New in 7.11: out-of-the-box (OOTB) anomaly detections that use Linux data from Auditbeat or from Endpoint Security on Elastic Agent.
Monitor user activity and processes, and analyze your event data in the Elastic Stack without touching auditd. Auditbeat communicates directly with the Linux audit framework, collects the same data as auditd, and sends the events to the Elastic Stack in real time. If you’re feeling nostalgic, you can run auditd alongside Auditbeat (in newer kernels).
Don’t rewrite what works. Use your existing audit rules to ingest data painlessly. Who was the actor? What action did they perform and when? Auditbeat retains all of the original syscall data and the associated paths so you have the context you need.
Avoid getting caught in the cross-hairs of split messages, duplicate events, and meaningless ID numbers. Unlike auditd, Auditbeat groups related messages into a single event. It also handles the parsing and normalizing of the messages, delivering structured data to Elasticsearch — like converting numeric IDs to names. And with the processors that are a part of every Beat, you can filter and amend data easily.
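To make the three preceding paragraphs concrete, here is an added `auditbeat.yml` fragment for the auditd module. It is an illustrative example written for this page, not the page's own text and not the configuration file the Auditbeat project ships: it keeps an existing auditd running by reading the audit events from the multicast socket, reuses rule files already written in auditctl syntax, resolves numeric IDs to names, and attaches processors that filter and amend events. The rule-file path, the rules themselves, and the service account name in the `drop_event` condition are assumptions chosen for illustration.

```yaml
auditbeat.modules:
- module: auditd
  # Read audit events from the multicast socket (kernel 3.16+) so an
  # existing auditd can keep running; "unicast" makes Auditbeat the sole consumer.
  socket_type: multicast
  # Translate numeric UIDs/GIDs into user and group names in the emitted events.
  resolve_ids: true
  # Keep the original audit message text next to the parsed fields, which is
  # handy while checking that nothing is lost during normalization.
  include_raw_message: true
  # Reuse rule files already written for auditd. The glob path is an assumption.
  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
  # Inline rules in auditctl syntax, loaded after the files above.
  audit_rules: |
    ## Process executions (who ran what, and when).
    -a always,exit -F arch=b64 -S execve,execveat -k exec

    ## Writes and attribute changes to identity files.
    -w /etc/passwd -p wa -k identity
    -w /etc/group -p wa -k identity
    -w /etc/shadow -p wa -k identity

    ## Denied file opens: a permission failure is often the first visible sign of probing.
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access

# Processors run on every event before it is shipped; they are available in every Beat.
processors:
  # Amend: attach host fields (OS, IP addresses) to each event.
  - add_host_metadata: ~
  # Filter: drop successful execve events from one known noisy service account.
  # The account name "backup-agent" is a constructed placeholder.
  - drop_event:
      when:
        and:
          - equals:
              user.name: backup-agent
          - equals:
              auditd.result: success
          - equals:
              auditd.data.syscall: execve
```

The `drop_event` condition is deliberately narrow (one account, one syscall, successes only) so that failed executions and anything run by other users still reach Elasticsearch; broad drop conditions are where the "meaningless ID numbers" problem quietly returns, because a filter written against a numeric field silently stops matching once `resolve_ids` turns the number into a name.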
Auditbeat allows you to carefully watch lists of directories for any funny business on Linux, macOS, and Windows. File changes are sent in real time to Elasticsearch, each message containing metadata and cryptographic hashes of the file contents for further analysis.
Simply specify the paths to the directories you want Auditbeat to watch and take a congratulatory sip of coffee.
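As an added example of the directory watching described above (illustrative configuration written for this page, not the page's own text and not the project's shipped defaults), the following `auditbeat.yml` fragment configures the file_integrity module. The watched paths, exclusions, size limits and hash choice are assumptions for a Linux host; on macOS or Windows the paths would differ.

```yaml
auditbeat.modules:
- module: file_integrity
  # Directories to watch; every create, update and delete is emitted as an
  # event in real time. These paths are assumptions chosen for illustration.
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
  - /etc/systemd/system
  # Regular expressions matched against the full path; matching files are ignored.
  exclude_files:
  - '(?i)\.sw[nop]$'   # editor swap files
  - '~$'               # editor backup copies
  - '/\.git($|/)'      # anything inside a .git directory
  # Walk the watched paths at startup so baseline hashes exist before the first change.
  scan_at_start: true
  # Throttle the disk reads of that initial scan.
  scan_rate_per_sec: 50 MiB
  # Files larger than this are reported with metadata but without a hash.
  max_file_size: 100 MiB
  # Cryptographic hashes computed over each file's contents and sent with the event.
  hash_types: [sha256]
  # Descend into subdirectories of the paths listed above.
  recursive: true
```

Choosing `sha256` rather than a weaker digest matters for the "further analysis" part: the hash in the event is what you later compare against a known-good package manifest or a threat-intelligence feed, and a collision-resistant function is what makes that comparison meaningful. Keep `max_file_size` above the size of the binaries you actually care about, otherwise those files arrive without the hash that makes the event useful.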
Auditbeat is part of the Elastic Stack, meaning it works seamlessly with Logstash, Elasticsearch, and Kibana. Whether you want to transform or enrich your metrics with Logstash, fiddle with some analytics in Elasticsearch, or build and share dashboards in Kibana, Auditbeat makes it easy to ship your data to where it matters most.