Auditbeat not starting on Startup - Mac

Bill.S.Preston · February 11, 2020, 3:37pm

I can't seem to get my auditbeat to start sending data to my ElastaCloud from my Mac. Every time I start it I need to execute the following commands and it won't log until that point

./auditbeat setup
./auditbeat -e

Any idea what I need to do to get this running from Start up?

Michael_Madden · February 11, 2020, 4:06pm

Hello, when you installed auditbeat, did you use download the tar file for macOS or use brew?

https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-installation.html

If you use the version available in brew, it integrates with launchd to start the service.

https://www.elastic.co/guide/en/beats/auditbeat/current/auditbeat-starting.html

Bill.S.Preston · February 11, 2020, 4:21pm

Hi Michael,

I downloaded the tar file for macOS using the following commands from the Auditbeat setup on Elastacloud

curl -L -O https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-7.5.2-darwin-x86_64.tar.gz
tar xzvf auditbeat-7.5.2-darwin-x86_64.tar.gz

I don't have brew on my Mac. I'm running this as a poc at the moment so reluctant to go down that route if I can avoid it

Michael_Madden · February 11, 2020, 5:51pm

Hi Bill,

The tarball for auditbeat on macOS does not include the plist file needed for launchd. There's a older thread that outlines setting up filebeat on macOS. The manual process should be pretty similar for auditbeat.

Additionally, you could review the brew forumla for auditbeat to find which steps are needed to manually create the needed plist file for auditbeat.

github.com

elastic/homebrew-tap/blob/master/Formula/auditbeat-full.rb

class AuditbeatFull < Formula
  desc "Lightweight Shipper for Audit Data"
  homepage "https://www.elastic.co/products/beats/auditbeat"
  url "https://artifacts.elastic.co/downloads/beats/auditbeat/auditbeat-7.15.2-darwin-x86_64.tar.gz?tap=elastic/homebrew-tap"
  version "7.15.2"
  sha256 "238022cb1a9e8af8353bf2e8865c76d9b871628641f82bd92e245b8513141514"
  conflicts_with "auditbeat"
  conflicts_with "auditbeat-oss"

  bottle :unneeded

  def install
    ["fields.yml", "ingest", "kibana", "module"].each { |d| libexec.install d if File.exist?(d) }
    (libexec/"bin").install "auditbeat"
    (etc/"auditbeat").install "auditbeat.yml"
    (etc/"auditbeat").install "modules.d" if File.exist?("modules.d")

    (bin/"auditbeat").write <<~EOS
      #!/bin/sh
      exec #{libexec}/bin/auditbeat \

This file has been truncated. show original

Please let us know if you have additional questions.

Bill.S.Preston · February 12, 2020, 8:34am

Thanks Michael. I will review the thread and the brew formula and see if I can figure out how to get this working.

Thanks for your assistance and the clarity on Auditbeat for Mac

Michael_Madden · February 16, 2020, 2:39am

Hello,

You're welcome. Please let us know if you hit any issues with the auditbeat setup for macOS.

system · March 8, 2020, 2:40am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat run at startup Beats filebeat	6	706	June 17, 2022
Deploying Filebeat on MacOS X Beats filebeat	15	11999	July 5, 2017
Ship Auditbeat logs directly to Elastic Cloud (MacOS) Beats auditbeat	2	323	March 18, 2020
[macOS 10.15.7] Cannot execute filebeat, auditbeat, or metricbeat Beats filebeat , metricbeat , auditbeat	3	340	June 13, 2023
Unable to start Auditbeat on LXC container Beats auditbeat	9	3953	November 4, 2022

Auditbeat not starting on Startup - Mac

Related topics