Auditbeat failed to create audit client & failed to get audit status: operation not permitted

Elastic Stack Beats
1

Hello,

I'm trying to get my Auditbeat running and I keep getting this error:

Exiting: 1 error: 1 error: failed to create audit client: failed to get audit status: operation not permitted

My Auditbeat config looks like this:

  auditbeat:
    image: docker.elastic.co/beats/auditbeat:7.6.2
    pid: host
    cap_add:
      - AUDIT_CONTROL
      - AUDIT_READ
    command: -e -E 'output.elasticsearch.password=changeme'
    configs:
      - source: auditb_config.v3
        target: /usr/share/auditbeat/auditbeat.yml
    privileged: true
    networks:
      - elastic_elknet

When I deploy the stack I have this warning the beginning of the deployment:

Ignoring unsupported options: cap_add, pid, privileged.

I'm running my yml file on version 3.7

Any suggestions would be appreciated,
Thanks

2

Sounds like the container isn't running with the required capabilities because something went wrong. You can probably check this by using docker inspect to look at the running container. Or at an ever lower level with getpcaps "$(pgrep auditbeat)" on the host machine.

I guess there's an issue with the docker-compose file.

3

Hi Andrew,

My Auditbeat compose file looks like this:

  auditbeat:
    image: docker.elastic.co/beats/auditbeat:7.6.2
    user: root
    pid: host
    cap_add:
      - AUDIT_CONTROL
      - AUDIT_READ
    command: -e -E 'output.elasticsearch.password=changeme'
    configs:
      - source: auditb_config.v3
        target: /usr/share/auditbeat/auditbeat.yml
    privileged: true
    networks:
      - elastic_elknet

When I ran the command getpcaps, I get the following

Capabilities for ': = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read+ep`

For what I've found on the forums I think its a problem with swarm and accepting this environment variables.

4

Yep, swarm issue.

From the docker-compose docs:

Note when using docker stack deploy

The cap_add and cap_drop options are ignored when deploying a stack in swarm mode

5

Thank you anyway for confirming my suspicions.

6

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.