Before you begin, read [migrate-beats-to-agent] to learn how to deploy {agent} and install integrations.
Then come back to this page to learn about the integrations available to replace functionality provided by {auditbeat}.
The integrations that provide replacements for auditd and file_integrity
modules are only available in {stack} version 8.3 and later.
The following table describes the integrations you can use instead of {auditbeat} modules and datasets.
| If you use… | You can use this instead… | Notes |
|---|---|---|
{auditbeat-ref}/auditbeat-module-auditd.html[Auditd] module |
{integrations-docs}/auditd_manager[Auditd Manager] integration |
This integration is a direct replacement of the module. You can port rules and
configuration to this integration. Starting in {stack} 8.4, you can also set the
|
{integrations-docs}/auditd[Auditd Logs] integration |
Use this integration if you don’t need to manage rules. It only parses logs from
the audit daemon |
|
{auditbeat-ref}/auditbeat-module-file_integrity.html[File Integrity] module |
{integrations-docs}/fim[File Integrity Monitoring] integration |
This integration is a direct replacement of the module. It reports real-time events, but cannot report who made the changes. If you need to track this information, use {security-guide}/install-endpoint.html[{elastic-defend}] instead. |
{auditbeat-ref}/auditbeat-module-system.html[System] module |
It depends… |
There is not a single integration that collects all this information. |
{auditbeat-ref}/auditbeat-dataset-system-host.html[System.host] dataset |
{integrations-docs}/osquery[Osquery] or {integrations-docs}/osquery_manager[Osquery Manager] integration |
Schedule collection of information like:
|
{auditbeat-ref}/auditbeat-dataset-system-login.html[System.login] dataset |
{security-guide}/install-endpoint.html[Endpoint] |
Report login events. |
{integrations-docs}/osquery[Osquery] or {integrations-docs}/osquery_manager[Osquery Manager] integration |
Use the last table for Linux and macOS. |
|
{fleet} {integrations-docs}/system[system] integration |
Collect login events for Windows through the {integrations-docs}/system#security[Security event log]. |
|
{auditbeat-ref}/auditbeat-dataset-system-package.html[System.package] dataset |
{integrations-docs}/system_audit[System Audit] integration |
This integration is a direct replacement of the System Package dataset. Starting in {stack} 8.7, you can port rules and configuration settings to this integration. This integration currently schedules collection of information such as: |
{integrations-docs}/osquery[Osquery] or {integrations-docs}/osquery_manager[Osquery Manager] integration |
Schedule collection of information like: |
|
{auditbeat-ref}/auditbeat-dataset-system-process.html[System.process] dataset |
{security-guide}/install-endpoint.html[Endpoint] |
Best replacement because out of the box it reports events for every process in {ecs-ref}/index.html[ECS] format and has excellent integration in {kibana-ref}/index.html[Kibana]. |
{integrations-docs}/winlog[Custom Windows event log] and {integrations-docs}/windows#sysmonoperational[Sysmon] integrations |
Provide process data. |
|
{integrations-docs}/osquery[Osquery] or {integrations-docs}/osquery_manager[Osquery Manager] integration |
Collect data from the process table on some OSes without polling. |
|
{auditbeat-ref}/auditbeat-dataset-system-socket.html[System.socket] dataset |
{security-guide}/install-endpoint.html[Endpoint] |
Best replacement because it supports monitoring network connections on Linux, Windows, and MacOS. Includes process and user metadata. Currently does not do flow accounting (byte and packet counts) or domain name enrichment (but does collect DNS queries separately). |
{integrations-docs}/osquery[Osquery] or {integrations-docs}/osquery_manager[Osquery Manager] integration |
Monitor socket events via the socket_events table for Linux and MacOS. |
|
{auditbeat-ref}/auditbeat-dataset-system-user.html[System.user] dataset |
{integrations-docs}/osquery[Osquery] or {integrations-docs}/osquery_manager[Osquery Manager] integration |
Monitor local users via the user table for Linux, Windows, and MacOS. |