diff --git a/README.md b/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..0cdb8704842a17575c902c450af4a15119c3a528
--- /dev/null
+++ b/README.md
@@ -0,0 +1 @@
+https://www.elastic.co/guide/en/beats/auditbeat/7.4/auditbeat-getting-started.html
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..5a635ca70c55fd7c22ec4d69e697f05609ee583e
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,19 @@
+---
+# file: roles/auditbeat/handlers/main.yml
+
+- name: Add Auditbeat to Boot-List
+  systemd:
+    name: auditbeat
+    state: started
+    daemon_reload: yes
+    enabled: yes
+
+- name: Start Auditbeat
+  service:
+    name: auditbeat
+    state: started
+
+- name: Restart Auditbeat
+  service:
+    name: auditbeat
+    state: restarted
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..55ae93d549abe3d417c9dbffd4e1a1c143e12c4a
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,4 @@
+---
+
+dependencies:
+  - { role: kibana }
diff --git a/tasks/config.yml b/tasks/config.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f7d6620cc39b8a7a3730177dc2e51e528ec46c19
--- /dev/null
+++ b/tasks/config.yml
@@ -0,0 +1,12 @@
+---
+# file: roles/auditbeat/tasks/config.yml
+
+- name: Configure auditbeat
+  template:
+    src: auditbeat.yml
+    dest: /etc/auditbeat/auditbeat.yml
+    owner: root
+    group: root
+    mode: 0600
+  notify:
+    - Restart auditbeat
diff --git a/tasks/install.yml b/tasks/install.yml
new file mode 100644
index 0000000000000000000000000000000000000000..3053652dd1ce38b8a0e1ae5dd4a1d0ae44689785
--- /dev/null
+++ b/tasks/install.yml
@@ -0,0 +1,22 @@
+---
+# file: roles/auditbeat/tasks/install.yml
+
+- name: Apt Key
+  apt_key:
+    url: 'https://artifacts.elastic.co/GPG-KEY-elasticsearch'
+    state: present
+
+- name: Apt Repository
+  apt_repository:
+    repo: 'deb https://artifacts.elastic.co/packages/7.x/apt stable main'
+    state: present
+    mode: 0644
+
+- name: Install Auditbeat
+  apt:
+    pkg: auditbeat
+    state: present
+    update_cache: yes
+  notify:
+    - Add auditbeat to Boot-List
+    - Start auditbeat
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..c856472b9b92c3dcd2e159d40bc47e471266fa8e
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,16 @@
+---
+# file: roles/auditbeat/tasks/main.yml
+
+- name: Auditbeat Role
+  set_fact:
+    role_auditbeat_started: yes
+  tags:
+    - always
+
+- block:
+
+    - include_tasks: install.yml
+
+    - include_tasks: config.yml
+
+  when: not excluded_roles or "auditbeat" not in excluded_roles
diff --git a/templates/auditbeat.yml b/templates/auditbeat.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d175696ba8918f07a8db23a7c9fe02b5fccff8d0
--- /dev/null
+++ b/templates/auditbeat.yml
@@ -0,0 +1,212 @@
+###################### Auditbeat Configuration Example #########################
+
+# This is an example configuration file highlighting only the most common
+# options. The auditbeat.reference.yml file from the same directory contains all
+# the supported options with more comments. You can use it as a reference.
+#
+# You can find the full configuration reference here:
+# https://www.elastic.co/guide/en/beats/auditbeat/index.html
+
+#==========================  Modules configuration =============================
+auditbeat.modules:
+
+  - module: auditd
+    # Load audit rules from separate files. Same format as audit.rules(7).
+    audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
+    audit_rules: |
+      ## Define audit rules here.
+      ## Create file watches (-w) or syscall audits (-a or -A). Uncomment these
+      ## examples or add your own rules.
+
+      ## If you are on a 64 bit platform, everything should be running
+      ## in 64 bit mode. This rule will detect any use of the 32 bit syscalls
+      ## because this might be a sign of someone exploiting a hole in the 32
+      ## bit API.
+      #-a always,exit -F arch=b32 -S all -F key=32bit-abi
+
+      ## Executions.
+      #-a always,exit -F arch=b64 -S execve,execveat -k exec
+
+      ## External access (warning: these can be expensive to audit).
+      #-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
+
+      ## Identity changes.
+      #-w /etc/group -p wa -k identity
+      #-w /etc/passwd -p wa -k identity
+      #-w /etc/gshadow -p wa -k identity
+
+      ## Unauthorized access attempts.
+      #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
+      #-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
+
+  - module: file_integrity
+    paths:
+      - /bin
+      - /usr/bin
+      - /sbin
+      - /usr/sbin
+      - /etc
+
+  - module: system
+    datasets:
+      - host    # General host information, e.g. uptime, IPs
+      - login   # User logins, logouts, and system boots.
+      - package # Installed, updated, and removed packages
+      - process # Started and stopped processes
+      - socket  # Opened and closed sockets
+      - user    # User information
+
+    # How often datasets send state updates with the
+    # current state of the system (e.g. all currently
+    # running processes, all open sockets).
+    state.period: 12h
+
+    # Enabled by default. Auditbeat will read password fields in
+    # /etc/passwd and /etc/shadow and store a hash locally to
+    # detect any changes.
+    user.detect_password_changes: true
+
+    # File patterns of the login record files.
+    login.wtmp_file_pattern: /var/log/wtmp*
+    login.btmp_file_pattern: /var/log/btmp*
+
+#==================== Elasticsearch template setting ==========================
+setup.template.settings:
+  index.number_of_shards: 1
+  #index.codec: best_compression
+  #_source.enabled: false
+
+#================================ General =====================================
+
+# The name of the shipper that publishes the network data. It can be used to group
+# all the transactions sent by a single shipper in the web interface.
+#name:
+
+# The tags of the shipper are included in their own field with each
+# transaction published.
+#tags: ["service-X", "web-tier"]
+
+# Optional fields that you can specify to add additional information to the
+# output.
+#fields:
+#  env: staging
+
+
+#============================== Dashboards =====================================
+# These settings control loading the sample dashboards to the Kibana index. Loading
+# the dashboards is disabled by default and can be enabled either by setting the
+# options here or by using the `setup` command.
+#setup.dashboards.enabled: false
+
+# The URL from where to download the dashboards archive. By default this URL
+# has a value which is computed based on the Beat name and version. For released
+# versions, this URL points to the dashboard archive on the artifacts.elastic.co
+# website.
+#setup.dashboards.url:
+
+#============================== Kibana =====================================
+
+# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
+# This requires a Kibana endpoint configuration.
+setup.kibana:
+
+# Kibana Host
+# Scheme and port can be left out and will be set to the default (http and 5601)
+# In case you specify and additional path, the scheme is required: http://localhost:5601/path
+# IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
+#host: "localhost:5601"
+
+# Kibana Space ID
+# ID of the Kibana Space into which the dashboards should be loaded. By default,
+# the Default Space will be used.
+#space.id:
+
+#============================= Elastic Cloud ==================================
+
+# These settings simplify using Auditbeat with the Elastic Cloud (https://cloud.elastic.co/).
+
+# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
+# `setup.kibana.host` options.
+# You can find the `cloud.id` in the Elastic Cloud web UI.
+#cloud.id:
+
+# The cloud.auth setting overwrites the `output.elasticsearch.username` and
+# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
+#cloud.auth:
+
+#================================ Outputs =====================================
+
+# Configure what output to use when sending the data collected by the beat.
+
+#-------------------------- Elasticsearch output ------------------------------
+
+{% if 'logserver' in groups and inventory_hostname in groups.logserver %}
+output.elasticsearch:
+  # Array of hosts to connect to.
+  hosts: ["localhost:9200"]
+
+  # Optional protocol and basic auth credentials.
+  #protocol: "https"
+  username: "elastic"
+  password: "{{ elasticsearch.users.elastic|default("") }}"
+{% else %}
+#----------------------------- Logstash output --------------------------------
+output.logstash:
+  # The Logstash hosts
+  hosts: ["localhost:5044"]
+
+  # Optional SSL. By default is off.
+  # List of root certificates for HTTPS server verifications
+  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
+
+  # Certificate for SSL client authentication
+  #ssl.certificate: "/etc/pki/client/cert.pem"
+
+  # Client Certificate Key
+  #ssl.key: "/etc/pki/client/cert.key"
+{% endif %}
+#================================ Processors =====================================
+
+# Configure processors to enhance or manipulate events generated by the beat.
+
+processors:
+  - add_host_metadata: ~
+  - add_cloud_metadata: ~
+
+#================================ Logging =====================================
+
+# Sets log level. The default log level is info.
+# Available log levels are: error, warning, info, debug
+#logging.level: debug
+
+# At debug level, you can selectively enable logging only for some components.
+# To enable all selectors use ["*"]. Examples of other selectors are "beat",
+# "publish", "service".
+#logging.selectors: ["*"]
+
+#============================== X-Pack Monitoring ===============================
+# auditbeat can export internal metrics to a central Elasticsearch monitoring
+# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
+# reporting is disabled by default.
+
+# Set to true to enable the monitoring reporter.
+#monitoring.enabled: false
+
+# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
+# Auditbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
+# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
+#monitoring.cluster_uuid:
+
+# Uncomment to send the metrics to Elasticsearch. Most settings from the
+# Elasticsearch output are accepted here as well.
+# Note that the settings should point to your Elasticsearch *monitoring* cluster.
+# Any setting that is not set is automatically inherited from the Elasticsearch
+# output configuration, so if you have the Elasticsearch output configured such
+# that it is pointing to your Elasticsearch monitoring cluster, you can simply
+# uncomment the following line.
+#monitoring.elasticsearch:
+
+#================================= Migration ==================================
+
+# This allows to enable 6.7 migration aliases
+#migration.6_to_7.enabled: true