Auditbeat system module fails to start

Elastic Stack Beats
1

I'm trying to get system module of Auditbeat to work with no success. When I start Auditbeat it throws an error:
2019-03-23T09:05:16.523+0100 ERROR instance/beat.go:911 Exiting: 1 error: no metricsets configured for module 'system'

For tests I left only system module configuration in audtibeat.yml and set it to the defaults:

- module: system
  datasets:
    - host
    - process
    - socket
    - user
  period: 10s
  state.period: 12h
  user.detect_password_changes: true

In my setup auditbeat has direct connection to Elasticsearch. Elastic is in version 6.6.0 and Auditbeat is in 6.6.1. Auditbeat is running on top of ppc (but the error message doesn't suggest an platform/compliation issue). Other modules (auditd and file_integrity) works fine.

2

@Owdaan That looks weird indeed. Can you try the following:

  1. Export the parsed config with ./auditbeat export config and paste it here.
  2. Run Auditbeat with debug logging enabled and paste the output: ./auditbeat -e -d "*"
  3. Delete the datasets configuration entirely and try running it. It should default to all datasets.
1 Like
3

@cwurm Thanks for reply! Here you have the results:

Ad. 1:

auditbeat:
  modules:
  - module: system
output:
  elasticsearch:
    hosts:
    - http://<elasticsearch_ip>:9200
path:
  config: /opt/elastic/auditbeat
  data: /opt/elastic/auditbeat/data
  home: /opt/elastic/auditbeat
  logs: /opt/elastic/auditbeat/logs
processors:
- add_host_metadata: null

Ad. 2

/opt/elastic/auditbeat # ./auditbeat -e -d "*"
2019-04-02T11:53:58.239+0200    INFO    instance/beat.go:616    Home path: [/opt/elastic/auditbeat] Config path: [/opt/elastic/auditbeat] Data path: [/opt/elastic/auditbeat/data] Logs path: [/opt/elastic/auditbeat/logs]
2019-04-02T11:53:58.239+0200    DEBUG   [beat]  instance/beat.go:653    Beat metadata path: /opt/elastic/auditbeat/data/meta.json
2019-04-02T11:53:58.239+0200    INFO    instance/beat.go:623    Beat UUID: c11c97e6-4f1d-4a8a-9451-591898594b33
2019-04-02T11:53:58.239+0200    DEBUG   [seccomp]       seccomp/seccomp.go:99   No seccomp policy is defined
2019-04-02T11:53:58.239+0200    INFO    [beat]  instance/beat.go:936    Beat info       {"system_info": {"beat": {"path": {"config": "/opt/elastic/auditbeat", "data": "/opt/elastic/auditbeat/data", "home": "/opt/elastic/auditbeat", "logs": "/opt/elastic/auditbeat/logs"}, "type": "auditbeat", "uuid": "c11c97e6-4f1d-4a8a-9451-591898594b33"}}}
2019-04-02T11:53:58.239+0200    INFO    [beat]  instance/beat.go:945    Build info      {"system_info": {"build": {"commit": "b002f33ddc9bf7602dc7dbc45910bfd3f2c5df5a", "libbeat": "6.6.1", "time": "2019-02-12T14:27:01.000Z", "version": "6.6.1"}}}
2019-04-02T11:53:58.239+0200    INFO    [beat]  instance/beat.go:948    Go runtime info {"system_info": {"go": {"os":"linux","arch":"ppc64le","max_procs":8,"version":"go1.11.5"}}}
2019-04-02T11:53:58.240+0200    INFO    [beat]  instance/beat.go:952    Host info       {"system_info": {"host": {"architecture":"ppc64le","boot_time":"2018-12-10T13:08:18+01:00","containerized":false,"name":"********","ip":["127.0.0.1/8","::1/128","********/**","fe80::f8fc:31ff:fe79:b520/64"],"kernel_version":"4.4.155-94.50-default","mac":["**********"],"os":{"family":"suse","platform":"sles","name":"SLES","version":"12-SP3","major":12,"minor":0,"patch":0},"timezone":"CEST","timezone_offset_sec":7200,"id":"476d3ed2557640bbe9bf9b255c0e46e7"}}}
2019-04-02T11:53:58.240+0200    INFO    [beat]  instance/beat.go:981    Process info    {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"ambient":null}, "cwd": "/data/elastic/auditbeat", "exe": "/data/elastic/auditbeat/auditbeat", "name": "auditbeat", "pid": 24632, "ppid": 21322, "seccomp": {"mode":"disabled"}, "start_time": "2019-04-02T11:53:57.440+0200"}}}
2019-04-02T11:53:58.240+0200    INFO    instance/beat.go:281    Setup Beat: auditbeat; Version: 6.6.1
2019-04-02T11:53:58.240+0200    DEBUG   [beat]  instance/beat.go:302    Initializing output plugins
2019-04-02T11:53:58.241+0200    DEBUG   [processors]    processors/processor.go:66      Processors: add_host_metadata=[netinfo.enabled=[false], cache.ttl=[5m0s]]
2019-04-02T11:53:58.241+0200    INFO    elasticsearch/client.go:165     Elasticsearch url: http://145.218.225.21:9200
2019-04-02T11:53:58.241+0200    DEBUG   [publish]       pipeline/consumer.go:137        start pipeline event consumer
2019-04-02T11:53:58.241+0200    INFO    [publisher]     pipeline/module.go:110  Beat name: ********
2019-04-02T11:53:58.241+0200    DEBUG   [modules]       beater/metricbeat.go:103        Register [ModuleFactory:[], MetricSetFactory:[auditd/auditd, file_integrity/file]]
2019-04-02T11:53:58.241+0200    DEBUG   [processors]    processors/processor.go:66      Processors:
2019-04-02T11:53:58.241+0200    INFO    instance/beat.go:360    auditbeat stopped.
2019-04-02T11:53:58.241+0200    ERROR   instance/beat.go:911    Exiting: 1 error: no metricsets configured for module 'system'
Exiting: 1 error: no metricsets configured for module 'system'

Ad 3. I've tried with a config without dataset definition but the result is exactly the same as above.

4

@Owdaan I think I might know what's going on. How did you download or install Auditbeat?

The system module is only contained in the default (free) distribution available from https://www.elastic.co/downloads/beats/auditbeat.

The pure Apache 2.0 licensed distribution of Auditbeat does not contain the system module, only auditd and file_integrity.

5

@cwurm As mentioned in the first post I'm unfortunately running this on top of PPC so I had to build this from sources. I would love to use an official build from Elastic, but as I far as I know there no build (even unoffcial/unstable) for ppc available..

6

@Owdaan Ok, then if you build from the x-pack/auditbeat/ directory (instead of auditbeat/) you should get the default distribution including the system module.

7

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.