After reading this from the Auditbeat docs, it looks like it is saying it is a replacement for auditd in Linux. Is this the intended use case for Auditbeat?
When running Auditbeat with the auditd module enabled, you might find that other monitoring tools interfere with Auditbeat. For example, you might encounter errors if another process, such as auditd, is registered to receive data from the Linux Audit Framework. You can use these commands to see if the auditd service is running and stop it