How to install Auditbeat on Linux

This guide walks you through installing the Auditbeat agent on Linux, for use with our SIEM service.

Written by Matthew Elliott
Updated over a week ago

Auditbeat is an agent that collects system-level data and sends it to our SIEM platform for storage and analysis. This software is different from the log collector we asked you to configure in this guide.

During your SIEM onboarding, our Platform Engineering team will send you a deployment pack containing all of the software you need for us to start collecting your logs. This pack will contain a folder called auditbeat, which is what you'll need for this guide.

Install scripts are provided for both CentOS/RHEL and Ubuntu/Debian. The correct script for your operating system should be copied to the target server, made executable, and run as root. For example, on a machine running CentOS:

# Make the script executable
sudo chmod +x auditbeat-install-centos.sh
# Run the script
sudo ./auditbeat-install-centos.sh


The script adds the correct repository for your operating system, installs auditbeat, and sets the configuration files.

Once the script has finished, you'll need to edit one of the configuration files to point it to the correct collector IP address. Run the command below to start editing (feel free to use your editor of choice if nano isn't for you):

sudo nano /etc/auditbeat/auditbeat.yml

Find the Logstash output section of the file and change the below line, replacing 192.168.0.1 with the IP address of your collector:

hosts: ["192.168.0.1:5044"]

After making any config changes, always restart the service using the command below:

sudo systemctl restart auditbeat.service

And that's it! Auditbeat should start forwarding logs to your collector and you can ask your Customer Success Executive to verify if we're receiving your logs.
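To catch an unedited or mistyped collector address yourself, the script below checks the Logstash output section and then runs Auditbeat's own `test config` and `test output` subcommands. It is an added example, not one of the scripts from the deployment pack; the function names are hypothetical, and it assumes the file uses the stock Beats layout (an uncommented `output.logstash:` key followed by an indented `hosts:` line).

```shell
#!/usr/bin/env bash
# Added example (not from the deployment pack): check the collector address
# set in the Logstash output section before or after restarting Auditbeat.
# Assumption: stock Beats layout, "output.logstash:" then an indented "hosts:".

# Print each host:port of the active (uncommented) output.logstash section.
logstash_hosts() {
  awk '
    /^output\.logstash:/ { in_ls = 1; next }   # entering the section
    /^[^ \t#]/           { in_ls = 0 }         # another top-level key ends it
    in_ls && /^[ \t]+hosts:/ {
      sub(/^.*hosts:[ \t]*\[/, "")             # drop everything up to "["
      sub(/\].*$/, "")                         # drop "]" and what follows
      print
    }
  ' "$1" | tr -d "\"' " | tr ',' '\n' | sed '/^$/d'
}

# Return non-zero if no collector is set, the guide's example address is
# still in place (assumed to mean the edit was skipped), or a port is missing.
check_collector() {
  local cfg="$1" hosts h rc=0
  hosts=$(logstash_hosts "$cfg")
  if [ -z "$hosts" ]; then
    echo "no active output.logstash hosts found in $cfg" >&2
    return 1
  fi
  for h in $hosts; do
    case $h in
      192.168.0.1:*) echo "example address still set: $h" >&2; rc=1 ;;
      *:*)           echo "collector: $h" ;;
      *)             echo "missing port: $h" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# On a host with Auditbeat installed (run as root so the config is readable),
# follow the check with Auditbeat's built-in config and connectivity tests.
cfg=/etc/auditbeat/auditbeat.yml
if command -v auditbeat >/dev/null 2>&1 && [ -r "$cfg" ]; then
  check_collector "$cfg" &&
    auditbeat test config -c "$cfg" &&
    auditbeat test output -c "$cfg"
fi
```

A failing `test output` usually means the collector IP is wrong or port 5044 is blocked between the server and the collector.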
