default location for Windows log files was C:\ProgramData\auditbeat\logs.
:::
This step loads the recommended index template for writing to {{es}} and deploys the sample dashboards for visualizing the data in {{kib}}.
:::{tip} A connection to {{es}} (or {{ech}}) is required to set up the initial environment. If you're using a different output, such as {{ls}}, see and . :::
Before starting Auditbeat, modify the user credentials in auditbeat.yml and specify a user who is authorized to publish events.
To start Auditbeat, run:
:::::::{tab-set} :group: platform
::::::{tab-item} DEB :sync: deb
sudo service auditbeat start:::{note}
If you use an init.d script to start Auditbeat, you can’t specify command line flags (see Command reference). To specify flags, start Auditbeat in the foreground.
:::
Also see Auditbeat and systemd. ::::::
::::::{tab-item} RPM :sync: rpm
sudo service auditbeat start:::{note}
If you use an init.d script to start Auditbeat, you can’t specify command line flags (see Command reference). To specify flags, start Auditbeat in the foreground.
:::
Also see Auditbeat and systemd. ::::::
::::::{tab-item} MacOS :sync: macos
sudo chown root auditbeat.yml <1>
sudo ./auditbeat -e- You’ll be running Auditbeat as root, so you need to change ownership of the configuration file, or run Auditbeat with
--strict.perms=falsespecified. See Config File Ownership and Permissions. ::::::
::::::{tab-item} Linux :sync: linux
sudo chown root auditbeat.yml <1>
sudo ./auditbeat -e- You’ll be running Auditbeat as root, so you need to change ownership of the configuration file, or run Auditbeat with
--strict.perms=falsespecified. See Config File Ownership and Permissions. ::::::
::::::{tab-item} Windows :sync: windows
PS C:\Program Files\auditbeat> Start-Service auditbeatBy default Windows log files are stored in C:\Program Files\Auditbeat-Data\logs.
:::{note}
In versions before 9.0.6, the default location for Windows log files was C:\ProgramData\auditbeat\logs.
:::
::::::
:::::::
Auditbeat should begin streaming events to {{es}}.
If you see a warning about too many open files, you need to increase the ulimit. See the FAQ for more details.
To make it easier for you to start auditing the activities of users and processes on your system, Auditbeat comes with pre-built {{kib}} dashboards and UIs for visualizing your data.
To open the dashboards:
-
Launch {{kib}}:
:::::::{applies-switch} :group: deployment
::::::{applies-item} ess: ga :sync: hosted
- Log in to your {{ecloud}} account.
- Navigate to the {{kib}} endpoint in your deployment. ::::::
::::::{applies-item} self: ga :sync: self Point your browser to http://localhost:5601, replacing
localhostwith the name of the {{kib}} host. :::::::::::::
-
In the side navigation, click Discover. To see Auditbeat data, make sure the predefined
auditbeat-*data view is selected.::::{tip} If you don’t see data in {{kib}}, try changing the time filter to a larger range. By default, {{kib}} shows the last 15 minutes. ::::
-
In the side navigation, click Dashboard, then select the dashboard that you want to open.
The dashboards are provided as examples. We recommend that you customize them to meet your needs.
Now that you have audit data streaming into {{es}}, learn how to unify your logs, metrics, uptime, and application performance data.
-
Ingest data from other sources by installing and configuring other Elastic {{beats}}:
Elastic {{beats}} To capture {{metricbeat}} Infrastructure metrics {{filebeat}} Logs {{winlogbeat}} Windows event logs {{heartbeat}} Uptime information APM Application performance metrics -
Use the Observability apps in {{kib}} to search across all your data:
Elastic apps Use to {{metrics-app}} Explore metrics about systems and services across your ecosystem {{logs-app}} Tail related log data in real time {{uptime-app}} Monitor availability issues across your apps and services APM app Monitor application performance {{siem-app}} Analyze security events