I installed Elasticsearch and Auditbeat service version 8.15.2 for Ubuntu Server 22.04. After host reboot, auditbeat inactive and not send log to ELK node.
service auditbeat status
○ auditbeat.service - Audit the activities of users and processes on your system.
Loaded: loaded (/lib/systemd/system/auditbeat.service; disabled; vendor pre>
Active: inactive (dead)
Docs: https://www.elastic.co/beats/auditbeat
Hello and welcome?
Did you restart the service? What error did you get when you restart it?
The service is listed as disabled so it will not restart on reboots, you need to manually start it or enable it.
systemctl start auditbeat to start it
and systemctl enable auditbeat to enable it.
Error is auditbeat not working and it not send log to elastic.
I wanna restart auditbeat automationly, auditbeat can do it??
You didn't say if you restart it or not.
Did you run systemctl start auditbeat? Did it work? Did it give you any error?
The service is disabled, so it will not restart after a reboot, you need to enable it with the commands shared in the previous post.
To start it use systemctl start auditbeat.
To enable it so it will restart after a reboot use systemctl enable auditbeat.
Also, this seems unrelated to auditbeat, it seems just a systemd misconfiguration.
Edit: corrected the enable command.
Yeah, i forget it. Auditbeat actived, then i reboot host and auditbeat inactive.
Auditbeat not work normally, miss log for mornitoring system until i restart it manually. This is so inconvenient because i have many hosts.
So i should have a shell executing active Auditbeat whenever host reboot/ shutdown or configure of auditbeat can perform it to i not start it manually?
If you run systemctl enable auditbeat it should start when the host is rebooted.
Probleam was solved.
I'm really grateful for your help
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.