Auditbeat auditd module vs. elastic agent auditd integration

What is the difference between using the auditbeat auditd module and using the elastic agent auditd integration?

How can I use the elastic agent auditd integration with a custom auditd rules file or any other configuration option I can set in auditbeat.yml?
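For reference, this is what the Auditbeat-side configuration the question refers to looks like: the auditd module in auditbeat.yml accepting both a rules-file glob and inline auditctl-syntax rules. It is an added example, not part of the thread; the rules directory path and the rule set itself are assumptions chosen for illustration.

```yaml
# auditbeat.yml (added example, not from the thread)
auditbeat.modules:
  - module: auditd
    # Extra rule files in auditctl syntax; the directory is an assumed path
    audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
    # Inline rules, applied after the files above (assumed example rule set)
    audit_rules: |
      ## Watch identity files for writes and attribute changes
      -w /etc/passwd -p wa -k identity
      -w /etc/shadow -p wa -k identity
      -w /etc/sudoers -p wa -k identity
      ## Record privilege changes by 64-bit processes
      -a always,exit -F arch=b64 -S setuid,setgid -k privilege_change
    # Resolve uid/gid numbers to names in the events
    resolve_ids: true
    # Log rather than abort when the kernel rejects a rule
    failure_mode: silent
```

Auditbeat logs a warning for each rule the kernel rejects (for example a duplicate of one already loaded), so check its log after a configuration change to confirm the intended rule set is active.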

Did you look into the documentation? Auditd module | Filebeat Reference [8.11] | Elastic

Although Filebeat is able to parse logs by using the auditd module, Auditbeat offers more advanced features for monitoring audit logs.

Speaking of elastic-agent, this is a bit of a different approach where you need to deploy an instance of elastic-agent and enroll it with Fleet in Kibana. After that, you can change the auditd configuration using the Kibana UI.

Thanks for the explanation.

Do I get it right: The elastic-agent auditd integration is using the filebeat auditd module under the hood and not the auditbeat auditd module?

Is there documentation of what the elastic-agent integrations are doing and what beats they replace? For example, it seems that the elastic-agent "Windows" integration is using auditbeat? But is it also installing sysmon?
