Looking for reasons to use osquery for FIM auditing when aud

Question

Looking for reasons to use osquery for FIM auditing when auditd is installed and running on all the servers I maintain Any thoughts

clong · Answer

osquery in fim audit mode is effectively a 1 1 replacement for auditd you can t run both at the same time because they both rely upon the linux audit system

clong · Answer

i ve found the output log format from osquery to be much more human readable than what auditd spits out and writing SQL is much easier than writing audit rules but YMMV

shed7 · Answer

Many thanks