On CentOS 6, using beats 6.4.0, I create custom configs in /etc/"beat"/"beat".yml.
After deploying Filebeat and Packetbeat I end up with "beat".yml.rpmnew, and they work as intended.
But with Auditbeat, I end up with the default example auditbeat.yml only, having replaced my own auditbeat.yml. This in turn include the 32-bit sample rules in /etc/auditbeat/audit_rules.d/ effectively bricking the installation.
I use ansible to install my beats, and the Filebeat, Packetbeat and Auditbeat roles are identical in their setup, so I am pretty sure the problem is upstream..
Has anyone else seen this?