In Ubuntu 18.04, auditbeat logs go to syslog rather than /var/log/auditbeat

Hi All,
Good morning
I am using Ubuntu 18.04. I have auditbeat installed and running on my system. In the auditbeat.yml file I have given the following:

logging.level: info
path.logs: /var/log/auditbeat

When I check for the logs, the log files are not created in "/var/log/auditbeat"; instead I see them in /var/log/syslog. Suspecting permission issues, I have given chmod 777 to /var/log/auditbeat [not a good idea, but for troubleshooting].

Guidance requested to send the logs to /var/log/auditbeat rather than to syslog.
Joseph John


I would like to update and give this feedback: while giving
auditbeat -c /etc/auditbeat/auditbeat.yml
the logs go to the specified log dir.
I also did my package update; now my package details are:

Elasticsearch 7.4.2, Kibana 7.4.2, Auditbeat 7.4.2, Filebeat 7.4.2, Logstash 7.4.2-1, Metricbeat 7.4.2

Is anyone facing the same issues with Ubuntu 18.04?
Joseph John

Hi Joseph,

To make sure I understand, auditbeat -c /etc/auditbeat/auditbeat.yml works as expected but when you start it via systemctl or similar it logs to syslog?

Can you try also setting logging.to_files: true?

With systemd the logs are automatically output to stderr so that they are picked up in journald (all beats behave this way with their default systemd unit file). See for details, including how to change the behavior.
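
The behaviour described in the reply above, as an added example that is not part of the original thread or Elastic's own code: a shell check that reads unit text such as the output of `systemctl cat auditbeat` and reports where the logs will go, plus a helper that writes a drop-in clearing the `-e` flag. It assumes the packaged unit passes `-e` through the `BEAT_LOG_OPTS` variable, as Beats 7.x unit files do; the function names, the `logging.conf` file name and the sample unit text are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. Assumption: the packaged unit sets
# Environment="BEAT_LOG_OPTS=-e", which makes the beat log to stderr.

# Constructed sample of what `systemctl cat auditbeat` might print.
SAMPLE_UNIT='[Service]
Environment="BEAT_LOG_OPTS=-e"
ExecStart=/usr/share/auditbeat/bin/auditbeat $BEAT_LOG_OPTS'

# Print the effective BEAT_LOG_OPTS value from unit text on stdin.
# systemd applies drop-ins after the main unit, so the last assignment wins.
effective_log_opts() {
  sed -n 's/^[[:space:]]*Environment="\{0,1\}BEAT_LOG_OPTS=\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' \
    | tail -n 1
}

# Classify unit text on stdin:
#   journald - "-e" is in effect, output goes to stderr and on to journald/syslog
#   files    - "-e" is cleared, logging.* and path.logs in auditbeat.yml apply
#   unknown  - the unit does not set BEAT_LOG_OPTS at all
log_destination() {
  ld_unit=$(cat)
  if ! printf '%s\n' "$ld_unit" | grep -Eq '^[[:space:]]*Environment="?BEAT_LOG_OPTS='; then
    echo unknown
    return 0
  fi
  ld_opts=$(printf '%s\n' "$ld_unit" | effective_log_opts)
  case " $ld_opts " in
    *" -e "*) echo journald ;;
    *)        echo files ;;
  esac
}

# Write a drop-in that clears "-e" into the directory given as $1.
# "logging.conf" is a hypothetical file name; any *.conf name works.
write_file_logging_dropin() {
  mkdir -p "$1"
  printf '[Service]\nEnvironment="BEAT_LOG_OPTS="\n' > "$1/logging.conf"
}
```

On a real host the drop-in directory is `/etc/systemd/system/auditbeat.service.d`, and the change takes effect after `systemctl daemon-reload` and a restart of the auditbeat service.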

