My systems are required to have auditd operating and immutable. Can auditbeat be configured to work with immutable auditd? If so, how?
If you need to keep the auditd daemon running then I would recommend using Auditbeat with socket_type: multicast (docs). In this mode it will receive a copy of the audit events from the kernel, and the auditd process can be left as is.
That will work while auditd is set to immutable?
It should. It doesn't modify any kernel rules or set itself as the audit PID.
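Putting the thread's advice into a concrete configuration, as an added example (not from the original posts or from the Auditbeat project itself): the Auditbeat auditd module in multicast mode, alongside an immutable auditd rule set. The module option names are Auditbeat's real ones; the audit.rules contents and the comment about where rules live are assumptions about a typical deployment.

```yaml
# /etc/auditbeat/auditbeat.yml (assumed path)
auditbeat.modules:
  - module: auditd
    # multicast: subscribe to the kernel's audit multicast group and receive a
    # copy of every event. Auditbeat never registers itself as the audit PID,
    # so the existing auditd daemon keeps running and keeps writing its log.
    socket_type: multicast
    # Do not declare audit_rules here. With the kernel's audit config locked
    # (immutable), any rule change would be rejected until reboot; rules stay
    # owned by auditd's own rule files (assumption about this deployment).
    resolve_ids: true
    # silent: do not interfere with the kernel's own failure handling, which is
    # already fixed by the immutable auditd configuration.
    failure_mode: silent

# Expected auditd side, e.g. /etc/audit/rules.d/99-finalize.rules (assumed):
#   -w /etc/passwd -p wa -k identity      # constructed sample rule
#   -e 2                                  # lock the config: immutable until reboot
# Verify the lock before trusting the setup: `auditctl -s` reports "enabled 2"
# when immutable; Auditbeat in multicast mode still receives the events it
# generates because it only reads, never modifies, the rule set.
```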