Auditbeat getsockopt: connection refused

I'm running Elasticsearch and Kibana on the host machine and I want to send the Auditbeat data from Ubuntu running on VirtualBox to the host machine. Please help me with it.

@Richard_Phillips_Roy Can you describe how you have set up the systems (esp. network) and post the Auditbeat log incl. the getsockopt error message? Maybe also run Auditbeat with debug logging enabled (append -e -d "*" when running it).

Btw, what I do in this scenario is log in from the host machine to the virtual one using ssh and port forwarding with -R 9200:localhost:9200. That will make it look to Auditbeat in the virtual machine as if Elasticsearch is running inside the virtual machine.

How do I enable the auditd module inside Auditbeat 7.1?
Here is my configuration:
https://pastebin.com/0Trg6rmm
I'm getting this error when I tried to set up the Kibana dashboards:
Exiting: 1 error: 1 error: metricset 'auditd/kernel' is not registered, module not found

Ah, I see. With Auditbeat 6.2, we unbundled the kernel and file metricsets into their own modules: auditd and file_integrity. So there are no more metricsets.

You can see the current configuration reference file here (also ships with Auditbeat).

So what you would do is change to:

- module: auditd
  audit_rules: |
    <your rules go here>

- module: file_integrity
  paths:
    <your paths go here>

Okay, thank you.
How do I start the auditd service?
I created a rules.conf file in the audit.rules.d folder and wrote some rules, and I changed the auditbeat.yml to point at the rules file: audit_rule_files: ['$/etc/auditbeat/audit.rules.d/rules.conf' ]
and when I run sudo auditbeat show auditd-rules
No rules
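For reference, here is a complete auditbeat.yml that puts together the pieces discussed in this thread: the auditd and file_integrity modules that replaced the old kernel/file metricsets, rule files loaded from the config directory, and Elasticsearch reached through the ssh -R 9200:localhost:9200 tunnel suggested above. This is an added example, not a config from the thread or shipped by Elastic; the audit rules, the file_integrity paths and the Kibana forward are illustrative assumptions, while the audit_rule_files glob is the default from the Auditbeat reference config.

```yaml
# Added example (not from the thread): auditbeat.yml for Auditbeat 6.2+/7.x on the
# VirtualBox guest. Rules, paths and the Kibana forward below are assumptions.
auditbeat.modules:

- module: auditd
  # Default glob from the reference config: every *.conf in audit.rules.d under
  # the config directory (e.g. /etc/auditbeat/audit.rules.d/rules.conf).
  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
  # Inline rules (auditctl syntax) are appended after the rule files.
  # Illustrative: watch identity files for writes and record every execve.
  audit_rules: |
    -w /etc/passwd -p wa -k identity
    -w /etc/group -p wa -k identity
    -a always,exit -F arch=b64 -S execve -k exec

- module: file_integrity
  # Illustrative set of directories to hash and watch for changes.
  paths:
    - /bin
    - /usr/bin
    - /sbin
    - /usr/sbin
    - /etc

setup.kibana:
  # Kibana also runs on the host; forward it the same way from the host:
  #   ssh -R 5601:localhost:5601 <user>@<vm>
  host: "localhost:5601"

output.elasticsearch:
  # With `ssh -R 9200:localhost:9200 <user>@<vm>` established from the host,
  # localhost:9200 inside the guest is the host's Elasticsearch.
  hosts: ["localhost:9200"]
```

After editing, `auditbeat test config -c auditbeat.yml` checks the YAML parses and the modules are known, and `sudo auditbeat show auditd-rules` lists the rules Auditbeat would load from both the rule files and the inline block; an empty listing means the glob matched no files or the rule lines were rejected.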
