Auditbeat vs Filebeat with auditd module

Hi - I'm trying to understand the different uses of the Beats agents and have hit a bit of a wall with this one. Functionally, what is the difference between the Auditbeat agent watching Linux audit logs and a Filebeat agent watching the same log files? To me it seems like they would accomplish the same task, but I wanted to hear from those more experienced than I.

Auditbeat will understand and structure auditd data better out of the box, and can also monitor general file issues (as opposed to simply tailing logs like Filebeat) and include metadata that might be useful in incident analysis, etc.

That said, Filebeat is the simplest place to start, and it's good enough for many typical cases, so if you aren't sure which you need I'd say start with Filebeat and consider adding Auditbeat if/when you have specific uses for it or want to migrate from an existing auditd configuration.

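To make the "understand and structure auditd data" point concrete, here is an added example (not from the thread and not Beats code) of what a plain tail of /var/log/audit/audit.log leaves undone and what the auditd modules of Auditbeat and Filebeat do for you: hex-encoded fields are decoded, and the several records that share one audit sequence number are joined into a single event. The sample audit lines are constructed for the example, the syscall-number table is a deliberately tiny x86_64 subset, and the output field names are illustrative rather than Auditbeat's actual ECS mapping.

```python
"""Coalesce raw auditd records into structured events (illustrative, not Beats code)."""
import json
import re
from datetime import datetime, timezone

# Constructed sample: one execve of "cat /etc/shadow" as auditd writes it to
# /var/log/audit/audit.log. These seven lines are invented for this example.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55e0 a2=55f0 a3=8 items=2 ppid=1234 pid=1235 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="exec"
type=EXECVE msg=audit(1700000000.123:456): argc=2 a0="cat" a1="/etc/shadow"
type=CWD msg=audit(1700000000.123:456): cwd="/root"
type=PATH msg=audit(1700000000.123:456): item=0 name="/usr/bin/cat" inode=1000 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1700000000.123:456): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=2000 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PROCTITLE msg=audit(1700000000.123:456): proctitle=636174002F6574632F736861646F77
type=EOE msg=audit(1700000000.123:456):
"""

HEADER = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<seq>\d+)\):\s*(?P<body>.*)$")
# key=value pairs; values are either "quoted" or a bare token. The nested
# msg='...' payload of USER_* records is not unwrapped here.
KV = re.compile(r'(?P<key>[\w-]+)=(?P<val>"[^"]*"|\S*)')
EXECVE_ARG = re.compile(r"^a\d+$")
# Fields auditd hex-encodes (and writes unquoted) when the value holds
# whitespace, quotes or non-printable bytes.
HEX_STRING_FIELDS = {"proctitle", "name", "cwd", "comm", "exe"}
# Tiny x86_64 subset for illustration; a real parser needs the full per-arch table.
SYSCALL_NAMES = {"59": "execve", "2": "open", "257": "openat", "42": "connect"}


def decode_value(rtype, key, raw):
    """Unquote quoted values; hex-decode the fields auditd encodes."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    looks_hex = len(raw) >= 2 and len(raw) % 2 == 0 and all(c in "0123456789abcdefABCDEF" for c in raw)
    # a0..aN are encoded strings only in EXECVE records; in SYSCALL they are raw pointer values.
    encoded = key in HEX_STRING_FIELDS or (rtype == "EXECVE" and EXECVE_ARG.match(key) is not None)
    if looks_hex and encoded:
        return bytes.fromhex(raw).decode("utf-8", "replace").replace("\x00", " ")
    return raw


def parse_records(text):
    """Yield (timestamp, sequence, record_type, fields) for each audit.log line."""
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip partial or malformed lines rather than fail the batch
        rtype = m.group("type")
        fields = {kv.group("key"): decode_value(rtype, kv.group("key"), kv.group("val"))
                  for kv in KV.finditer(m.group("body"))}
        yield m.group("ts"), int(m.group("seq")), rtype, fields


def coalesce_events(text):
    """Group records by sequence number into one event each, as the auditd modules do."""
    open_events, done = {}, []
    for ts, seq, rtype, fields in parse_records(text):
        if rtype == "EOE":  # end-of-event marker closes a multi-record event
            if seq in open_events:
                done.append(open_events.pop(seq))
            continue
        ev = open_events.setdefault(seq, {
            "@timestamp": datetime.fromtimestamp(float(ts), tz=timezone.utc).isoformat(),
            "sequence": seq, "record_types": [], "paths": [],
        })
        ev["record_types"].append(rtype)
        if rtype == "SYSCALL":
            ev["syscall"] = SYSCALL_NAMES.get(fields.get("syscall"), fields.get("syscall"))
            ev["process"] = {k: fields[k] for k in ("pid", "ppid", "comm", "exe") if k in fields}
            ev["user"] = {k: fields[k] for k in ("auid", "uid", "euid") if k in fields}
            ev["success"] = fields.get("success") == "yes"
            ev["key"] = fields.get("key")
        elif rtype == "EXECVE":
            argc = int(fields.get("argc", 0))
            ev["args"] = [fields.get(f"a{i}", "") for i in range(argc)]
        elif rtype == "PATH":  # repeated once per item, so keep a list
            ev["paths"].append({"name": fields.get("name"), "nametype": fields.get("nametype")})
        elif rtype == "CWD":
            ev["cwd"] = fields.get("cwd")
        elif rtype == "PROCTITLE":
            ev["proctitle"] = fields.get("proctitle")
        else:
            ev[rtype.lower()] = fields
    # Single-record events (USER_LOGIN, CRED_ACQ, ...) carry no EOE; flush what is left.
    # A streaming parser would instead flush on a short timeout per sequence number.
    done.extend(open_events.values())
    return done


if __name__ == "__main__":
    print(json.dumps(coalesce_events(SAMPLE_AUDIT_LOG), indent=2))
```

Run against the sample, the seven raw lines (which a bare Filebeat `log`/`filestream` input would ship as seven separate documents with only a `message` field) become one event with the decoded command line `cat /etc/shadow`, the executing user, the working directory and the resolved paths. That is the shaping the auditd modules give you; note also that Auditbeat's auditd module reads events from the kernel over the audit netlink socket rather than from the file, which is why the Auditbeat docs warn about running it alongside an auditd daemon that also owns that socket.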

Gotcha thanks for the detailed answer!
