It will ignore any settings in the service or the auditbeat.yml and always log straight to var log messages.
This issue doesn't occur in RHEL 7.
1 Like
Hi,
You're pretty sparse on details...
Did you read this:
https://www.elastic.co/guide/en/beats/auditbeat/current/running-with-systemd.html
If yes, please share your unit file and your drop-in unit file along with the exact path where you took them from your system. Also please confirm that after you have changed the service unit to make it do what you wanted as specified in the doc above, you did:
systemctl daemon-reload
systemctl restart auditbeat
Please share the output of:
systemctl status auditbeat
When you say this issue doesn't occur on RHEL 7. What do you mean? That Auditbeat doesn't log in /var/log/message but instead in its own log file under /var/log/auditbeat without you touching the service unit file at all?
Or that on RHEL 7, after you had made changes to the service unit file, it was honored and then Auditbeat started to log according to the config you had put in its yaml file?
Confirm you're talking about the exact same version of Auditbeat on both RHEL and CentOS?
I run CentOS 7 myself so was easy to try a repro here. Can't do it:
[root@vm ~]# cat /etc/centos-release
CentOS Linux release 7.2.1511 (Core)
[root@vm ~]# rpm -qa | grep auditbeat
auditbeat-7.1.1-1.x86_64
All I did was follow this:
https://www.elastic.co/guide/en/beats/auditbeat/current/running-with-systemd.html
To a T, like if it was my first rodeo and logs went from /var/log/messages to /var/log/auditbeat after I cleared the "-e" with a drop-in file emptying the BEAT_LOG_OPTS var.
2 Likes
Centos 7.x here
Martin great, it worked, I had the same problem but for filebeat. 
The link to running-with-systemd was a real rescue, however the last "rodeo" sentence was very hard to understand.
Basically I:
- checked my
/etc/systemd/system/filebeat.service.d/directory and found it empty - did
export SYSTEMD_EDITOR=vi, the default editor for systemd is nano, I prefer vim -
systemctl edit filebeat, which startedvimwith empty file - added this 2 lines (as Martin said it is
-eby default):
[Service]
Environment="BEAT_LOG_OPTS="
- I quit&save in vi, so now I see a new
override.conffile in the above directory
But man such a pain to migrate elastic stack from 6.x to 7.1.1
This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.