Auditbeat Equivalent for Elastic Agent

When will there be an Auditbeat-equivalent Integration for Elastic Agent? We are trying to move exclusively to Elastic Agent, but the same monitoring done by Auditbeat is still not yet available that I can see.


There is some documentation on that topic. Have you seen Migrate from Auditbeat to Elastic Agent | Fleet and Elastic Agent Guide [8.6] | Elastic?

1 Like

I have not seen that, but it does not quite appear to be a direct replacement for Auditbeat. Most everything says to use Endpoint or Osquery to gather the same data. We cannot deploy Endpoint, and Osquery is not real-time and quite clunky. Auditbeat was simple and did everything we needed. Has there been any discussion on creating an Auditbeat equivalent Integration?

1 Like

The first line of the table posted in the link above is the Auditd module from Auditbeat.

1 Like

We cannot deploy Endpoint, and Osquery is not real-time and quite clunky.

The Endpoint (rebranded as Elastic Defend) and Osquery integrations are bundled into the Elastic Agent binary. So they will be there if you enable the features through Fleet and already have Elastic Agent installed.

The system.package dataset that's in Auditbeat is going to be exposed through Fleet. So those docs will be updated.

For system.{process,socket,login} I think the data from Elastic Defend is going to be better and it works on more operating systems than Auditbeat. For example Elastic Defend has better ways of getting process data by hooking into the kernel whereas Auditbeat gets process data by periodically grabbing a list of the processes.

And the auditd and file integrity parts are already exposed through Agent.

Hi Andrew,

We cannot deploy Elastic Defend because we already have a corporate anti-virus, and knowing my management, they will not allow two A/V to be installed side-by-side. I tested installing it in my lab environment, but disabled the Malware protections, and it does not appear to record login activity. The settings for Elastic Defend only show File, Network, and Process events for Linux.


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.