Auditbeat installation replaces custom config with example

antwan · September 14, 2018, 10:18am

On CentOS 6, using beats 6.4.0, I create custom configs in /etc/"beat"/"beat".yml.
After deploying Filebeat and Packetbeat I end up with "beat".yml.rpmnew, and they work as intended.

But with Auditbeat, I end up with the default example auditbeat.yml only, having replaced my own auditbeat.yml. This in turn include the 32-bit sample rules in /etc/auditbeat/audit_rules.d/ effectively bricking the installation.

I use ansible to install my beats, and the Filebeat, Packetbeat and Auditbeat roles are identical in their setup, so I am pretty sure the problem is upstream..

Has anyone else seen this?

andrewkroh · September 14, 2018, 1:25pm

Yeah, we saw the problem and it should be fixed in the next release we make. We refactored our packaging process in 6.4.0, but unfortunately broke something.

Details are in https://github.com/elastic/beats/pull/8078.

If you want to test one of the fixed binaries prior to release you can get a snapshot build from jenkins.

antwan · September 14, 2018, 3:38pm

Great!

system · October 5, 2018, 3:38pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Configuring Auditbeat to only report modifications to files I want to monitor Beats auditbeat	7	1222	October 23, 2018
Community_ID Beats auditbeat	8	403	July 1, 2019
Configure Packetbeat prior to building MacOS pkg Beats packetbeat	6	430	December 22, 2020
Auditbeat test config fails when auditbeat already running Beats	1	667	February 20, 2020
Auditbeat on docker fails to run auditd module Beats docker , auditbeat	17	1729	October 22, 2021

Auditbeat installation replaces custom config with example

Related topics