In Ubuntu 18.04, auditbeat logs go to syslog rather than /var/log/auditbeat

Hi All,
Good morning
I am using Ubuntu 18.04. I have auditbeat installed and running on my system, and in the auditbeat.yml file I have given the following:

logging.level: info
path.logs: /var/log/auditbeat

When I check for the logs, the log files are not created in "/var/log/auditbeat"; instead I see them in
/var/log/syslog. Doubting permission issues, I have given chmod 777 to /var/log/auditbeat [not a good idea, but for troubleshooting].

Guidance requested to send the logs to /var/log/auditbeat rather than to syslog.
thanks
Joseph John

Kibana version:
7.4.1
Elasticsearch version:
7.4.1
APM Server version:
7.4.1
filebeat version:
7.4.1
APM Agent language and version:
NA
Logstash version
7.4.1-1

I would like to update and give this feedback:
when running
auditbeat -c /etc/auditbeat/auditbeat.yml
the logs go to the specified log dir.
I also did my package update, now my package details are

Elasticsearch 7.4.2, Kibana 7.4.2, Auditbeat 7.4.2, FileBeat 7.4.2, LogStash 7.4.2-1, Metricbeat 7.4.2

Is anyone facing the same issues with Ubuntu 18.04?
Thanks
Joseph John

Hi Joseph,

To make sure I understand, auditbeat -c /etc/auditbeat/auditbeat.yml works as expected but when you start it via systemctl or similar it logs to syslog?

Can you try also setting logging.to_files: true?

With systemd the logs automatically output to stderr so that they are picked up in journald (all beats behave this way with their default systemd unit file). See https://www.elastic.co/guide/en/beats/auditbeat/7.4/running-with-systemd.html for details, including how to change the behavior.

2 Likes
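
The behavior change mentioned in the reply above, written out as a systemd drop-in. This is an added example, not text from the thread or from Elastic; it assumes the packaged 7.x unit passes `$BEAT_LOG_OPTS` (default `-e`) to the binary as the linked page describes, and the drop-in file name `logging.conf` is a hypothetical choice.

```ini
# /etc/systemd/system/auditbeat.service.d/logging.conf
# (file name is hypothetical; systemd reads any *.conf in this directory)
#
# Packaged default, for comparison:
#   Environment="BEAT_LOG_OPTS=-e"
# "-e" sends log output to stderr, which systemd hands to journald and,
# on Ubuntu 18.04, rsyslog copies into /var/log/syslog.

[Service]
# Clear the option so auditbeat is started without "-e" and falls back to
# the file output configured in auditbeat.yml:
#   logging.level: info
#   logging.to_files: true
#   path.logs: /var/log/auditbeat
Environment="BEAT_LOG_OPTS="

# Apply and check:
#   systemctl daemon-reload
#   systemctl restart auditbeat
#   systemctl show auditbeat --property=Environment
#   ls -l /var/log/auditbeat
```

Running `auditbeat -c /etc/auditbeat/auditbeat.yml` by hand already omits `-e`, which is why that invocation wrote to the configured directory while the service did not.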
