Migrate from Auditbeat to Elastic Agent
Before you begin, read Migrate from Beats to Elastic Agent to learn how to deploy Elastic Agent and install integrations.
Then come back to this page to learn about the integrations available to replace functionality provided by Auditbeat.
The integrations that provide replacements for auditd and file_integrity modules are only available in Elastic Stack version 8.3 and later.
The following table describes the integrations you can use instead of Auditbeat modules and datasets.
| If you use… | You can use this instead… | Notes |
|---|---|---|
| Auditd module | Auditd Manager integration | This integration is a direct replacement of the module. You can port rules andconfiguration to this integration. Starting in Elastic Stack 8.4, you can also set theimmutable flag in the audit configuration. |
| Auditd Logs integration | Use this integration if you don’t need to manage rules. It only parses logs fromthe audit daemon auditd. Please note that the events created by this integrationare different than the ones created byAuditd Manager, since the latter merges allrelated messages in a single event while Auditd Logscreates one event per message. |
|
| File Integrity module | File Integrity Monitoring integration | This integration is a direct replacement of the module. It reports real-timeevents, but cannot report who made the changes. If you need to track thisinformation, use Elastic Defendinstead. |
| System module | It depends… | There is not a single integration that collects all this information. |
| System.host dataset | Osquery or Osquery Manager integration | Schedule collection of information like: * system_info for hostname, unique ID, and architecture * os_version * interface_addresses for IPs and MACs |
| System.login dataset | Endpoint | Report login events. |
| Osquery or Osquery Manager integration | Use the last table for Linux and macOS. | |
| Fleet system integration | Collect login events for Windows through the Security event log. | |
| System.package dataset | System Audit integration | This integration is a direct replacement of the System Package dataset. Starting in Elastic Stack 8.7, you can port rules and configuration settings to this integration. This integration currently schedules collection of information such as: * rpm_packages * deb_packages * homebrew_packages |
| Osquery or Osquery Manager integration | Schedule collection of information like: * rpm_packages * deb_packages * homebrew_packages * apps (MacOS) * programs (Windows) * npm_packages * atom_packages * chocolatey_packages * portage_packages * python_packages |
|
| System.process dataset | Endpoint | Best replacement because out of the box it reports events forevery process in ECS format and has excellentintegration in Kibana. |
| Custom Windows event log andhttps://docs.elastic.co/en/integrations/windows#sysmonoperational[Sysmon] integrations | Provide process data. | |
| Osquery orOsquery Manager integration | Collect data from the process table on some OSeswithout polling. | |
| System.socket dataset | Endpoint | Best replacement because it supports monitoring network connections on Linux,Windows, and MacOS. Includes process and user metadata. Currently does notdo flow accounting (byte and packet counts) or domain name enrichment (but doescollect DNS queries separately). |
| Osquery or Osquery Manager integration | Monitor socket events via the socket_events tablefor Linux and MacOS. | |
| System.user dataset | Osquery or Osquery Manager integration | Monitor local users via the user table for Linux, Windows, and MacOS. |