What is the difference between using the auditbeat auditd module and using the elastic agent auditd integration?
How can I use the elastic agent auditd integration with a custom auditd rules file or any other configuration option I can set in auditbeat.yml?
Did you look into the documentation? Auditd module | Filebeat Reference [7.13] | Elastic
Although Filebeat is able to parse logs by using the auditd module, Auditbeat offers more advanced features for monitoring audit logs.
Speaking of elastic-agent, this is a bit of a different approach, where you need to deploy an instance of elastic-agent and enroll it with Fleet in Kibana. After that, you can change the auditd configuration using the Kibana UI.
Thanks for the explanation.
Do I get it right: The elastic-agent auditd integration is using the filebeat auditd module under the hood and not the auditbeat auditd module?
Is there documentation of what the elastic-agent integrations are doing and which beats they replace? For example, it seems that the elastic-agent "Windows" integration is using auditbeat? But is it also installing sysmon?