irobot678
(meNotHuman)
December 30, 2019, 8:02am
1
Hi, I'm using ELK stack 7.1.1 with X-Pack installed and I'm trying to set up Auditbeat, but I am getting the following error:
2019-12-30T13:18:04.176+0530 ERROR instance/beat.go:802 Exiting: 1 error: 1 error: failed to create audit client: failed to get audit status: operation not permitted
Exiting: 1 error: 1 error: failed to create audit client: failed to get audit status: operation not permitted
auditbeat.yml conf
auditbeat.modules:

- module: auditd
  # Load audit rules from separate files. Same format as audit.rules(7).
  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
  audit_rules: |

- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc

- module: system
  datasets:
    - host
    - login
    - package
    - process
    - socket
    - user
  state.period: 12h
  user.detect_password_changes: true
  login.wtmp_file_pattern: /var/log/wtmp*
  login.btmp_file_pattern: /var/log/btmp*

setup.template.settings:
  index.number_of_shards: 1
  index.codec: best_compression

setup.kibana:
  host: "localhost:5601"

output.elasticsearch:
  hosts: ["localhost:9200"]
  index: "auditbeat-7.1.1-%{+yyyy.MM.dd}"
  protocol: "https"
  username: "elastic"
  password: "mypassword"

setup.template:
  name: 'auditbeat'
  pattern: 'auditbeat-*'
  enabled: false
Please help me solve it.
Hi Vamsi,
I believe the user account has insufficient privileges. Try "sudo" on Linux/macOS or "run as administrator" (on Windows).
Here's a link to some info on running Auditbeat as a non-root user as well (Linux-specific, I believe):
Hi Elastic Team,
I run ELK on Linux (CentOS 7).
Because of a security issue, I need to run Auditbeat as a non-root user.
When running Auditbeat as a non-root user, it shows:
2019-08 WARN [cfgwarn] host/host.go:167 BETA: The system/host dataset is beta
2019-08 WARN [cfgwarn] login/login.go:95 BETA: The system/login dataset is beta
2019-08 WARN [cfgwarn] package/package.go:169 BETA: The system/package dataset is beta
2019-08 WARN [cfgwarn] …
Hope this helps!
irobot678
(meNotHuman)
January 2, 2020, 6:46am
3
Hi @Dain.Perkins,
Thanks for the response. I have followed the thread, but I'm getting the following error:
Exiting: 1 error: 1 error: failed to create audit client: failed to open audit netlink socket: bind failed: operation not permitted
Please help me solve it.
@irobot678
Does it work if you run it without the socket dataset enabled, or if you run it as root?
My guess is that the permission changes weren't successful/sufficient to grant the appropriate permissions to the user executing auditbeat.
Do you have the output from the setcap command?
Thanks
/dain
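One way to verify what the setcap step actually produced before starting Auditbeat again, written here as an added example that is not from the thread or from Elastic: it parses a getcap line for the binary and lists which of the capabilities the auditd module needs for the audit netlink socket (cap_audit_read, cap_audit_write, cap_audit_control, the set given in the Auditbeat non-root docs) are missing from the effective set. The binary path is an assumption, and other modules or datasets may need further capabilities that this check does not cover.

```shell
#!/bin/sh
# Capabilities the Auditbeat auditd module needs to open and query the
# audit netlink socket without running as root.
REQUIRED_CAPS="cap_audit_read cap_audit_write cap_audit_control"

# missing_caps LINE
# LINE is one line of getcap output (or empty when the file has no caps).
# Both output styles are handled:
#   "/path/auditbeat = cap_audit_write,cap_audit_control+eip"   (older libcap)
#   "/path/auditbeat cap_audit_write,cap_audit_control=eip"     (libcap >= 2.41)
# Prints each required capability that is absent from the effective set,
# one per line; prints nothing when the binary is correctly provisioned.
missing_caps() {
    line="$1"
    spec="${line##* }"          # last field: "caps+flags" or "caps=flags"
    flags="${spec##*[+=]}"      # text after the last '+' or '='
    caps="${spec%[+=]*}"        # comma-separated capability names
    case "$flags" in
        *e*) ;;                 # effective bit set: caps are usable
        *)   caps="" ;;         # permitted-only or no caps: nothing usable
    esac
    for cap in $REQUIRED_CAPS; do
        case ",$caps," in
            *",$cap,"*) ;;
            *) echo "$cap" ;;
        esac
    done
}

# check_auditbeat_caps BIN
# Runs getcap (from libcap) on a real binary and reports what is missing,
# printing the documented setcap fix without executing it. Path is assumed.
check_auditbeat_caps() {
    bin="$1"
    missing=$(missing_caps "$(getcap "$bin" 2>/dev/null)")
    if [ -z "$missing" ]; then
        echo "ok: $bin carries the auditd module capabilities"
        return 0
    fi
    echo "missing on $bin:" $missing
    echo "fix (as root): setcap cap_audit_read,cap_audit_write,cap_audit_control=eip $bin"
    return 1
}

# Example invocation; comment out if sourcing this file for the functions only.
# check_auditbeat_caps /usr/share/auditbeat/bin/auditbeat
```

File capabilities live in an extended attribute on the binary, so they disappear whenever the file is replaced (for example by a package upgrade); re-run the check after every update.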
system
(system)
Closed
January 27, 2020, 12:14pm
5
This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.