Questions about Auditd Manager

Hi, a question on Auditd Manager Integration after reading the Overview:

  1. so it acts similarly to auditd service which reads and saves audit info from the kernel but instead of saving it to disk; it sends it to elastic.
  2. thus; auditd service should be disabled or else the two will just write similar data and waste space (one to disk and the other to elastic). worse is the elastic agent is also collecting auditd logs and sending them back to elastic.

so auditd manager is a replacement for auditd for this purpose?

The Audit Manager is effectively the auditd module from Auditbeat.

so it acts similarly to auditd service which reads and saves audit info from the kernel but instead of saving it to disk; it sends it to elastic.

Yes, it listens to the same kernel audit messages as the auditd daemon. It joins the individual messages that related to the same audit event ID into a single event and does some enrichment (similar to ausearch --interpret).

thus; auditd service should be disabled or else the two will just write similar data and waste space (one to disk and the other to elastic). worse is the elastic agent is also collecting auditd logs and sending them back to elastic.

It can run parallel to the Linux auditd daemon if used in a listen-only manner (i.e. elastic agent does not manage any kernel audit rules). Unless you have some requirement to keep the auditd daemon running and writing to disk, you should be able to use the integration on its own.

Thank you Andrew for your reply. It clarified a lot.