Hello,
I have auditbeat v7.8.0 installed on an Ubuntu 18.04.5 LTS VM that is currently in a weird state. The process is up and running but no data is sent to Elasticsearch.
According to systemd the process is fine (and it is since I can see it from the running processes):
● auditbeat.service - Audit the activities of users and processes on your system.
   Loaded: loaded (/lib/systemd/system/auditbeat.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2020-10-28 08:21:48 UTC; 2 weeks 2 days ago
     Docs: https://www.elastic.co/products/beats/auditbeat
 Main PID: 997 (auditbeat)
    Tasks: 10 (limit: 4915)
   CGroup: /system.slice/auditbeat.service
           └─997 /usr/share/auditbeat/bin/auditbeat -environment systemd -c /etc/auditbeat/auditbeat.yml -path.home /usr/share/auditbeat -path.config /etc/auditbeat -path.data /var/lib/auditbeat -path.logs /var/log/auditbeat
Checking the logs, they have been stuck since Wed 2020-10-28 and there are no errors in them (Auditbeat logging is set at INFO level).
The same happened on another machine and a restart of auditbeat solved the issue.
Why are no errors logged?
Is there a way to check for this kind of state and react accordingly (trigger a restart)?
Thanks,
Andrea
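
A check for the state described in the post above (unit reported active while its log has gone silent), as an added example that is not part of the original post and not Elastic's own tooling. The unit name and log directory are taken from the status output above; the 10-minute threshold, the `beat-watchdog` syslog tag, and the premise that a healthy Auditbeat at INFO level writes to its log at least that often are assumptions.

```shell
#!/bin/sh
# Added example: detect "service active but log silent" for a Beat.
# Unit and log path come from the post; the threshold is an assumption.

LOG_DIR="${LOG_DIR:-/var/log/auditbeat}"
UNIT="${UNIT:-auditbeat.service}"
MAX_SILENT_MIN="${MAX_SILENT_MIN:-10}"

# Succeeds (0) when no file under $1 was modified in the last $2 minutes.
log_is_stale() {
    dir=$1; max_min=$2
    [ -d "$dir" ] || return 0          # a missing log dir counts as stale
    recent=$(find "$dir" -type f -mmin "-$max_min" 2>/dev/null | head -n 1)
    [ -z "$recent" ]
}

# Prints a verdict for the given systemd ActiveState, log dir and threshold:
#   down    - systemd itself reports the unit as not active
#   stalled - unit is active but has written nothing recently
#   ok      - unit is active and still logging
beat_verdict() {
    state=$1; dir=$2; max_min=$3
    if [ "$state" != "active" ]; then
        echo down
    elif log_is_stale "$dir" "$max_min"; then
        echo stalled
    else
        echo ok
    fi
}

# Only query or restart the unit when explicitly asked (e.g. from cron with --run).
if [ "${1:-}" = "--run" ]; then
    state=$(systemctl show -p ActiveState --value "$UNIT")
    verdict=$(beat_verdict "$state" "$LOG_DIR" "$MAX_SILENT_MIN")
    # Record every verdict so gaps in audit collection are visible afterwards.
    logger -t beat-watchdog "$UNIT verdict=$verdict"
    if [ "$verdict" = "stalled" ]; then
        systemctl restart "$UNIT"
    fi
fi
```

Because the verdict is logged before any restart, the syslog entries give the start of each collection gap, which is worth alerting on separately from the restart itself.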