Auditbeat 7.7.0 fails to start on Kubuntu

I am trying to run auditbeat on Kubuntu (20.04 LTS); however, it keeps crashing. There is no configuration inside audit.rules.d/. However, the crash reason seems to be something else:

    May 30 13:13:01 HOSTNAME auditbeat[11745]: 2020-05-30T13:13:01.411+0530#011INFO#011instance/beat.go:411#011auditbeat stopped.
    May 30 13:13:01 HOSTNAME auditbeat[11745]: 2020-05-30T13:13:01.411+0530#011ERROR#011instance/beat.go:932#011Exiting: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_inet6_csk_xmit failed: failed to add kprobe 'r:inet_csk_accept_guess inet_csk_accept sock={{.RET}}': failed installing probe 'r:auditbeat/inet_csk_accept_guess inet_csk_accept sock=%ax': write /sys/kernel/tracing/kprobe_events: file exists
    May 30 13:13:01 HOSTNAME auditbeat[11745]: Exiting: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_inet6_csk_xmit failed: failed to add kprobe 'r:inet_csk_accept_guess inet_csk_accept sock={{.RET}}': failed installing probe 'r:auditbeat/inet_csk_accept_guess inet_csk_accept sock=%ax': write /sys/kernel/tracing/kprobe_events: file exists
    May 30 13:13:01 HOSTNAME systemd[1]: auditbeat.service: Main process exited, code=exited, status=1/FAILURE
    May 30 13:13:01 HOSTNAME systemd[1]: auditbeat.service: Failed with result 'exit-code'.
    May 30 13:13:01 HOSTNAME kernel: [ 2796.313920] audit: type=1131 audit(1590824581.469:1047): pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=auditbeat comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
    May 30 13:13:01 HOSTNAME systemd[1]: auditbeat.service: Scheduled restart job, restart counter is at 1.

Could someone kindly guide me?

You ran into an IPv6 issue, I assume, like I did in my test.
Look into

    /etc/sysctl.conf

and check whether you have configured:

    net.ipv6.conf.all.disable_ipv6 = 1

In theory, it should be enough to enable IPv6 for just the lo interface: add this line to /etc/sysctl.conf and reboot the machine:

    net.ipv6.conf.lo.disable_ipv6 = 0

Please let me know if this helped.
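The check described in the answer above, as an added example that is not part of the original thread: it replays a sysctl.conf-style file and reports whether IPv6 ends up disabled on lo, and reads the same two values from the running kernel. The function names are hypothetical, and the script assumes that a write to the `all` key also resets `lo`, so the `lo` override has to come after the `all` line.

```shell
#!/bin/sh
# Added example, not from the thread. File paths are arguments so the checks
# can be run against constructed samples as well as the live system.

# Replay a sysctl.conf-style file top to bottom and print the resulting
# "all=<v> lo=<v>" for the two disable_ipv6 keys from the answer above.
# Assumption (labelled): a write to conf.all also resets conf.lo, so an
# lo override only sticks when it appears after the all line.
ipv6_after_conf() {  # $1 = sysctl.conf-style file
    awk '
        BEGIN { all = 0; lo = 0 }
        /^[ \t]*([#;]|$)/ { next }                # comments and blank lines
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key == "net.ipv6.conf.all.disable_ipv6") { all = val; lo = val }
            else if (key == "net.ipv6.conf.lo.disable_ipv6") { lo = val }
        }
        END { printf "all=%s lo=%s\n", all, lo }
    ' "$1"
}

# Map a state string to a verdict, following the answer in this thread.
ipv6_verdict() {  # $1 = "all=<v> lo=<v>"
    case "$1" in
        *"lo=1"*)     echo "lo-disabled" ;;          # the condition the answer points at
        "all=1 lo=0") echo "lo-enabled-override" ;;  # the suggested sysctl.conf line is in effect
        *)            echo "ipv6-enabled" ;;
    esac
}

# Same two values as the running kernel reports them.
ipv6_runtime() {  # $1 = sysctl root, default /proc/sys
    root=${1:-/proc/sys}/net/ipv6/conf
    printf 'all=%s lo=%s\n' "$(cat "$root/all/disable_ipv6")" "$(cat "$root/lo/disable_ipv6")"
}

if [ "${1:-}" = "--check" ]; then
    ipv6_verdict "$(ipv6_after_conf "${2:-/etc/sysctl.conf}")"
    ipv6_verdict "$(ipv6_runtime)"
fi
```

Run it as `sh script.sh --check` to compare the file against the live values; the runtime check also catches IPv6 being turned off somewhere other than /etc/sysctl.conf.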

This worked perfectly. I, however, used the GUI to ignore IPv6 on network connections. :slight_smile:

Yes, the beats are programmed in Golang, and it seems that this can even be an issue on the Golang implementation level. I am not sure, but I found some similar issues on other repositories working around this in a similar manner.
