Auditbeat vs Winlogbeat

Hi There,

Today i tested install auditbeat on windows with default configuration. It seem like it works with few questions and notes.

  1. delivered dashboards are not so usable. I foud that user related audits are completely missing. Logon attempts etc. I tryed to find it in documentation but I failed. Informations are missing.

  2. file intergrity is also very usefull module, but there are some things that i am missing. One thing is who is owner of changed file and much more important information is who performed update / delete. This information is missing. Please add it. It will make a sense to use it.

  3. perfect information you can find with process monitoring.

  4. amazing feature would be get list of installed roles, subroles and features. For system audit very useful information.

it was my first touch with Auditbeat on windows. I am already using winlogbeat and metricbeat.
Except point 4, i am able to get all information from winlog. point one is default in security log, point 2 after enabling auditing in NTFS, point 3 you can uses sysmon and then read infos in log.
point 4 only not at all. So for point 1-3 why to use auditmon? I can imagine only if you are not windows admin and you dont understand to GPO, eventlog, sysmon it can be much more easier.
What am I missing?



Hi @Jan_Kaspar, I think it makes perfect sense to use Winlogbeat if you're happy with it. Auditbeat was developed for Linux first, and so not all functionality is available on Windows. The documentation should say which module/dataset supports which platforms.


thanks for the answer. I was asking because of SIEM module. I am very interested in it. I would like to use it as much as it is possible.


This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.