Send data via Auditbeat to your Logstash instance provided by


A log shipper designed for audit data.

Auditbeat is an open source shipping agent that lets you ship audit data to one or more destinations, including Logstash.

Step 1 - Install Auditbeat

deb (Debian/Ubuntu/Mint)

curl -L -O
sudo dpkg -i auditbeat-oss-7.6.2-amd64.deb

rpm (CentOS/RHEL/Fedora)

curl -L -O
sudo rpm -vi auditbeat-oss-7.6.2-x86_64.rpm


mac

curl -L -O
tar xzvf auditbeat-oss-7.6.2-darwin-x86_64.tar.gz


win

  • Download the auditbeat Windows zip file from the official downloads page.
  • Extract the contents of the zip file into C:\Program Files.
  • Rename the auditbeat-<version>-windows directory to auditbeat.
  • Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator). If you are running Windows XP, you may need to download and install PowerShell.
  • Run the following commands to install auditbeat as a Windows service:

PS > cd 'C:\Program Files\auditbeat'
PS C:\Program Files\auditbeat> .\install-service-auditbeat.ps1

If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example:

PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-auditbeat.ps1

My OS isn't here! Don't see your system? Check out the official downloads page for more options (including 32-bit versions).

Step 2 - Locate the configuration file

deb/rpm /etc/auditbeat/auditbeat.yml
mac/win <EXTRACTED_ARCHIVE>/auditbeat.yml

Step 3 - Configure the modules

By default these modules are enabled:

auditbeat.modules:
- module: file_integrity
  # Directories watched for file changes
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
- module: system
  datasets:
    - host    # General host information, e.g. uptime, IPs
    - process # Started and stopped processes
    - socket  # Opened and closed sockets
    - user    # User information

There's also a full example configuration file called auditbeat.reference.yml that shows all the possible options.

Step 4 - Configure output

We'll be shipping to Logstash so that we have the option to run filters before the data is indexed.
Comment out the elasticsearch output block.

## Comment out elasticsearch output
#output.elasticsearch:
#  hosts: ["localhost:9200"]

Uncomment and change the logstash output to match below.

output.logstash:
    hosts: ["your-logstash-host:your-port"]
    loadbalance: true
    ssl.enabled: true
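
A pre-flight check for the Step 4 output settings, as an added example that is not part of the original guide or of Auditbeat itself. The function names `active_block` and `check_output` are hypothetical, and the check assumes the flat dotted key style shown above (`ssl.enabled: true`).

```shell
#!/bin/sh
# Added example: pre-flight check of the Step 4 output settings in auditbeat.yml.
# Assumes the flat, dotted key style shown on this page (ssl.enabled: true),
# not the nested form (ssl: / enabled: true).

# Print the active (non-comment) child lines of one top-level block.
active_block() {   # $1 = config file, $2 = top-level key, e.g. output.logstash
    awk -v key="$2:" '
        /^[ \t]*(#|$)/ { next }                      # skip comments and blanks
        /^[^ \t]/      { inblk = ($1 == key); next } # a top-level key opens or closes a block
        inblk          { print }
    ' "$1"
}

# Return 0 only if events would go to Logstash, over TLS, and nowhere else.
check_output() {   # $1 = path to auditbeat.yml
    cfg=$1; rc=0
    if grep -Eq '^output\.elasticsearch:' "$cfg"; then
        echo "FAIL: output.elasticsearch is still active (Beats allow one output)" >&2
        rc=1
    fi
    if ! grep -Eq '^output\.logstash:' "$cfg"; then
        echo "FAIL: output.logstash is not uncommented" >&2
        return 1
    fi
    # Only look at settings that belong to the logstash block itself.
    blk=$(active_block "$cfg" output.logstash)
    if ! printf '%s\n' "$blk" | grep -Eq '^[[:space:]]+ssl\.enabled:[[:space:]]*true'; then
        echo "FAIL: ssl.enabled is not true under output.logstash" >&2
        rc=1
    fi
    if printf '%s\n' "$blk" | grep -q 'your-logstash-host'; then
        echo "FAIL: hosts still contains the placeholder from the guide" >&2
        rc=1
    fi
    return $rc
}
```

Source the file and run `check_output /etc/auditbeat/auditbeat.yml` before moving on to Step 5; a non-zero exit status means audit events would either not ship or would ship without TLS.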

Step 5 - Validate configuration

Let's check the configuration file is syntactically correct.


deb/rpm

sudo auditbeat -e -c /etc/auditbeat/auditbeat.yml

mac

./auditbeat -e -c auditbeat.yml

win

auditbeat.exe -e -c auditbeat.yml

Step 6 - Start auditbeat

Ok, time to start ingesting data!


deb/rpm

sudo systemctl enable auditbeat
sudo systemctl start auditbeat

win

Start-Service auditbeat

Step 7 - Auditbeat Logging Overview

Auditbeat is one of the most recent additions to Elastic Stack’s Beats. It is primarily used to gather audit data on user activity and processes running on your server’s infrastructure. Additionally, Auditbeat can be used to detect crucial and unexpected changes to configuration files and binaries.

This can be key to helping you identify compliance issues and security violations in your organisation. Once configured, file changes are sent to your output in real time, allowing for optimised visibility of security-related instances. Auditbeat can carry out these tasks and gather data directly, without the need to access Linux’s Auditd.

Centralising your Auditbeat event data using a log management system such as provides a way of easily managing your ELK Stack overheads in one single platform.

If you need any further assistance with migrating your Auditbeat data to Logstash we're here to help you get started. Feel free to reach out by contacting our support team by visiting our dedicated Help Centre or via live chat & we'll be happy to assist.
