AuditBeat failed to create audit client: protocol not supported

Elastic Stack Beats
1

Auditbeat is failing to start successfully with the error message:

2018-07-04T18:01:32.410Z ERROR instance/beat.go:691 Exiting: 1 error: 1 error: failed to create audit client: failed to create audit client: protocol not supported

I ran it in debug mode with the following command:
auditbeat -c /etc/auditbeat/auditbeat.yml -e -d "*"

Below is the output:

2018-07-04T18:01:32.403Z INFO instance/beat.go:492 Home path: [/usr/share/auditbeat] Config path: [/etc/auditbeat] Data path: [/var/lib/auditbeat] Logs path: [/var/log/auditbeat]
2018-07-04T18:01:32.403Z DEBUG [beat] instance/beat.go:519 Beat metadata path: /var/lib/auditbeat/meta.json
2018-07-04T18:01:32.403Z INFO instance/beat.go:499 Beat UUID: 78cc0659-5e94-4cd7-8442-b75310dc37c4
2018-07-04T18:01:32.403Z INFO [beat] instance/beat.go:716 Beat info {"system_info": {"beat": {"path": {"config": "/etc/auditbeat", "data": "/var/lib/auditbeat", "home": "/usr/share/auditbeat", "logs": "/var/log/auditbeat"}, "type": "auditbeat", "uuid": "78cc0659-5e94-4cd7-8442-b75310dc37c4"}}}
2018-07-04T18:01:32.403Z INFO [beat] instance/beat.go:725 Build info {"system_info": {"build": {"commit": "a04cb664d5fbd4b1aab485d1766f3979c138fd38", "libbeat": "6.3.0", "time": "2018-06-11T22:49:45.000Z", "version": "6.3.0"}}}
2018-07-04T18:01:32.404Z INFO [beat] instance/beat.go:728 Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":1,"version":"go1.9.4"}}}
2018-07-04T18:01:32.404Z INFO [beat] instance/beat.go:732 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2018-07-04T16:34:27Z","containerized":true,"hostname":"XXXXX","ips":["127.0.0.1/8","::1/128","10.0.3.15/24","fe80::a00:27ff:fedf:c384/64","192.168.97.97/24","fe80::a00:27ff:fe0e:fe11/64"],"kernel_version":"3.16.39+pam02","mac_addresses":["08:00:27:df:c3:84","08:00:27:0e:fe:11"],"os":{"family":"debian","platform":"debian","name":"Debian GNU/Linux","version":"8 (jessie)","major":8,"minor":0,"patch":0,"codename":"jessie"},"timezone":"UTC","timezone_offset_sec":0,"id":"90ad79efd626481e99c15419491a7edf"}}}
2018-07-04T18:01:32.405Z INFO [beat] instance/beat.go:761 Process info {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"ambient":null}, "cwd": "/root", "exe": "/usr/share/auditbeat/bin/auditbeat", "name": "auditbeat", "pid": 19950, "ppid": 9118, "seccomp": {"mode":"disabled"}, "start_time": "2018-07-04T18:01:32.100Z"}}}
2018-07-04T18:01:32.405Z INFO instance/beat.go:225 Setup Beat: auditbeat; Version: 6.3.0
2018-07-04T18:01:32.405Z DEBUG [beat] instance/beat.go:242 Initializing output plugins
2018-07-04T18:01:32.406Z DEBUG [processors] processors/processor.go:49 Processors:
2018-07-04T18:01:32.408Z DEBUG [publish] pipeline/consumer.go:120 start pipeline event consumer
2018-07-04T18:01:32.408Z INFO pipeline/module.go:81 Beat name: xxxx-xxxx
2018-07-04T18:01:32.408Z DEBUG [modules] beater/metricbeat.go:81 Register [ModuleFactory:[], MetricSetFactory:[auditd/auditd, file_integrity/file]]
2018-07-04T18:01:32.408Z DEBUG [processors] processors/processor.go:49 Processors:
2018-07-04T18:01:32.409Z INFO [auditd] auditd/audit_linux.go:65 auditd module is running as euid=0 on kernel=3.16.39+pam02
2018-07-04T18:01:32.409Z DEBUG [processors] processors/processor.go:49 Processors:
2018-07-04T18:01:32.410Z DEBUG [file_integrity] file_integrity/metricset.go:86 Initialized the file event reader. Running as euid=0
2018-07-04T18:01:32.410Z INFO instance/beat.go:275 auditbeat stopped.
2018-07-04T18:01:32.410Z ERROR instance/beat.go:691 Exiting: 1 error: 1 error: failed to create audit client: failed to create audit client: protocol not supported
Exiting: 1 error: 1 error: failed to create audit client: failed to create audit client: protocol not supported

2

This error means your kernel has been compiled without audit support. I understand it's a custom kernel? It needs:

CONFIG_AUDIT=y

3

Ah, thanks!

4

This issue affects Microsoft Windows subsystem for Linux (WSL). Auditbeat just won't start up.
Any workaround? Just want Auditbeat to send ANY events for testing tbh.

5

@Simone_Scarduzio disable the auditd module:

- module: auditd
  enabled: false

in auditbeat.yml

1 Like
6

thanks @adrisr it worked :slight_smile: