We have been using Auditbeat for system calls. We are in the process of deploying Osquery for incident response and thus getting further visibility on servers. Long story short, we were wondering whether to throw away Auditbeat and use only Osquery, even for system calls (execve for instance). For now, I have been comparing both and, in a nutshell, they are very similar in what we want to achieve (monitoring execve system calls). It would allow us to have only one agent instead of two on servers.
I have just a couple of questions for you and am looking for feedback from your experience:
• What would be the pros of keeping Auditbeat for system calls and only Osquery for scheduled tasks?
• The main thing missing from Osquery process_events when comparing it to Auditbeat is the SELinux context. We use those intensively for whitelisting and a few other things. Do you know any ways to get those? (e.g. process name A, PID, SELinux context).
Thank you 🙂.
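Added example (not part of the original post, and not osquery or Auditbeat code): the two places where a (process name, PID, SELinux context) triple can still be obtained once osquery's process_events table, which has no SELinux column, is the only agent. The first is the auditd SYSCALL record for execve, whose `subj=` field is the subject's SELinux context; this is the record Auditbeat's auditd module consumes. The second is `/proc/<pid>/attr/current`, the live context of a still-running process, which is only useful as a sidecar enrichment and misses short-lived children. The audit record below is constructed with made-up values in the real auditd field format; the `reader` parameter on `live_context` is an assumption for this example so the `/proc` read can be substituted.

```python
"""Extract (process name, PID, SELinux context) from execve evidence.

Example code added for this page; not part of osquery or Auditbeat.
Source 1: auditd SYSCALL record (subj= field). Source 2: /proc/<pid>/attr/current.
"""
import re
from typing import Callable, Dict, Iterable, Optional

SYSCALL_EXECVE_X86_64 = "59"  # execve on arch=c000003e (x86_64)

# Constructed sample record (values made up); layout follows auditd's SYSCALL format.
SAMPLE_AUDIT_EXECVE = (
    'type=SYSCALL msg=audit(1612345678.123:4567): arch=c000003e syscall=59 '
    'success=yes exit=0 a0=55d1c0 a1=55d2f0 a2=55d3a0 a3=0 items=2 ppid=1234 '
    'pid=4321 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 '
    'tty=pts0 ses=3 comm="curl" exe="/usr/bin/curl" '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="execve"'
)

_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line: str) -> Dict[str, str]:
    """Split one auditd record into key/value pairs, unquoting quoted values."""
    fields: Dict[str, str] = {}
    for key, value in _FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def split_context(ctx: str) -> Dict[str, str]:
    """Split user:role:type:level; the MLS/MCS level may itself contain colons."""
    parts = ctx.strip().split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a SELinux context: {ctx!r}")
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) == 4 else ""}


def execve_identity(line: str) -> Optional[Dict[str, str]]:
    """{pid, comm, exe, context, type} for an execve SYSCALL record, else None.

    subj= is only a full SELinux context when SELinux labels the process;
    otherwise the context is kept verbatim and the type is left empty.
    """
    f = parse_audit_record(line)
    if f.get("type") != "SYSCALL" or f.get("syscall") != SYSCALL_EXECVE_X86_64:
        return None
    context = f.get("subj", "")
    try:
        sel_type = split_context(context)["type"] if context else ""
    except ValueError:
        sel_type = ""
    return {"pid": f.get("pid", ""), "comm": f.get("comm", ""),
            "exe": f.get("exe", ""), "context": context, "type": sel_type}


def read_proc_attr_current(pid: int) -> str:
    """Live context of a running process; the kernel returns it NUL-terminated."""
    with open(f"/proc/{pid}/attr/current", "rb") as fh:
        return fh.read().rstrip(b"\x00\n").decode()


def live_context(pid: int,
                 reader: Callable[[int], str] = read_proc_attr_current) -> Optional[str]:
    """Context of a still-running process, or None if it is already gone.

    Short-lived execve children usually exit before an osquery row is read,
    so this only complements the audit record; it does not replace it.
    `reader` is an injection point assumed for this example.
    """
    try:
        return reader(pid)
    except (OSError, ValueError, UnicodeDecodeError):
        return None


def allowed_by_type(identity: Dict[str, str], allowed_types: Iterable[str]) -> bool:
    """Whitelist decision keyed on the SELinux type rather than on the path alone."""
    return bool(identity.get("type")) and identity["type"] in set(allowed_types)


if __name__ == "__main__":
    ident = execve_identity(SAMPLE_AUDIT_EXECVE)
    print(ident)
    print("allowed:", allowed_by_type(ident, {"httpd_t", "sshd_t"}))
    print("live context of pid 1:", live_context(1))
```

Run against a real system the `/proc` read returns `None` on kernels without an LSM that labels processes (the read fails with EINVAL), and returns `unconfined` rather than a four-part context under AppArmor, so the type-based whitelist only makes sense where `execve_identity` actually yields a type.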