Why are some events in my socket dataset missing process info?
Hey @bolemebrige, welcome to discuss
Could you give more details about the kind of sockets or processes you are missing this info from?
What version of Auditbeat are you running? Is it running as root?
Not sure if related, but there is an open issue that mentions reliability issues on process enrichment under some circumstances: https://github.com/elastic/beats/issues/17444
I'm running version 7.10.
So some events in the socket dataset are simply missing info about the process related to that event.
auditbeat is run with `sudo service auditbeat start`.
Some are missing only process.name, and some are missing both process.name and process.pid.
Example 1:
Time | process.name | process.pid | source.port | destination.port | event.type | network.direction
---|---|---|---|---|---|---
Jan 12, 2021 @ 18:25:15.626 | - | 20,840 | 52,143 | 443 | info, connection | inbound
Jan 12, 2021 @ 18:25:07.626 | - | 20,840 | 55,993 | 80 | info, connection | inbound
Jan 12, 2021 @ 18:25:07.626 | - | 20,840 | 55,994 | 443 | info, connection | inbound
Jan 12, 2021 @ 18:24:05.626 | - | 20,840 | 55,988 | 443 | info, connection | inbound
Jan 12, 2021 @ 18:24:05.626 | - | 20,840 | 55,986 | 80 | info, connection | inbound
Jan 12, 2021 @ 18:23:40.627 | - | 20,840 | 34,852 | 80 | info, connection | inbound
Jan 12, 2021 @ 18:23:40.626 | - | 20,840 | 57,732 | 443 | info, connection | inbound
Example 2:
Time | process.name | process.pid | source.port | destination.port | event.type | network.direction
---|---|---|---|---|---|---
Jan 12, 2021 @ 18:09:16.626 | - | - | 443 | 59,780 | info, connection | unknown
Jan 12, 2021 @ 18:09:12.626 | - | - | 443 | 57,144 | info, connection | unknown
Jan 12, 2021 @ 18:09:01.626 | - | - | 443 | 49,064 | info, connection | unknown
Jan 12, 2021 @ 18:08:51.626 | - | - | 443 | 42,194 | info, connection | unknown
Jan 12, 2021 @ 18:05:59.626 | - | - | 443 | 60,377 | info, connection | unknown
Jan 12, 2021 @ 17:25:59.626 | - | - | 443 | 59,677 | info, connection | unknown
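The two tables above show two distinct gaps: events with a pid but no process.name, and events with neither (and network.direction "unknown"). The following is an added example, not code from the thread or from Auditbeat, that triages exported socket-dataset events along those lines and, for the pid-only case, tries to recover the name from `/proc/<pid>/comm`. If that lookup fails the process has already exited, which is one thing worth checking for short-lived connections. The NDJSON input is constructed here to mirror the tables; the field names follow the ECS layout Auditbeat emits, but the `triage`/`classify`/`fill_name` helpers and the sample values are this example's own.

```python
import json
import os
from collections import Counter

# Constructed sample of auditbeat socket-dataset events (NDJSON), modelled on
# the two tables above: pid present but name missing, both missing with
# network.direction "unknown", and one fully enriched event for contrast.
# This is not captured data.
SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in [
    {"@timestamp": "2021-01-12T18:25:15.626Z", "event": {"type": ["info", "connection"]},
     "process": {"pid": 20840}, "source": {"port": 52143}, "destination": {"port": 443},
     "network": {"direction": "inbound"}},
    {"@timestamp": "2021-01-12T18:09:16.626Z", "event": {"type": ["info", "connection"]},
     "source": {"port": 443}, "destination": {"port": 59780},
     "network": {"direction": "unknown"}},
    {"@timestamp": "2021-01-12T18:00:00.000Z", "event": {"type": ["info", "connection"]},
     "process": {"pid": 1234, "name": "nginx"}, "source": {"port": 443},
     "destination": {"port": 40000}, "network": {"direction": "inbound"}},
])


def classify(event):
    """Return which process fields are absent: 'complete', 'name_missing' or 'process_missing'."""
    proc = event.get("process") or {}
    pid = proc.get("pid")
    name = proc.get("name")
    if pid is None and name is None:
        return "process_missing"
    if name is None:
        return "name_missing"
    return "complete"


def read_proc_comm(pid):
    """Default resolver: read /proc/<pid>/comm; None if the process no longer exists."""
    try:
        with open(os.path.join("/proc", str(pid), "comm")) as f:
            return f.read().strip()
    except OSError:
        return None


def fill_name(event, resolve=read_proc_comm):
    """For an event carrying only a pid, try to recover process.name via `resolve(pid)`.

    Returns the name now on the event, or None when the pid cannot be resolved
    (typically a short-lived process that exited before the lookup).
    """
    proc = event.get("process") or {}
    if proc.get("pid") is None or proc.get("name") is not None:
        return proc.get("name")
    name = resolve(proc["pid"])
    if name is not None:
        proc["name"] = name
        event["process"] = proc
    return name


def triage(ndjson_text, resolve=read_proc_comm):
    """Parse NDJSON events, classify each one, attempt recovery for pid-only events,
    and return a count per category."""
    summary = Counter()
    for line in ndjson_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        category = classify(event)
        if category == "name_missing" and fill_name(event, resolve) is not None:
            category = "recovered_from_proc"
        summary[category] += 1
    return dict(summary)


if __name__ == "__main__":
    # On a live host this consults /proc; pids from the constructed sample will
    # normally not exist there, so they stay in the name_missing bucket.
    print(triage(SAMPLE_NDJSON))
```

Run it against a real export with `auditbeat` writing to the file output and `triage(open("auditbeat.ndjson").read())`; the "process_missing" bucket with direction "unknown" cannot be recovered this way at all, since there is no pid to look up, and is the pattern to report in the linked issue together with debug logs.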
Hi @bolemebrige,
Which kernel version and Linux distro are you using?
Can you share some debug logs?
Linux version 4.19.0-11-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.146-1 (2020-09-17)
When I run `auditbeat -e` there are no error logs, although I get events with the same problem...