Introducing Auditbeat: Ship Linux Audit Logs to Elasticsearch and More
Blog post from Elastic
Auditbeat, a new addition to the Beats family introduced in version 6.0, audits user and process activity on systems; it is currently in beta, with further enhancements planned. It offers two primary monitoring capabilities: Linux audit framework monitoring and file integrity monitoring.

For audit framework monitoring, Auditbeat receives events from the Linux kernel's audit framework and sends them to Elasticsearch, automatically grouping related messages and structuring them for easier ingestion. For file integrity monitoring, Auditbeat tracks changes to specified files or directories on Linux, macOS, and Windows, sending real-time events to Elasticsearch together with file metadata and cryptographic hashes. This lets users demonstrate compliance and identify files altered by potential malware. Users are encouraged to try Auditbeat and provide feedback as part of Elastic's Pioneer program.
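The following `auditbeat.yml` is an added example of the two capabilities described above, not a configuration from the Elastic post: it subscribes the `auditd` module to the kernel audit framework with a few watch rules, and points the `file_integrity` module at directories whose contents should not change without a deployment. The specific rules, paths, exclusion patterns and the Elasticsearch host are constructed for a typical Linux host and are assumptions; module and option names follow Auditbeat's published reference configuration.

```yaml
# auditbeat.yml (added example; rules, paths and hosts are constructed)
auditbeat.modules:

# Module 1: receive events from the Linux kernel audit framework.
- module: auditd
  # Rules use auditctl syntax. -w watches a path, -p selects permissions
  # (w = write, a = attribute change), -k tags events with a key for searching.
  audit_rules: |
    # Changes to local identity and privilege definitions.
    -w /etc/passwd -p wa -k identity
    -w /etc/group -p wa -k identity
    -w /etc/shadow -p wa -k identity
    -w /etc/sudoers -p wa -k privilege
    # Any execve performed as root by a logged-in user (auid set, not root's uid).
    -a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -k privileged

# Module 2: file integrity monitoring; each change produces an event
# carrying file metadata and a cryptographic hash of the new content.
- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
  # Regular expressions for files to ignore (editor swap and backup files).
  exclude_files:
  - '(?i)\.sw[nop]$'
  - '~$'
  # Hash everything once at startup so the first change has a baseline.
  scan_at_start: true
  # Hash algorithm recorded in each event (sha1 is the default in early releases).
  hash_types: [sha256]

# Ship events to a local Elasticsearch node (constructed address).
output.elasticsearch:
  hosts: ["localhost:9200"]
```

The identity-file watches turn a single edit of `/etc/passwd` into a grouped, structured event tagged `identity`, which is what an analyst would alert on; the `privileged` rule records root-level command execution by interactive users. For the `file_integrity` module, keep the path list to directories with low legitimate churn, since every write under them generates a hashed event, and use `exclude_files` rather than widening the paths when noise appears. In 6.x releases `auditbeat test config -c auditbeat.yml` checks the file for syntax errors before the service is started.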