Migrate from Auditbeat to Elastic Agent

Before you begin, read Migrate from Beats to Elastic Agent to learn how to deploy Elastic Agent and install integrations.

Then come back to this page to learn about the integrations available to replace functionality provided by Auditbeat.

Compatibility

The integrations that replace the auditd and file_integrity modules (Auditd Manager, Auditd Logs, and File Integrity Monitoring) are only available in Elastic Stack version 8.3 and later.

Replace Auditbeat modules with Elastic Agent integrations

The following table describes the integrations you can use instead of Auditbeat modules and datasets. Where a module's datasets map to different integrations, each dataset is listed in its own row.

If you use | You can use this instead | Notes
--- | --- | ---
Auditd module | Auditd Manager integration | Direct replacement for the module. You can port your audit rules and configuration to this integration. Starting in Elastic Stack 8.4, you can also set the immutable flag in the audit configuration.
Auditd module | Auditd Logs integration | Use this integration if you do not need to manage audit rules: it only parses logs written by the audit daemon (auditd). Its events differ from those of Auditd Manager: Auditd Manager merges all related messages (the records that share one audit event ID) into a single event, while Auditd Logs creates one event per message.
File Integrity module | File Integrity Monitoring integration | Direct replacement for the module. It reports real-time events but cannot report who made a change. If you need that information, use Elastic Defend instead.
System module | It depends | No single integration collects everything the System module did; see the per-dataset rows below.
system.host dataset | Osquery or Osquery Manager integration | Schedule collection of host information.
system.login dataset | Elastic Defend (Endpoint) | Report login events.
system.login dataset | Osquery or Osquery Manager integration | Use the osquery last table on Linux and macOS.
system.login dataset | Fleet System integration | Collect login events on Windows from the Security event log.
system.package dataset | Osquery or Osquery Manager integration | Schedule collection of installed-package information.
system.process dataset | Elastic Defend (Endpoint) | Best replacement: out of the box it reports events for every process in ECS format and has excellent integration in Kibana.
system.process dataset | Custom Windows Event Log and Sysmon integrations | Provide process data on Windows.
system.process dataset | Osquery or Osquery Manager integration | Collect data from the processes table, or, on OSes where osquery supports the evented process_events table, collect process events without polling.
system.socket dataset | Elastic Defend (Endpoint) | Best replacement: supports monitoring network connections on Linux, Windows, and macOS and includes process and user metadata. It currently does not do flow accounting (byte and packet counts) or domain-name enrichment, but it does collect DNS queries separately.
system.socket dataset | Osquery or Osquery Manager integration | Monitor socket events through the socket_events table on Linux and macOS.
system.user dataset | Osquery or Osquery Manager integration | Monitor local users through the users table on Linux, Windows, and macOS.
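The difference between Auditd Logs and Auditd Manager noted in the table (one event per audit message versus one event per audit serial) in runnable form. This is an added example on constructed audit.log lines, not Elastic's own parser; the way fields are folded together (argv rebuilt from EXECVE, PROCTITLE hex-decoded, PATH items collected in a list, other record types kept namespaced by type) is this example's own choice.

```python
"""Why Auditd Logs and Auditd Manager emit different events.

auditd writes several records per kernel event, all carrying the same
msg=audit(<timestamp>:<serial>) header.  Auditd Logs yields one event per
record; Auditd Manager folds every record sharing a serial into one event.
Added illustration on constructed sample lines, not Elastic's own parser.
"""
import re
from typing import Dict, List, Optional

# Constructed sample in raw /var/log/audit/audit.log format.  The USER_LOGIN
# record (serial 4568) is deliberately interleaved with the records of serial
# 4567: auditd may do this, so grouping must key on the serial, not adjacency.
SAMPLE_LINES = [
    'type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=59 '
    'success=yes exit=0 ppid=1234 pid=1235 auid=1000 uid=1000 gid=1000 '
    'euid=1000 ses=3 comm="cat" exe="/usr/bin/cat" key="exec"',
    'type=EXECVE msg=audit(1700000000.123:4567): argc=2 a0="cat" a1="/etc/passwd"',
    'type=CWD msg=audit(1700000000.123:4567): cwd="/home/alice"',
    'type=USER_LOGIN msg=audit(1700000001.500:4568): pid=900 uid=0 auid=1000 '
    'ses=4 msg=\'op=login id=1000 exe="/usr/sbin/sshd" hostname=10.0.0.5 '
    'addr=10.0.0.5 terminal=/dev/pts/0 res=success\'',
    'type=PATH msg=audit(1700000000.123:4567): item=0 name="/etc/passwd" '
    'inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0 nametype=NORMAL',
    'type=PROCTITLE msg=audit(1700000000.123:4567): '
    'proctitle=636174002F6574632F706173737764',
]

HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value pairs; values may be 'single-quoted', "double-quoted" or bare.
KV_RE = re.compile(r"""(\w+)=('(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|\S*)""")


def parse_kv(body: str) -> Dict[str, str]:
    """Parse the key=value body of one record, unquoting values."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(body):
        value = raw
        if len(value) >= 2 and value[0] in "\"'" and value[-1] == value[0]:
            value = value[1:-1]
        if key == "msg" and "=" in value:   # USER_* records nest a second kv list in msg='...'
            fields.update(parse_kv(value))
        else:
            fields[key] = value
    return fields


def parse_record(line: str) -> Optional[dict]:
    """Split one audit line into type, timestamp, serial and parsed fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    return {"type": m["type"], "timestamp": float(m["ts"]),
            "serial": int(m["serial"]), "fields": parse_kv(m["body"])}


def decode_proctitle(value: str) -> str:
    """auditd hex-encodes PROCTITLE when the command line holds NUL separators."""
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return value   # already printable; auditd only hex-encodes unsafe strings
    return raw.replace(b"\x00", b" ").decode("utf-8", "replace").rstrip()


def per_message_events(lines: List[str]) -> List[dict]:
    """Auditd Logs behaviour: one event per audit record."""
    return [r for r in (parse_record(line) for line in lines) if r]


def merge_records(records: List[dict]) -> dict:
    """Fold the records of one audit event (same serial) into a flat event."""
    event: dict = {"timestamp": records[0]["timestamp"], "serial": records[0]["serial"],
                   "record_types": [r["type"] for r in records], "paths": []}
    for rec in records:
        f, kind = rec["fields"], rec["type"]
        if kind == "SYSCALL":
            event.update(f)                      # who/what: pid, uid, exe, key ...
        elif kind == "EXECVE":                   # argv is split over a0..aN
            argc = int(f.get("argc", "0"))
            event["argv"] = [f[f"a{i}"] for i in range(argc) if f"a{i}" in f]
        elif kind == "CWD":
            event["cwd"] = f.get("cwd", "")
        elif kind == "PATH":                     # one PATH record per path item
            event["paths"].append(f)
        elif kind == "PROCTITLE":
            event["proctitle"] = decode_proctitle(f.get("proctitle", ""))
        else:                                    # anything else stays namespaced by type
            event.setdefault("records", []).append({kind: f})
    return event


def coalesce(lines: List[str]) -> List[dict]:
    """Auditd Manager behaviour: merge all records sharing (timestamp, serial)."""
    groups: Dict[tuple, List[dict]] = {}
    for rec in per_message_events(lines):
        groups.setdefault((rec["timestamp"], rec["serial"]), []).append(rec)
    return [merge_records(recs) for recs in groups.values()]


if __name__ == "__main__":
    print(len(per_message_events(SAMPLE_LINES)), "per-message events")
    for ev in coalesce(SAMPLE_LINES):
        print(ev["serial"], ev["record_types"], ev.get("argv"), ev.get("proctitle"))
```

per_message_events() corresponds to what Auditd Logs ships (six events for the six sample lines), coalesce() to what Auditd Manager ships (two events, one per serial). On a live stream the grouping needs a flush rule, such as auditd's EOE record or a timeout, instead of reading every line first; that part is left out here.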
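The osquery rows in the table name tables but not queries. This added example (not Elastic's or osquery's own configuration) sketches an osquery query pack covering the system.* datasets and derives each query's platform restriction from the tables it references, so a query over a Linux-only table cannot be scheduled on a Windows host by mistake. The query names, intervals, the snapshot-versus-differential choices and the TABLE_PLATFORMS availability map are this example's assumptions; verify them against your osquery build.

```python
"""osquery scheduled queries standing in for the Auditbeat system module
datasets (host, login, package, process, socket, user), emitted as an osquery
query pack that Osquery Manager can schedule.  Added example; query names,
intervals and the TABLE_PLATFORMS map are this example's assumptions, not
Elastic's or osquery's own configuration.
"""
import json
import re
from typing import Dict, Optional, Set

ALL = {"linux", "darwin", "windows"}
# Assumed availability of the tables used below, per osquery platform.
# Check against your build with `osqueryi` before deploying.
TABLE_PLATFORMS: Dict[str, Set[str]] = {
    "system_info": ALL, "os_version": ALL, "uptime": ALL, "logged_in_users": ALL,
    "processes": ALL, "listening_ports": ALL, "users": ALL,
    "last": {"linux", "darwin"}, "process_events": {"linux", "darwin"},
    "socket_events": {"linux", "darwin"},
    "deb_packages": {"linux"}, "rpm_packages": {"linux"},
    "homebrew_packages": {"darwin"}, "programs": {"windows"},
}

# (pack query name, Auditbeat dataset replaced, interval seconds, snapshot, SQL)
# Differential queries log rows as they appear/disappear; snapshot queries log
# the full result every run, which suits inventory-style host data.
QUERIES = [
    ("system_host", "system.host", 3600, True,
     "SELECT s.hostname, s.uuid, s.cpu_brand, s.physical_memory, o.name, o.version, "
     "o.build, u.total_seconds FROM system_info s, os_version o, uptime u;"),
    ("system_login_last", "system.login", 60, False,
     "SELECT username, tty, pid, type, time, host FROM last;"),
    ("system_login_sessions", "system.login", 300, True,
     "SELECT user, tty, host, time, pid, type FROM logged_in_users;"),
    ("system_package_deb", "system.package", 3600, False,
     "SELECT name, version, source, arch FROM deb_packages;"),
    ("system_package_rpm", "system.package", 3600, False,
     "SELECT name, version, release, arch, vendor FROM rpm_packages;"),
    ("system_package_brew", "system.package", 3600, False,
     "SELECT name, version, path FROM homebrew_packages;"),
    ("system_package_win", "system.package", 3600, False,
     "SELECT name, version, publisher, install_date FROM programs;"),
    ("system_process_events", "system.process", 10, False,
     "SELECT pid, parent, path, cmdline, uid, auid, time, eid FROM process_events;"),
    ("system_process_table", "system.process", 60, False,
     "SELECT pid, parent, name, path, cmdline, uid, start_time FROM processes;"),
    ("system_socket_events", "system.socket", 10, False,
     "SELECT action, pid, path, family, protocol, local_address, local_port, "
     "remote_address, remote_port, time FROM socket_events;"),
    ("system_socket_listening", "system.socket", 60, False,
     "SELECT pid, port, protocol, address, path FROM listening_ports;"),
    ("system_user", "system.user", 300, False,
     "SELECT uid, gid, username, description, directory, shell FROM users;"),
]


def referenced_tables(sql: str) -> Set[str]:
    """Table names in each FROM clause (handles comma lists with aliases)."""
    tables: Set[str] = set()
    for clause in re.findall(r"\bFROM\s+([^;]*?)(?=\s+WHERE\b|;|$)", sql, re.I):
        tables.update(part.split()[0] for part in clause.split(",") if part.strip())
    return tables


def platform_for(tables: Set[str]) -> Optional[str]:
    """Narrowest osquery pack 'platform' value on which every table exists."""
    if not tables:
        raise ValueError("query references no tables")
    unknown = tables - set(TABLE_PLATFORMS)
    if unknown:
        raise ValueError(f"unknown osquery table(s): {sorted(unknown)}")
    available = set.intersection(*(TABLE_PLATFORMS[t] for t in tables))
    if not available:
        raise ValueError(f"no single platform has all of {sorted(tables)}")
    if available == ALL:
        return None                      # omit 'platform': runs everywhere
    if available == {"linux", "darwin"}:
        return "posix"
    return ",".join(sorted(available))


def build_pack() -> dict:
    """Assemble the pack, restricting each query to the platforms that have its tables."""
    queries = {}
    for name, dataset, interval, snapshot, sql in QUERIES:
        entry = {"query": sql, "interval": interval,
                 "description": f"replaces Auditbeat {dataset}"}
        platform = platform_for(referenced_tables(sql))
        if platform:
            entry["platform"] = platform
        if snapshot:
            entry["snapshot"] = True
        queries[name] = entry
    return {"queries": queries}


def pack_json() -> str:
    return json.dumps(build_pack(), indent=2)


if __name__ == "__main__":
    print(pack_json())
```

The evented tables (process_events, socket_events) only return rows when osquery's event publishers are enabled on the host (on Linux they rely on the audit subsystem, which means osquery and the Auditd Manager integration would compete for the same auditd socket); the processes and listening_ports queries are the polling fallback.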