diff --git a/filebeat.yml b/filebeat.yml
index 398af52..ffd30bc 100644
--- a/filebeat.yml
+++ b/filebeat.yml
@@ -19,6 +19,7 @@ output.elasticsearch:
   index: "vault-audit-%{+yyyy.MM.dd}"
 
 path.home: /opt/filebeat
+path.data: /var/log/vault/es-audit
 
 setup.template.enabled: true
 setup.template.name: "vault-audit"