Auditbeat running with Auditd

Looking for some feedback on running auditbeat with auditd.

Seems these two data points contradict each other.

Blog says they run side by side

6.3 Docs Say turn it off

Can someone explain what will happen or why it's recommended to turn auditd off? I am currently running with both on and all seems fine, but I don't want to move to production and find out something is going to crash.

Read through the description of socket_type on the docs page you linked above.

To run the two simultaneously you must use the multicast socket_type in Auditbeat and you must not set any audit_rules in your Auditbeat config (they will be managed by auditd).

auditbeat.modules:
- module: auditd
  socket_type: multicast

This lets Auditbeat receive a broadcast of the audit messages (just like journald does).

If you don't define any rules AND you have kernel 3.16+ then Auditbeat will use multicast by default, but it's best to be explicit in your config IMO.
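The rules in the reply above (multicast when auditd stays on, no audit_rules in the Auditbeat config in that case, multicast only on 3.16+ kernels, and an explicit socket_type rather than relying on the default) are easy to get wrong in a fleet of mixed hosts. The following pre-flight check is an added example written for this page; it is not code from the thread, from Auditbeat or from Elastic. The auditbeat module config is modelled as a plain dict mirroring the YAML keys (module, socket_type, audit_rules), so it runs offline without a YAML library; the function names, the sample kernel strings and the auditd_running flag are assumptions made for the example.

```python
"""Pre-flight check for running Auditbeat's auditd module next to auditd.

Added example for this thread, not Auditbeat's own code. The module config
is a dict with the same keys as the YAML (module, socket_type, audit_rules);
kernel version and auditd state are passed in so the check runs offline.
"""
import re

# The audit netlink multicast group (what socket_type: multicast reads)
# exists in Linux 3.16 and later.
MULTICAST_MIN_KERNEL = (3, 16)


def parse_kernel_version(uname_r):
    """Turn a `uname -r` string such as '3.10.0-1160.el7.x86_64' into (3, 10)."""
    m = re.match(r"(\d+)\.(\d+)", uname_r)
    if not m:
        raise ValueError("unrecognised kernel version: %r" % uname_r)
    return int(m.group(1)), int(m.group(2))


def has_audit_rules(module):
    """True when the module config carries any non-empty audit_rules."""
    rules = module.get("audit_rules", "")
    if isinstance(rules, list):
        return any(str(r).strip() for r in rules)
    return bool(str(rules).strip())


def effective_socket_type(module, kernel):
    """Reproduce the default described in the thread: an explicit socket_type
    wins; otherwise multicast only when no rules are set and the kernel is
    3.16+; unicast in every other case."""
    explicit = module.get("socket_type")
    if explicit:
        return explicit
    if not has_audit_rules(module) and kernel >= MULTICAST_MIN_KERNEL:
        return "multicast"
    return "unicast"


def check_auditd_module(module, uname_r, auditd_running):
    """Return a list of (level, message) findings; empty means safe to ship."""
    findings = []
    kernel = parse_kernel_version(uname_r)
    socket_type = effective_socket_type(module, kernel)
    rules = has_audit_rules(module)

    if "socket_type" not in module:
        findings.append(("warning",
                         "socket_type not set; Auditbeat would pick '%s' on this "
                         "host, set it explicitly" % socket_type))
    if socket_type == "multicast" and kernel < MULTICAST_MIN_KERNEL:
        findings.append(("error",
                         "socket_type multicast needs kernel 3.16+, host runs %d.%d"
                         % kernel))
    if socket_type == "multicast" and rules:
        findings.append(("error",
                         "audit_rules set together with socket_type multicast; "
                         "rules must be managed by auditd instead"))
    if socket_type == "unicast" and auditd_running:
        findings.append(("error",
                         "socket_type unicast while auditd is running; stop auditd "
                         "or switch to socket_type multicast"))
    return findings


if __name__ == "__main__":
    # Constructed inputs: the config from the reply on a host that keeps auditd on.
    good = {"module": "auditd", "socket_type": "multicast"}
    for level, msg in check_auditd_module(good, "4.15.0-20-generic", True):
        print(level, msg)
    # Constructed: rules in Auditbeat's config plus multicast, a common mistake.
    bad = {"module": "auditd", "socket_type": "multicast",
           "audit_rules": "-w /etc/passwd -p wa -k identity"}
    for level, msg in check_auditd_module(bad, "4.15.0-20-generic", True):
        print(level, msg)
```

Run it once per host class before rollout; anything at level error means the Auditbeat and auditd combination on that host is not the supported side-by-side setup from the reply above.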
