Send data via Auditbeat to your Logstash instance provided by


A log shipper designed for audit data.

Auditbeat is an open source shipping agent that lets you ship audit data to one or more destinations, including Logstash.

Step 1 - Install Auditbeat

deb (Debian/Ubuntu/Mint)

sudo apt-get install apt-transport-https
wget -qO - | sudo apt-key add -
echo 'deb stable main' | sudo tee /etc/apt/sources.list.d/beats.list

sudo apt-get update && sudo apt-get install auditbeat

rpm (CentOS/RHEL/Fedora)

sudo rpm --import
echo "[elastic-6.x]
name=Elastic repository for 6.x packages
type=rpm-md" | sudo tee /etc/yum.repos.d/elastic-beats.repo

sudo yum install auditbeat

mac (macOS)
curl -L -O 
tar xzvf auditbeat-oss-6.7.1-darwin-x86_64.tar.gz

win (Windows)
  • Download the Auditbeat Windows zip file from the official downloads page.
  • Extract the contents of the zip file into C:\Program Files.
  • Rename the auditbeat-<version>-windows directory to Auditbeat.
  • Open a PowerShell prompt as an Administrator (right-click the PowerShell icon and select Run As Administrator). If you are running Windows XP, you may need to download and install PowerShell.
  • Run the following commands to install Auditbeat as a Windows service:
PS > cd 'C:\Program Files\Auditbeat'
PS C:\Program Files\Auditbeat> .\install-service-auditbeat.ps1
If script execution is disabled on your system, you need to set the execution policy for the current session to allow the script to run. For example: PowerShell.exe -ExecutionPolicy UnRestricted -File .\install-service-auditbeat.ps1.
My OS isn't here! Don't see your system? Check out the official downloads page for more options (including 32-bit versions).

Step 2 - Locate the configuration file

deb/rpm /etc/auditbeat/auditbeat.yml
mac/win <EXTRACTED_ARCHIVE>/auditbeat.yml

Step 3 - Configure the modules

By default these modules are enabled:

auditbeat.modules:

- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc

- module: system
  datasets:
    - host    # General host information, e.g. uptime, IPs
    - process # Started and stopped processes
    - socket  # Opened and closed sockets
    - user    # User information

There's also a full example configuration file called auditbeat.reference.yml that shows all the possible options.

Step 4 - Configure output

We'll be shipping to Logstash so that we have the option to run filters before the data is indexed.
Comment out the elasticsearch output block.

## Comment out elasticsearch output
#output.elasticsearch:
#  hosts: ["localhost:9200"]

Uncomment and change the logstash output to match below.

output.logstash:
    hosts: ["your-logstash-host:your-port"]
    loadbalance: true
    ssl.enabled: true

Step 5 - Validate configuration

Let's check that the configuration file is syntactically correct.

deb/rpm

sudo auditbeat -e -c /etc/auditbeat/auditbeat.yml

mac

./auditbeat -e -c auditbeat.yml

win

auditbeat.exe -e -c auditbeat.yml
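The -e -c run above only tells you the file parses. The script below is an added example, not part of the Auditbeat docs or this page: it checks the Step 4 output section for the things a syntax check will not catch (an elasticsearch output left active, no logstash output, TLS not enabled, the placeholder hostname still in place). It assumes a POSIX shell with grep and sed; the sample config and its hostname are constructed.

```shell
#!/bin/sh
# Added example (not from the Auditbeat docs): check the output section of an
# auditbeat.yml before starting the service. Flags an elasticsearch output that
# is still active, a missing logstash output, a logstash output without TLS,
# and a hosts line that still carries the tutorial placeholder.
# Returns 0 when every check passes, 1 when at least one FAIL line is printed.
check_auditbeat_output() {
  cfg="$1"
  problems=0
  # Only uncommented, non-blank lines count as active configuration.
  active=$(grep -v '^[[:space:]]*#' "$cfg" | grep -v '^[[:space:]]*$' || true)
  if printf '%s\n' "$active" | grep -q '^output\.elasticsearch:'; then
    echo "FAIL: output.elasticsearch is still active; comment it out"
    problems=1
  fi
  if ! printf '%s\n' "$active" | grep -q '^output\.logstash:'; then
    echo "FAIL: output.logstash is not enabled"
    problems=1
  else
    # Lines of the logstash block: from 'output.logstash:' up to the next
    # unindented (top-level) key, or end of file.
    block=$(printf '%s\n' "$active" | sed -n '/^output\.logstash:/,/^[^[:space:]]/p')
    if ! printf '%s\n' "$block" | grep -q '^[[:space:]]*ssl\.enabled:[[:space:]]*true'; then
      echo "FAIL: ssl.enabled is not true; events would leave the host unencrypted"
      problems=1
    fi
    if printf '%s\n' "$block" | grep -q 'your-logstash-host'; then
      echo "FAIL: hosts still contains the placeholder your-logstash-host"
      problems=1
    fi
  fi
  return $problems
}

# Constructed sample config (hostname is made up) that should pass all checks.
sample=$(mktemp)
cat > "$sample" <<'EOF'
auditbeat.modules:
- module: file_integrity
  paths:
  - /etc
#output.elasticsearch:
#  hosts: ["localhost:9200"]
output.logstash:
  hosts: ["logstash.example.internal:5044"]
  loadbalance: true
  ssl.enabled: true
EOF
check_auditbeat_output "$sample" && echo "OK: config ships to Logstash over TLS"
rm -f "$sample"
```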

Step 6 - Start auditbeat

Ok, time to start ingesting data!

deb/rpm (systemd)

sudo systemctl enable auditbeat
sudo systemctl start auditbeat

win (Windows)

Start-Service auditbeat