Looking for some feedback on running auditbeat with auditd.
Seems these two data points contradict each other.
Blog says they run side by side
Can someone explain what will happen or why it's recommended to turn auditd off? I am currently running with both on and all seems fine but don' want to move to production and find out something is going to crash.
Read through the description of socket_type on the docs page you linked above.
To run the two simultaneously you must use the multicast socket_type in Auditbeat and you must not set any audit_rules in your Auditbeat config (they will be managed by auditd).
auditbeat.modules:
- module: auditd
socket_type: multicast
This let's Auditbeat receive a broadcast of the audit messages (just like journald does).
If you don't define any rules AND you have kernel 3.16+ then Auditbeat will use multicast by default, but it's best to be explicit in your config IMO.
This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.