Auditbeat - Log to a file

All,

First time working with anything from Elastic, and I was starting with Auditbeat. I installed the package and the default configuration works. But if I want to log to a file to test the FIM, Auditbeat fails to start with this error:

May 13 00:04:00 instance-1 systemd[1]: auditbeat.service: main process exited, code=exited, status=1/FAILURE
May 13 00:04:00 instance-1 systemd[1]: Unit auditbeat.service entered failed state.
May 13 00:04:00 instance-1 systemd[1]: auditbeat.service failed.
May 13 00:04:01 instance-1 systemd[1]: auditbeat.service holdoff time over, scheduling restart.
May 13 00:04:01 instance-1 systemd[1]: start request repeated too quickly for auditbeat.service
May 13 00:04:01 instance-1 systemd[1]: Failed to start auditbeat.
May 13 00:04:01 instance-1 systemd[1]: Unit auditbeat.service entered failed state.
May 13 00:04:01 instance-1 systemd[1]: auditbeat.service failed.

I copied the config directly from the manual so maybe I am misunderstanding how these configs are supposed to look.

#------------------------------- File output -----------------------------------
output.file:
  enabled: true
  path: "/tmp/auditbeat"
  filename: auditbeat
  rotate_every_kb: 10000
  number_of_files: 7
  permissions: 0600

Can you point me to where I might be going wrong on this one?

Hey, can you enable debug logging and review auditbeat.log for what is causing this?
ref: https://www.elastic.co/guide/en/beats/auditbeat/current/configuration-logging.html

Thanks for replying so quickly. Found my problem shortly after posting. Seems you can't have the default output and a file output enabled at the same time. Once I disabled the default one it worked.

1 Like
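A pre-flight check for the mistake found above (two outputs active at once), written as an added example rather than anything from Elastic: it scans a Beats-style YAML file for top-level `output.<name>:` sections and counts the ones that are enabled, treating a section without an `enabled` key as enabled, which is how Beats behaves. It only understands the flat layout of the reference config, not arbitrary YAML, and the sample configs are constructed from the poster's snippet.

```python
"""Flag a Beats (here Auditbeat) config that enables more than one output.

Added example, not Elastic's code. It parses only the flat `output.<name>:`
layout of the reference config (one section per top-level key, settings
indented beneath it), which is enough for a quick check before restarting
the service.
"""
import re
from typing import Dict, List, Optional

SECTION = re.compile(r"^output\.([A-Za-z_]+):\s*$")
ENABLED = re.compile(r"^\s+enabled:\s*(true|false)\s*$", re.IGNORECASE)


def enabled_outputs(config_text: str) -> List[str]:
    """Return the names of output sections that are active.

    A section counts as enabled unless it carries `enabled: false`; a missing
    `enabled` key means enabled, which is why the default Elasticsearch output
    stays on even when only the file output is edited. Comments are ignored.
    """
    state: Dict[str, bool] = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            state[current] = True  # enabled until an explicit `enabled: false`
            continue
        if not line[0].isspace():
            current = None  # any other top-level key ends the output section
            continue
        m = ENABLED.match(line)
        if m and current is not None:
            state[current] = m.group(1).lower() == "true"
    return [name for name, on in state.items() if on]


def check_single_output(config_text: str) -> Optional[str]:
    """Return an error message unless exactly one output is enabled."""
    active = enabled_outputs(config_text)
    if len(active) == 1:
        return None
    if not active:
        return "no output enabled"
    return "multiple outputs enabled: " + ", ".join(active)


# Constructed sample: the poster's file output added while the default
# Elasticsearch output section is still present and therefore still active.
BROKEN = """\
output.elasticsearch:
  hosts: ["localhost:9200"]

output.file:
  enabled: true
  path: "/tmp/auditbeat"
  filename: auditbeat
  rotate_every_kb: 10000
  number_of_files: 7
  permissions: 0600
"""
# Same config with the default output explicitly switched off.
FIXED = BROKEN.replace("output.elasticsearch:\n", "output.elasticsearch:\n  enabled: false\n")
```

Running `check_single_output` over a config before restarting the service turns the opaque `status=1/FAILURE` into a named cause; `auditbeat test config -c <file>` performs the authoritative validation once the file parses.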