diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index f3e9438e7dee..e85dcb6a479f 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -82,6 +82,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Process dataset: Fixed a memory leak under Windows. {pull}12100[12100] - Login dataset: Fix re-read of utmp files. {pull}12028[12028] - Package dataset: Fixed a crash inside librpm after Auditbeat has been running for a while. {issue}12147[12147] {pull}12168[12168] +- Fix formatting of config files on macOS and Windows. {pull}12148[12148] *Filebeat* diff --git a/auditbeat/docs/modules/auditd.asciidoc b/auditbeat/docs/modules/auditd.asciidoc index d8221159386a..8868fc75b5a2 100644 --- a/auditbeat/docs/modules/auditd.asciidoc +++ b/auditbeat/docs/modules/auditd.asciidoc @@ -298,5 +298,6 @@ auditbeat.modules: #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access + ---- diff --git a/auditbeat/module/auditd/_meta/config.yml.tmpl b/auditbeat/module/auditd/_meta/config.yml.tmpl index be1e73d152ef..fae5d6a09250 100644 --- a/auditbeat/module/auditd/_meta/config.yml.tmpl +++ b/auditbeat/module/auditd/_meta/config.yml.tmpl @@ -41,4 +41,5 @@ ## Unauthorized access attempts. #-a always,exit -F arch=b{{call .ArchBits .GOARCH}} -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access #-a always,exit -F arch=b{{call .ArchBits .GOARCH}} -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access + {{ end }} diff --git a/auditbeat/module/file_integrity/_meta/config.yml.tmpl b/auditbeat/module/file_integrity/_meta/config.yml.tmpl index 0784375155c7..b8902d70f60a 100644 --- a/auditbeat/module/file_integrity/_meta/config.yml.tmpl +++ b/auditbeat/module/file_integrity/_meta/config.yml.tmpl 
@@ -1,9 +1,9 @@ -{{ if .Reference -}} +{{- if .Reference -}} # The file integrity module sends events when files are changed (created, # updated, deleted). The events contain file metadata and hashes. {{ end -}} - module: file_integrity - {{ if eq .GOOS "darwin" -}} + {{- if eq .GOOS "darwin" }} paths: - /bin - /usr/bin @@ -11,33 +11,34 @@ - /sbin - /usr/sbin - /usr/local/sbin - {{ else if eq .GOOS "windows" -}} +{{ else if eq .GOOS "windows" }} paths: - C:/windows - C:/windows/system32 - C:/Program Files - C:/Program Files (x86) - {{ else -}} +{{ else }} paths: - /bin - /usr/bin - /sbin - /usr/sbin - /etc - {{- end }} -{{ if .Reference }} +{{ end -}} + +{{- if .Reference }} # List of regular expressions to filter out notifications for unwanted files. # Wrap in single quotes to workaround YAML escaping rules. By default no files # are ignored. - {{ if eq .GOOS "darwin" -}} + {{- if eq .GOOS "darwin" }} exclude_files: - '\.DS_Store$' - '\.swp$' - {{ else if eq .GOOS "windows" -}} + {{- else if eq .GOOS "windows" }} exclude_files: - '(?i)\.lnk$' - '(?i)\.swp$' - {{ else -}} + {{- else }} exclude_files: - '(?i)\.sw[nop]$' - '~$' @@ -46,10 +47,10 @@ # List of regular expressions used to explicitly include files. When configured, # Auditbeat will ignore files unless they match a pattern. - {{ if eq .GOOS "windows" -}} + {{- if eq .GOOS "windows" }} #include_files: #- '\\\.ssh($|\\)' - {{ else -}} + {{- else }} #include_files: #- '/\.ssh($|/)' {{- end }} diff --git a/x-pack/auditbeat/module/system/_meta/config.yml.tmpl b/x-pack/auditbeat/module/system/_meta/config.yml.tmpl index 47583a5bd52d..67aacb6a6865 100644 --- a/x-pack/auditbeat/module/system/_meta/config.yml.tmpl +++ b/x-pack/auditbeat/module/system/_meta/config.yml.tmpl 
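Review bot: The `paths` block now separates its branches with left-flush, untrimmed actions (`{{ else if eq .GOOS "windows" }}`, `{{ else }}`, `{{ end -}}`), while the `exclude_files` and `include_files` blocks in the same file use indented `{{- else if ... }}` / `{{- else }}`, and nothing in the template says why the two conventions differ. These lists decide which directories the file integrity module watches on each OS, so a later edit that copies the wrong convention could change the rendered YAML without being noticed. If the difference is intentional, I would record it in a template comment next to the first `paths:` branch, for example `{{/* paths: branch actions are left-flush and untrimmed on purpose; exclude_files/include_files use a leading trim marker */}}`, placed so that it does not add a blank line to the output. If the rendered output is the same either way (not verifiable from these hunks), using the `{{- else ... }}` form throughout would be simpler.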
@@ -7,14 +7,14 @@ - module: system datasets: - host # General host information, e.g. uptime, IPs - {{ if eq .GOOS "linux" -}} + {{- if eq .GOOS "linux" }} - login # User logins, logouts, and system boots. - {{- end }} - {{ if ne .GOOS "windows" -}} + {{- end -}} + {{- if ne .GOOS "windows" }} - package # Installed, updated, and removed packages {{- end }} - process # Started and stopped processes - {{ if eq .GOOS "linux" -}} + {{- if eq .GOOS "linux" }} - socket # Opened and closed sockets - user # User information {{- end }} @@ -28,11 +28,11 @@ # The state.period can be overridden for any dataset. # host.state.period: 12h - {{ if ne .GOOS "windows" -}} + {{- if ne .GOOS "windows" }} # package.state.period: 12h {{- end }} # process.state.period: 12h - {{ if eq .GOOS "linux" -}} + {{- if eq .GOOS "linux" }} # socket.state.period: 12h # user.state.period: 12h {{- end }}
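Review bot: The first `{{- end -}}` in the `datasets` list trims on both sides, unlike every other `{{- end }}` in this file's hunks; it renders correctly only because the next token is another action, `{{- if ne .GOOS "windows" }}`, which would trim that whitespace anyway. Every dataset line ends in a `#` comment, so if an entry is ever inserted between those two actions, the right-hand trim would join it to the preceding line and fold it into that comment. The YAML would still parse and the new dataset would silently not be collected. I would write `{{- end }}` there to match the others. A per-GOOS comparison of the rendered config against expected output would catch this class of regression, which a YAML validity check alone would not; no such check is visible in this diff.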