I'm testing the auditbeat docker image using the kubernetes manifest linked from here:
It appears the auditbeat logs are being written to a file, /usr/share/auditbeat/logs/auditbeat
Filebeat/metricbeat docker images write to stdout, so are available using
kubectl logs <image>
The manifest is missing an arguement, "-e", to send the logs to stdout.
args: [ "-c", "/etc/auditbeat.yml", "-e" ]
Says to logs bugs here before creating an issue.