> sysdig requires a kernel module be loaded on each machine.
Why is that an issue?
There’s a tremendous advantage of sysdig over auditd: sysdig can capture all the arguments to syscalls, including string buffers. This is enormously valuable for performing post mortems, as you can look at all unencrypted communications taking place on the server.
See, e.g., https://sysdig.com/blog/fishing-for-hackers/ for an example.