Is Auditbeat a replacement for auditd in Linux?

After reading this from the auditbeat docs it looks like it is saying it is a replacement for auditd in Linux. Is this the intended use case for auditbeat?

When running Auditbeat with the auditd module enabled, you might find that other monitoring tools interfere with Auditbeat.

For example, you might encounter errors if another process, such as auditd, is registered to receive data from the Linux Audit Framework. You can use these commands to see if the auditd service is running and stop it.

It can be used alongside auditd (assuming you have a new enough kernel version) or as an alternative to auditd.

Great. Thanks. Out of the box, how does the data collection compare to a standard install of, say, CentOS and the base config of what auditd collects?

Auditbeat can do more things than auditd. For example, Auditbeat has a separate module for monitoring the integrity of files (it will send a file hash of each file). And more modules are being added.

In terms of auditd rules, I'm not sure what CentOS ships with. Auditbeat has a few minimal example rules that are commented out by default. Both tools share the same rule format, so you can find many examples on the internet of auditd rules that you can use with Auditbeat. These are some good ones that are mapped to the ATT&CK framework.
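To make the two points in that reply concrete (auditd-format rules reused in Auditbeat, and the separate file integrity module), here is an added auditbeat.yml fragment; it is example configuration written for this thread, not from the Auditbeat docs or the poster. The watched paths, the rule keys, the rule-file glob and the choice of multicast (which reads the audit stream next to a running auditd on kernels 3.16+, otherwise stop auditd first) are assumptions to adjust per host.

```yaml
# Added example (not from the thread): auditbeat.yml fragment pairing the
# auditd module with the file_integrity module. Rules use auditctl syntax,
# so an existing auditd rule set can be dropped in unchanged.
# Paths, keys, the glob and socket_type are assumptions for illustration.
auditbeat.modules:
- module: auditd
  # multicast: coexist with a running auditd (Linux 3.16+).
  # unicast: Auditbeat is the sole consumer; auditd must be stopped.
  socket_type: multicast
  resolve_ids: true        # map uid/gid to names in the event
  failure_mode: silent     # do not panic the kernel on audit failure
  backlog_limit: 8192
  rate_limit: 0
  # Inline rules in auditctl format; -k keys tag the resulting events.
  audit_rules: |
    ## Identity and privilege files: watch writes and attribute changes
    -w /etc/passwd -p wa -k identity
    -w /etc/group -p wa -k identity
    -w /etc/sudoers -p wa -k priv_esc
    -w /etc/sudoers.d/ -p wa -k priv_esc
    ## Process execution (high volume; scope to what you can store)
    -a always,exit -F arch=b64 -S execve -k exec
    -a always,exit -F arch=b32 -S execve -k exec
    ## Kernel module load/unload
    -a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k modules
  # Extra rule files, e.g. a published auditd rule set copied as-is
  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]

- module: file_integrity
  # Hash and watch system binaries and configuration; changes are
  # reported as create/update/delete events with the new hash.
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
  exclude_files:
  - '(?i)\.sw[nop]$'   # editor swap files
  - '~$'               # editor backups
  hash_types: [sha256]
  scan_at_start: true
  max_file_size: 100 MiB
```

Rule syntax can be checked against the kernel before shipping with `auditctl -R` on a test host, since Auditbeat will reject the same malformed lines auditctl does.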

