Auditbeat permission Error

Hi, I'm using ELK stack 7.1.1 with X-Pack installed and I'm trying to set up Auditbeat, but I am getting the following error:

2019-12-30T13:18:04.176+0530	ERROR	instance/beat.go:802	Exiting: 1 error: 1 error: failed to create audit client: failed to get audit status: operation not permitted
Exiting: 1 error: 1 error: failed to create audit client: failed to get audit status: operation not permitted

auditbeat.yml config:

auditbeat.modules:

- module: auditd
  # Load audit rules from separate files. Same format as audit.rules(7).
  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
  audit_rules: |

- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc

- module: system
  datasets:
    - host
    - login
    - package
    - process
    - socket
    - user

  state.period: 12h
  user.detect_password_changes: true
  login.wtmp_file_pattern: /var/log/wtmp*
  login.btmp_file_pattern: /var/log/btmp*

setup.template.settings:
  index.number_of_shards: 1
  index.codec: best_compression

setup.kibana:
  host: "localhost:5601"

output.elasticsearch:
  hosts: ["localhost:9200"]
  index: "auditbeat-7.1.1-%{+yyyy.MM.dd}"
  protocol: "https"
  username: "elastic"
  password: "mypassword"

setup.template:
  name: 'auditbeat'
  pattern: 'auditbeat-*'
  enabled: false

Please help me solve it.

Hi Vamsi,

I believe the user account has insufficient privileges. Try "sudo" on Linux/macOS or "run as administrator" on Windows.

Here's a link to some info on running Auditbeat as a non-root user as well (Linux specific, I believe).

Hope this helps!

Hi @Dain.Perkins,

Thanks for the response. I have followed the thread, but I'm getting the following error:

Exiting: 1 error: 1 error: failed to create audit client: failed to open audit netlink socket: bind failed: operation not permitted

Please help me solve it.

@irobot678

Does it work if you run it without the socket dataset enabled, or if you run it as root?

My guess is that the permission changes weren't successful or sufficient to grant the appropriate permissions to the user executing Auditbeat.

Do you have the output from the setcap command?

Thanks
/dain
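A small check for the setcap question above, added here as an example and not part of the thread or of Auditbeat itself: it parses a getcap(8) line for the auditbeat binary and reports which audit capabilities are missing, and whether they are raised into the effective set. It assumes cap_audit_control, cap_audit_read and cap_audit_write are the capabilities a non-root Auditbeat needs; the binary path in the sample line is illustrative.

```shell
#!/bin/sh
# Added example: verify that an Auditbeat binary carries the file capabilities
# needed to talk to the kernel audit subsystem without running as root.
# Assumption: these three capabilities are the ones Auditbeat needs.
REQUIRED_CAPS="cap_audit_control cap_audit_read cap_audit_write"

# Given one getcap(8) output line, e.g. (constructed sample)
#   /usr/share/auditbeat/bin/auditbeat = cap_audit_read,cap_audit_write+ep
# print the required capabilities that are absent (space separated).
# Returns 0 when nothing is missing, 1 otherwise.
missing_audit_caps() {
  line="$1"
  # Drop the path and the "=" separator (older getcap prints "path = caps+ep",
  # newer libcap prints "path caps=ep"), then drop the trailing flag set.
  caps=$(printf '%s\n' "$line" | sed -e 's/^[^ ]* *=* *//' -e 's/[+=][a-z]*$//' | tr ',' ' ')
  missing=""
  for c in $REQUIRED_CAPS; do
    found=0
    for have in $caps; do
      [ "$have" = "$c" ] && found=1
    done
    [ "$found" -eq 0 ] && missing="$missing $c"
  done
  printf '%s' "${missing# }"
  [ -z "$missing" ]
}

# Return 0 when the flag set ("ep" in "+ep" or "=ep") puts the capabilities in
# both the effective and permitted sets; "+p" alone is not enough for the
# process to actually use them.
caps_effective() {
  flags=$(printf '%s\n' "$1" | sed -n 's/.*[+=]\([a-z]*\)$/\1/p')
  case "$flags" in *e*) ;; *) return 1 ;; esac
  case "$flags" in *p*) return 0 ;; *) return 1 ;; esac
}

# On a real host (needs getcap from libcap; path is an assumption):
#   missing_audit_caps "$(getcap /usr/share/auditbeat/bin/auditbeat)"
```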