Auditbeat Connection Refused

I'm trying to learn how to set up auditbeat on the same server as my elasticsearch and kibana instance version 8.5, which is running off of ubuntu 20.04. But when I do a systemctl start auditbeat.service, I get the error:

{"log.level":"error","@timestamp":"2022-11-13T23:01:44.731Z","log.origin":{"file.name":"instance/beat.go","file.line":1056},"message":"Exiting: 1 error: failed to create audit client: failed to get audit status: connection refused","service.name":"auditbeat","ecs.version":"1.6.0"}

In terms of what I did, I started a completely new installation of Ubuntu 20.04 on my laptop which has an IP address of 192.168.0.41. And then I ran these commands to download all the packages I need to set up elasticsearch, kibana and auditbeat.

apt-get update && apt dist-upgrade -y
apt-get install -y curl gnupg gpg vim

wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
sudo apt-get install apt-transport-https
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list

sudo apt-get update
sudo apt-get install -y elasticsearch
sudo apt-get install -y kibana
sudo apt-get install -y auditbeat

systemctl enable elasticsearch.service
systemctl enable kibana.service
systemctl enable auditbeat.service

mkdir /etc/kibana/certs
cp /etc/elasticsearch/certs/http_ca.crt /etc/kibana/certs
chown -R kibana:kibana /etc/kibana/certs
chmod -R 755 /etc/kibana/certs

Then I made these 3 files on the server:

# file: /etc/elasticsearch/elasticsearch.yml

cluster.name: my-application
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: localhost
http.port: 9200
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
cluster.initial_master_nodes: ["auditbeat"]
http.host: 0.0.0.0

# file: /etc/kibana/kibana.yml
server.port: 5601
server.host: "192.168.0.41"
server.publicBaseUrl: "http://192.168.0.41:5601"
elasticsearch.hosts: ["https://localhost:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "ABCD1234"
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/certs/http_ca.crt" ]
elasticsearch.ssl.verificationMode: none
logging:
  appenders:
    file:
      type: file
      fileName: /var/log/kibana/kibana.log
      layout:
        type: json
  root:
    appenders:
      - default
      - file
pid.file: /run/kibana/kibana.pid


# file: /etc/auditbeat/auditbeat.yml

auditbeat.modules:
- module: auditd
  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
  audit_rules: |
- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
- module: system
  datasets:
    - package # Installed, updated, and removed packages
  period: 2m # The frequency at which the datasets check for changes
- module: system
  datasets:
    - host    # General host information, e.g. uptime, IPs
    - login   # User logins, logouts, and system boots.
    - process # Started and stopped processes
    - socket  # Opened and closed sockets
    - user    # User information
  state.period: 1m
  user.detect_password_changes: true
  login.wtmp_file_pattern: /var/log/wtmp*
  login.btmp_file_pattern: /var/log/btmp*
setup.template.settings:
  index.number_of_shards: 1
setup.dashboards.enabled: true
setup.kibana:
  host: "192.168.0.41:5601"
output.elasticsearch:
  hosts: ["localhost:9200"]
  protocol: "https"
  username: "elastic"
  password: "ABCD1234"
  ssl.verification_mode: none
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~

Then I typed systemctl start elasticsearch.service.

Once elasticsearch.service is up, I typed these two commands to reset the password for elastic and kibana_system to simply ABCD1234:

/usr/share/elasticsearch/bin/elasticsearch-reset-password -i -u elastic
# when prompted, type in password ABCD1234
/usr/share/elasticsearch/bin/elasticsearch-reset-password -i -u kibana_system
# when prompted, type in password ABCD1234

Then I started Kibana with systemctl start kibana.service. I log in to the website at http://192.168.0.41:5601 with the user elastic and password ABCD1234 to confirm everything is working.

Then I ran this command to set up and start auditbeat:

/usr/share/auditbeat/bin/auditbeat setup -c /etc/auditbeat/auditbeat.yml --path.home /usr/share/auditbeat/ --path.config /etc/auditbeat/ --path.data /var/lib/auditbeat --path.logs /var/log/auditbeat

systemctl start auditbeat.service

Then I see failures with auditbeat that show this error:

{"log.level":"error","@timestamp":"2022-11-13T23:01:44.731Z","log.origin":{"file.name":"instance/beat.go","file.line":1056},"message":"Exiting: 1 error: failed to create audit client: failed to get audit status: connection refused","service.name":"auditbeat","ecs.version":"1.6.0"}

What did I do wrong?


In case it helps, here is a 2 minute video recording of me performing all the steps above from setting up ubuntu up until the point I get the error with auditbeat:

Can you share more of the Auditbeat log please, preferably from when it starts up to when it errors.

Sure, here's what happens when I systemctl start auditbeat.service

Nov 15 13:22:32 auditbeat systemd[1]: Started Audit the activities of users and processes on your system..
Nov 15 13:22:32 auditbeat auditbeat[286043]: {"log.level":"info","@timestamp":"2022-11-15T13:22:32.587Z","log.origin":{"file.name":"instance/beat.go","file.line":707},"message":"Home path: [/usr/share/auditbeat] Config path: [/etc/auditbeat] Data path: [/var/lib/auditbeat] Logs path: [/var/log/auditbeat]","service.name":"auditbeat","ecs.version":"1.6.0"}
Nov 15 13:22:32 auditbeat auditbeat[286043]: {"log.level":"info","@timestamp":"2022-11-15T13:22:32.587Z","log.origin":{"file.name":"instance/beat.go","file.line":715},"message":"Beat ID: d78dd929-79bb-4a76-b844-7c9faa4a6d3e","service.name":"auditbeat","ecs.version":"1.6.0"}
Nov 15 13:22:35 auditbeat auditbeat[286043]: {"log.level":"warn","@timestamp":"2022-11-15T13:22:35.589Z","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/provider_aws_ec2.go","file.line":81},"message":"read token request for getting IMDSv2 token returns empty: Put \"http://169.254.169.254/latest/api/token\": context deadline exceeded (Client.Timeout exceeded while awaiting headers). No token in the metadata request will be used.","service.name":"auditbeat","ecs.version":"1.6.0"}
Nov 15 13:22:35 auditbeat auditbeat[286043]: {"log.level":"info","@timestamp":"2022-11-15T13:22:35.591Z","log.logger":"seccomp","log.origin":{"file.name":"seccomp/seccomp.go","file.line":124},"message":"Syscall filter successfully installed","service.name":"auditbeat","ecs.version":"1.6.0"}
Nov 15 13:22:35 auditbeat auditbeat[286043]: {"log.level":"info","@timestamp":"2022-11-15T13:22:35.591Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1081},"message":"Beat info","service.name":"auditbeat","system_info":{"beat":{"path":{"config":"/etc/auditbeat","data":"/var/lib/auditbeat","home":"/usr/share/auditbeat","logs":"/var/log/auditbeat"},"type":"auditbeat","uuid":"d78dd929-79bb-4a76-b844-7c9faa4a6d3e"},"ecs.version":"1.6.0"}}
Nov 15 13:22:35 auditbeat auditbeat[286043]: {"log.level":"info","@timestamp":"2022-11-15T13:22:35.591Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1090},"message":"Build info","service.name":"auditbeat","system_info":{"build":{"commit":"6d6754fcb0adf6a2191b055d35f694c961c8ba40","libbeat":"8.5.0","time":"2022-10-24T09:36:35.000Z","version":"8.5.0"},"ecs.version":"1.6.0"}}
Nov 15 13:22:35 auditbeat auditbeat[286043]: {"log.level":"info","@timestamp":"2022-11-15T13:22:35.591Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1093},"message":"Go runtime info","service.name":"auditbeat","system_info":{"go":{"os":"linux","arch":"amd64","max_procs":2,"version":"go1.18.7"},"ecs.version":"1.6.0"}}
Nov 15 13:22:35 auditbeat auditbeat[286043]: {"log.level":"info","@timestamp":"2022-11-15T13:22:35.592Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1097},"message":"Host info","service.name":"auditbeat","system_info":{"host":{"architecture":"x86_64","boot_time":"2022-10-30T22:29:58Z","containerized":false,"name":"auditbeat","ip":["127.0.0.1/8","::1/128","192.168.0.41/24","fe80::9441:b0ff:feaf:2b67/64"],"kernel_version":"5.13.19-2-pve","mac":["96:41:b0:af:2b:67"],"os":{"type":"linux","family":"debian","platform":"ubuntu","name":"Ubuntu","version":"20.04.5 LTS (Focal Fossa)","major":20,"minor":4,"patch":5,"codename":"focal"},"timezone":"UTC","timezone_offset_sec":0,"id":"8f90c76efb894f1291acfe5d3b0f9b56"},"ecs.version":"1.6.0"}}
Nov 15 13:22:35 auditbeat auditbeat[286043]: {"log.level":"info","@timestamp":"2022-11-15T13:22:35.593Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1126},"message":"Process info","service.name":"auditbeat","system_info":{"process":{"capabilities":{"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"ambient":null},"cwd":"/","exe":"/usr/share/auditbeat/bin/auditbeat","name":"auditbeat","pid":286043,"ppid":1,"seccomp":{"mode":"filter","no_new_privs":true},"start_time":"2022-11-15T13:22:31.530Z"},"ecs.version":"1.6.0"}}
Nov 15 13:22:35 auditbeat auditbeat[286043]: {"log.level":"info","@timestamp":"2022-11-15T13:22:35.593Z","log.origin":{"file.name":"instance/beat.go","file.line":293},"message":"Setup Beat: auditbeat; Version: 8.5.0","service.name":"auditbeat","ecs.version":"1.6.0"}
Nov 15 13:22:35 auditbeat auditbeat[286043]: {"log.level":"warn","@timestamp":"2022-11-15T13:22:35.597Z","log.logger":"cfgwarn","log.origin":{"file.name":"tlscommon/config.go","file.line":102},"message":"DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0","service.name":"auditbeat","ecs.version":"1.6.0"}
Nov 15 13:22:35 auditbeat auditbeat[286043]: {"log.level":"info","@timestamp":"2022-11-15T13:22:35.597Z","log.logger":"esclientleg","log.origin":{"file.name":"eslegclient/connection.go","file.line":108},"message":"elasticsearch url: https://localhost:9200","service.name":"auditbeat","ecs.version":"1.6.0"}
Nov 15 13:22:35 auditbeat auditbeat[286043]: {"log.level":"warn","@timestamp":"2022-11-15T13:22:35.597Z","log.logger":"tls","log.origin":{"file.name":"tlscommon/tls_config.go","file.line":104},"message":"SSL/TLS verifications disabled.","service.name":"auditbeat","ecs.version":"1.6.0"}
Nov 15 13:22:35 auditbeat auditbeat[286043]: {"log.level":"info","@timestamp":"2022-11-15T13:22:35.597Z","log.logger":"publisher","log.origin":{"file.name":"pipeline/module.go","file.line":113},"message":"Beat name: auditbeat","service.name":"auditbeat","ecs.version":"1.6.0"}
Nov 15 13:22:35 auditbeat auditbeat[286043]: {"log.level":"info","@timestamp":"2022-11-15T13:22:35.598Z","log.logger":"auditd","log.origin":{"file.name":"auditd/audit_linux.go","file.line":107},"message":"auditd module is running as euid=0 on kernel=5.13.19-2-pve","service.name":"auditbeat","ecs.version":"1.6.0"}
Nov 15 13:22:35 auditbeat auditbeat[286043]: {"log.level":"info","@timestamp":"2022-11-15T13:22:35.598Z","log.origin":{"file.name":"instance/beat.go","file.line":426},"message":"auditbeat stopped.","service.name":"auditbeat","ecs.version":"1.6.0"}
Nov 15 13:22:35 auditbeat auditbeat[286043]: {"log.level":"error","@timestamp":"2022-11-15T13:22:35.598Z","log.origin":{"file.name":"instance/beat.go","file.line":1056},"message":"Exiting: 1 error: failed to create audit client: failed to get audit status: connection refused","service.name":"auditbeat","ecs.version":"1.6.0"}
Nov 15 13:22:35 auditbeat auditbeat[286043]: Exiting: 1 error: failed to create audit client: failed to get audit status: connection refused
Nov 15 13:22:35 auditbeat systemd[1]: auditbeat.service: Main process exited, code=exited, status=1/FAILURE
Nov 15 13:22:35 auditbeat systemd[1]: auditbeat.service: Failed with result 'exit-code'.
Nov 15 13:22:35 auditbeat systemd[1]: auditbeat.service: Scheduled restart job, restart counter is at 11.
Nov 15 13:22:35 auditbeat systemd[1]: Stopped Audit the activities of users and processes on your system..

Also, I don't know if this helps, but I tried using this /etc/auditbeat/auditbeat.yml

auditbeat.modules:
- module: auditd
  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
  audit_rules: |
- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
- module: system
  datasets:
    - package # Installed, updated, and removed packages
  period: 2m # The frequency at which the datasets check for changes
- module: system
  datasets:
    - host    # General host information, e.g. uptime, IPs
    - login   # User logins, logouts, and system boots.
    - process # Started and stopped processes
    - socket  # Opened and closed sockets
    - user    # User information
  state.period: 1m
  user.detect_password_changes: true
  login.wtmp_file_pattern: /var/log/wtmp*
  login.btmp_file_pattern: /var/log/btmp*
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
output.file:
  filename: a.log
  path: /var/log/auditbeat

which I think outputs auditbeat content to a file /var/log/auditbeat/a.log. When I do a systemctl start auditbeat.service, I also get a connection refused and failed to create audit client error like this:

Nov 15 13:36:18 auditbeat systemd[1]: Started Audit the activities of users and processes on your system..
Nov 15 13:36:18 auditbeat auditbeat[287958]: {"log.level":"info","@timestamp":"2022-11-15T13:36:18.583Z","log.origin":{"file.name":"instance/beat.go","file.line":707},"message":"Home path: [/usr/share/auditbeat] Config path: [/etc/auditbeat] Data path: [/var/lib/auditbeat] Logs path: [/var/log/auditbeat]","service.name":"auditbeat","ecs.version":"1.6.0"}
Nov 15 13:36:18 auditbeat auditbeat[287958]: {"log.level":"info","@timestamp":"2022-11-15T13:36:18.583Z","log.origin":{"file.name":"instance/beat.go","file.line":715},"message":"Beat ID: d78dd929-79bb-4a76-b844-7c9faa4a6d3e","service.name":"auditbeat","ecs.version":"1.6.0"}
Nov 15 13:36:21 auditbeat auditbeat[287958]: {"log.level":"warn","@timestamp":"2022-11-15T13:36:21.585Z","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/provider_aws_ec2.go","file.line":81},"message":"read token request for getting IMDSv2 token returns empty: Put \"http://169.254.169.254/latest/api/token\": context deadline exceeded (Client.Timeout exceeded while awaiting headers). No token in the metadata request will be used.","service.name":"auditbeat","ecs.version":"1.6.0"}
Nov 15 13:36:21 auditbeat auditbeat[287958]: {"log.level":"info","@timestamp":"2022-11-15T13:36:21.586Z","log.logger":"seccomp","log.origin":{"file.name":"seccomp/seccomp.go","file.line":124},"message":"Syscall filter successfully installed","service.name":"auditbeat","ecs.version":"1.6.0"}
Nov 15 13:36:21 auditbeat auditbeat[287958]: {"log.level":"info","@timestamp":"2022-11-15T13:36:21.586Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1081},"message":"Beat info","service.name":"auditbeat","system_info":{"beat":{"path":{"config":"/etc/auditbeat","data":"/var/lib/auditbeat","home":"/usr/share/auditbeat","logs":"/var/log/auditbeat"},"type":"auditbeat","uuid":"d78dd929-79bb-4a76-b844-7c9faa4a6d3e"},"ecs.version":"1.6.0"}}
Nov 15 13:36:21 auditbeat auditbeat[287958]: {"log.level":"info","@timestamp":"2022-11-15T13:36:21.586Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1090},"message":"Build info","service.name":"auditbeat","system_info":{"build":{"commit":"6d6754fcb0adf6a2191b055d35f694c961c8ba40","libbeat":"8.5.0","time":"2022-10-24T09:36:35.000Z","version":"8.5.0"},"ecs.version":"1.6.0"}}
Nov 15 13:36:21 auditbeat auditbeat[287958]: {"log.level":"info","@timestamp":"2022-11-15T13:36:21.586Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1093},"message":"Go runtime info","service.name":"auditbeat","system_info":{"go":{"os":"linux","arch":"amd64","max_procs":2,"version":"go1.18.7"},"ecs.version":"1.6.0"}}
Nov 15 13:36:21 auditbeat auditbeat[287958]: {"log.level":"info","@timestamp":"2022-11-15T13:36:21.587Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1097},"message":"Host info","service.name":"auditbeat","system_info":{"host":{"architecture":"x86_64","boot_time":"2022-10-30T22:29:58Z","containerized":false,"name":"auditbeat","ip":["127.0.0.1/8","::1/128","192.168.0.41/24","fe80::9441:b0ff:feaf:2b67/64"],"kernel_version":"5.13.19-2-pve","mac":["96:41:b0:af:2b:67"],"os":{"type":"linux","family":"debian","platform":"ubuntu","name":"Ubuntu","version":"20.04.5 LTS (Focal Fossa)","major":20,"minor":4,"patch":5,"codename":"focal"},"timezone":"UTC","timezone_offset_sec":0,"id":"8f90c76efb894f1291acfe5d3b0f9b56"},"ecs.version":"1.6.0"}}
Nov 15 13:36:21 auditbeat auditbeat[287958]: {"log.level":"info","@timestamp":"2022-11-15T13:36:21.588Z","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1126},"message":"Process info","service.name":"auditbeat","system_info":{"process":{"capabilities":{"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"ambient":null},"cwd":"/","exe":"/usr/share/auditbeat/bin/auditbeat","name":"auditbeat","pid":287958,"ppid":1,"seccomp":{"mode":"filter","no_new_privs":true},"start_time":"2022-11-15T13:36:17.530Z"},"ecs.version":"1.6.0"}}
Nov 15 13:36:21 auditbeat auditbeat[287958]: {"log.level":"info","@timestamp":"2022-11-15T13:36:21.588Z","log.origin":{"file.name":"instance/beat.go","file.line":293},"message":"Setup Beat: auditbeat; Version: 8.5.0","service.name":"auditbeat","ecs.version":"1.6.0"}
Nov 15 13:36:21 auditbeat auditbeat[287958]: {"log.level":"info","@timestamp":"2022-11-15T13:36:21.592Z","log.logger":"file","log.origin":{"file.name":"fileout/file.go","file.line":102},"message":"Initialized file output. path=/var/log/auditbeat/a.log max_size_bytes=10485760 max_backups=7 permissions=-rw-------","service.name":"auditbeat","ecs.version":"1.6.0"}
Nov 15 13:36:21 auditbeat auditbeat[287958]: {"log.level":"info","@timestamp":"2022-11-15T13:36:21.592Z","log.logger":"publisher","log.origin":{"file.name":"pipeline/module.go","file.line":113},"message":"Beat name: auditbeat","service.name":"auditbeat","ecs.version":"1.6.0"}
Nov 15 13:36:21 auditbeat auditbeat[287958]: {"log.level":"info","@timestamp":"2022-11-15T13:36:21.593Z","log.logger":"auditd","log.origin":{"file.name":"auditd/audit_linux.go","file.line":107},"message":"auditd module is running as euid=0 on kernel=5.13.19-2-pve","service.name":"auditbeat","ecs.version":"1.6.0"}
Nov 15 13:36:21 auditbeat auditbeat[287958]: {"log.level":"info","@timestamp":"2022-11-15T13:36:21.593Z","log.origin":{"file.name":"instance/beat.go","file.line":426},"message":"auditbeat stopped.","service.name":"auditbeat","ecs.version":"1.6.0"}
Nov 15 13:36:21 auditbeat auditbeat[287958]: {"log.level":"error","@timestamp":"2022-11-15T13:36:21.593Z","log.origin":{"file.name":"instance/beat.go","file.line":1056},"message":"Exiting: 1 error: failed to create audit client: failed to get audit status: connection refused","service.name":"auditbeat","ecs.version":"1.6.0"}
Nov 15 13:36:21 auditbeat auditbeat[287958]: Exiting: 1 error: failed to create audit client: failed to get audit status: connection refused
Nov 15 13:36:21 auditbeat systemd[1]: auditbeat.service: Main process exited, code=exited, status=1/FAILURE
Nov 15 13:36:21 auditbeat systemd[1]: auditbeat.service: Failed with result 'exit-code'.
Nov 15 13:36:21 auditbeat systemd[1]: auditbeat.service: Scheduled restart job, restart counter is at 45.
Nov 15 13:36:21 auditbeat systemd[1]: Stopped Audit the activities of users and processes on your system..

@warkolm I was able to isolate the problem! But I don't know why it is a problem!

If my ubuntu 20.04 is running in a container (in my case a proxmox hypervisor), then auditbeat will give the connection refused error as stated in my original question.

If my ubuntu 20.04 is running in a virtual machine (in my proxmox hypervisor), then auditbeat will work correctly.

Do you know why auditbeat works in a VM but not in a Container? Thank you!
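An added diagnostic for the question just above; it is not part of the thread and not auditbeat's or Elastic's code. auditbeat's auditd module opens a NETLINK_AUDIT socket and sends an AUDIT_GET request to read the audit status. The Linux kernel only services audit control requests from the initial user namespace; from any child user namespace it answers with ECONNREFUSED, which auditbeat reports as "failed to get audit status: connection refused". An unprivileged LXC container (Proxmox's default) runs in its own user namespace, so the request is refused, while a VM boots its own kernel and works. The script below checks which user namespace the process is in from /proc/self/uid_map and, where auditctl is installed, sends the same status request. The file name audit-ns-check.sh and the helper names are assumptions; the uid_map path is a parameter so constructed mappings can be checked offline.

```shell
#!/bin/sh
# audit-ns-check.sh (assumed name): added diagnostic, not Elastic's code.
# auditbeat's auditd module sends AUDIT_GET over a NETLINK_AUDIT socket. The
# kernel only answers audit control requests from the initial user namespace;
# from a child user namespace (an unprivileged LXC container, for example) it
# replies with ECONNREFUSED, which auditbeat logs as
# "failed to get audit status: connection refused".

# uid_map_is_init FILE
# Returns 0 when FILE holds the initial user namespace's identity mapping
# ("0 0 4294967295"), 1 for any other mapping, i.e. a child user namespace.
# FILE is normally /proc/self/uid_map; it is a parameter so that constructed
# mappings can be checked without root or a container.
uid_map_is_init() {
    # Collapse the column padding /proc uses so the comparison is exact.
    map=$(tr -s ' \t' ' ' < "$1" 2>/dev/null | sed 's/^ //; s/ $//')
    [ "$map" = "0 0 4294967295" ]
}

# audit_netlink_reachable
# Best-effort live probe: "auditctl -s" sends the same AUDIT_GET request as
# auditbeat. Returns 0 when the kernel answers, 1 when it does not,
# 2 when auditctl (package auditd) is not installed.
audit_netlink_reachable() {
    command -v auditctl >/dev/null 2>&1 || return 2
    auditctl -s >/dev/null 2>&1
}

# diagnose [UID_MAP_FILE]
# Prints a verdict. Returns 0 when the auditd module can be expected to reach
# the kernel audit subsystem from here, 1 when it cannot.
diagnose() {
    map_file=${1:-/proc/self/uid_map}
    virt=$(systemd-detect-virt -c 2>/dev/null)   # "lxc", "docker", "none", ...
    [ -n "$virt" ] || virt=unknown

    if ! uid_map_is_init "$map_file"; then
        echo "user namespace: child (container type: $virt)"
        echo "verdict: the kernel refuses audit control requests from here;"
        echo "         run the auditd module on the host or in a VM instead"
        return 1
    fi

    echo "user namespace: initial (container type: $virt)"
    rc=0
    audit_netlink_reachable || rc=$?
    case $rc in
        0) echo "verdict: audit netlink answered, the auditd module should work"
           return 0 ;;
        1) echo "verdict: auditctl -s failed in the initial namespace;"
           echo "         run it by hand to see the exact error"
           return 1 ;;
        *) echo "verdict: namespace OK; install auditd for a live auditctl -s probe"
           return 0 ;;
    esac
}

# When run as a script, check the current process; the verdict is printed and
# kept in $result (0 = OK, 1 = refused) for callers that source this file.
result=0
diagnose "$@" || result=$?
```

Run it once inside the container and once inside the VM: the container prints the child-namespace verdict, which is exactly the refusal in the logs above. The design point for monitoring is that containers share the host kernel's single audit subsystem, so auditd-style collection belongs on the Proxmox host or in a VM with its own kernel; the file_integrity and system modules do not use the audit netlink socket and can still run inside the container once the auditd module is removed from auditbeat.modules.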

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.