AuditBeat Will Not Start

Hi

A fresh install of auditbeat will not start, returning the error below.

Exiting: 1 error: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_sk_buff_proto failed: failed to monitor probe: PERF_EVENT_IOC_ID: inappropriate ioctl for device

cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 6.5 (Santiago)

uname -a
Linux REMOVED-HOSTNAME 2.6.32-431.el6.x86_64 #1 SMP Sun Nov 10 22:19:54 EST 2013 x86_64 x86_64 x86_64 GNU/Linux

rpm -qa |grep -i auditbeat
auditbeat-7.4.2-1.x86_64

auditbeat -e -d "*"

2019-11-29T16:09:36.918-0500 INFO instance/beat.go:607 Home path: [/usr/share/auditbeat] Config path: [/etc/auditbeat] Data path: [/var/lib/auditbeat] Logs path: [/var/log/auditbeat]
2019-11-29T16:09:36.918-0500 DEBUG [beat] instance/beat.go:659 Beat metadata path: /var/lib/auditbeat/meta.json
2019-11-29T16:09:36.918-0500 INFO instance/beat.go:615 Beat ID: 2e50be9a-9e4b-485b-9538-0d430fd41edb
2019-11-29T16:09:36.921-0500 DEBUG [filters] add_cloud_metadata/providers.go:126 add_cloud_metadata: starting to fetch metadata, timeout=3s
2019-11-29T16:09:39.921-0500 DEBUG [filters] add_cloud_metadata/providers.go:169 add_cloud_metadata: timed-out waiting for all responses
2019-11-29T16:09:39.921-0500 DEBUG [filters] add_cloud_metadata/providers.go:129 add_cloud_metadata: fetchMetadata ran for 3.00034529s
2019-11-29T16:09:39.921-0500 INFO add_cloud_metadata/add_cloud_metadata.go:87 add_cloud_metadata: hosting provider type not detected.
2019-11-29T16:09:39.921-0500 DEBUG [processors] processors/processor.go:101 Generated new processors: add_host_metadata=[netinfo.enabled=[false], cache.ttl=[5m0s]], add_cloud_metadata=null
2019-11-29T16:09:39.921-0500 INFO [seccomp] seccomp/seccomp.go:101 Syscall filter could not be installed because the kernel does not support seccomp
2019-11-29T16:09:39.921-0500 INFO [beat] instance/beat.go:903 Beat info {"system_info": {"beat": {"path": {"config": "/etc/auditbeat", "data": "/var/lib/auditbeat", "home": "/usr/share/auditbeat", "logs": "/var/log/auditbeat"}, "type": "auditbeat", "uuid": "2e50be9a-9e4b-485b-9538-0d430fd41edb"}}}
2019-11-29T16:09:39.921-0500 INFO [beat] instance/beat.go:912 Build info {"system_info": {"build": {"commit": "15075156388b44390301f070960fd8aeac1c9712", "libbeat": "7.4.2", "time": "2019-10-28T19:43:11.000Z", "version": "7.4.2"}}}
2019-11-29T16:09:39.921-0500 INFO [beat] instance/beat.go:915 Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":40,"version":"go1.12.9"}}}
2019-11-29T16:09:39.923-0500 INFO [beat] instance/beat.go:919 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2016-09-28T12:20:09-04:00","containerized":false,"name":"serverhost.someserver.com","ip":["127.0.0.1/8","10.248.1.6/25","10.248.1.132/25"],"kernel_version":"2.6.32-431.el6.x86_64","mac":["fc:5b:39:2d:5a:76","fc:5b:39:2d:5a:77"],"os":{"family":"redhat","platform":"redhat","name":"Red","version":"6.5 (Santiago)","major":6,"minor":5,"patch":0,"codename":"Santiago"},"timezone":"EST","timezone_offset_sec":-18000,"id":"bdf26306c00c44ac223a2bd80000000d"}}}
2019-11-29T16:09:39.923-0500 INFO [beat] instance/beat.go:948 Process info {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40","41","42","43","44","45","46","47","48","49","50","51","52","53","54","55","56","57","58","59","60","61","62","63"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40","41","42","43","44","45","46","47","48","49","50","51","52","53","54","55","56","57","58","59","60","61","62","63"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40","41","42","43","44","45","46","47","48","49","50","51","52","53","54","55","56","57","58","59","60","61","62","63"],"ambient":null}, "cwd": 
"/var/log", "exe": "/usr/share/auditbeat/bin/auditbeat", "name": "auditbeat", "pid": 28895, "ppid": 27852, "seccomp": {"mode":""}, "start_time": "2019-11-29T16:09:36.050-0500"}}}
2019-11-29T16:09:39.923-0500 INFO instance/beat.go:292 Setup Beat: auditbeat; Version: 7.4.2
2019-11-29T16:09:39.923-0500 DEBUG [beat] instance/beat.go:318 Initializing output plugins
2019-11-29T16:09:39.923-0500 INFO [index-management] idxmgmt/std.go:178 Set output.elasticsearch.index to 'auditbeat-7.4.2' as ILM is enabled.
2019-11-29T16:09:39.924-0500 INFO elasticsearch/client.go:170 Elasticsearch url: http://localhost:9200
2019-11-29T16:09:39.924-0500 DEBUG [publisher] pipeline/consumer.go:137 start pipeline event consumer
2019-11-29T16:09:39.924-0500 INFO [publisher] pipeline/module.go:97 Beat name: serverhost.someserver.com
2019-11-29T16:09:39.924-0500 DEBUG [modules] beater/metricbeat.go:121 Available modules and metricsets: Register [ModuleFactory:[system], MetricSetFactory:[auditd/auditd, file_integrity/file, system/host, system/login, system/package, system/process, system/socket, system/user]]
2019-11-29T16:09:39.924-0500 INFO [auditd] auditd/audit_linux.go:106 auditd module is running as euid=0 on kernel=2.6.32-431.el6.x86_64
2019-11-29T16:09:39.924-0500 INFO [auditd] auditd/audit_linux.go:133 socket_type=unicast will be used.
2019-11-29T16:09:39.925-0500 DEBUG [file_integrity] file_integrity/metricset.go:97 Initialized the file event reader. Running as euid=0
2019-11-29T16:09:39.926-0500 WARN [cfgwarn] host/host.go:167 BETA: The system/host dataset is beta
2019-11-29T16:09:39.926-0500 DEBUG [system] host/host.go:450 No last host information found on disk.
2019-11-29T16:09:39.926-0500 WARN [cfgwarn] login/login.go:95 BETA: The system/login dataset is beta
2019-11-29T16:09:39.927-0500 DEBUG [login] login/utmp.go:539 Restored 0 UTMP file records from disk
2019-11-29T16:09:39.927-0500 DEBUG [login] login/utmp.go:571 Restored 0 open login sessions from disk
2019-11-29T16:09:39.927-0500 WARN [cfgwarn] package/package.go:170 BETA: The system/package dataset is beta
2019-11-29T16:09:39.927-0500 DEBUG [package] package/package.go:203 No state timestamp found
2019-11-29T16:09:39.927-0500 DEBUG [package] package/package.go:211 Restored 0 packages from disk
2019-11-29T16:09:39.927-0500 WARN [cfgwarn] process/process.go:131 BETA: The system/process dataset is beta
2019-11-29T16:09:39.927-0500 DEBUG [process] process/process.go:170 No state timestamp found
2019-11-29T16:09:39.927-0500 WARN [cfgwarn] socket/socket_linux.go:81 BETA: The system/socket dataset is beta.
2019-11-29T16:09:39.927-0500 INFO [socket] socket/socket_linux.go:197 Setting up system/socket for kernel 2.6.32-431.el6.x86_64
2019-11-29T16:09:39.928-0500 DEBUG [socket] socket/socket_linux.go:245 IPv6 supported: false
2019-11-29T16:09:39.928-0500 DEBUG [socket] socket/socket_linux.go:252 IPv6 enabled: false
2019-11-29T16:09:39.981-0500 DEBUG [socket] socket/socket_linux.go:305 Selected kernel function sys_newuname for SYS_UNAME
2019-11-29T16:09:39.981-0500 DEBUG [socket] socket/socket_linux.go:305 Selected kernel function ip_local_out for IP_LOCAL_OUT
2019-11-29T16:09:39.981-0500 DEBUG [socket] socket/socket_linux.go:305 Selected kernel function __skb_recv_datagram for RECV_UDP_DATAGRAM
2019-11-29T16:09:39.981-0500 DEBUG [socket] socket/socket_linux.go:305 Selected kernel function sys_execve for SYS_EXECVE
2019-11-29T16:09:39.981-0500 DEBUG [socket] socket/socket_linux.go:305 Selected kernel function sys_gettimeofday for SYS_GETTIMEOFDAY
2019-11-29T16:09:39.984-0500 INFO [socket] guess/guess.go:258 Running 16 guesses ...
2019-11-29T16:09:39.984-0500 DEBUG [socket] guess/guess.go:270 Guess guess_inet_sock_ipv6 skipped.
2019-11-29T16:09:39.991-0500 WARN [cfgwarn] user/user.go:205 BETA: The system/user dataset is beta
2019-11-29T16:09:39.992-0500 DEBUG [user] user/user.go:247 No state timestamp found
2019-11-29T16:09:39.992-0500 DEBUG [user] user/user.go:255 Restored 0 users from disk
2019-11-29T16:09:39.992-0500 INFO instance/beat.go:385 auditbeat stopped.
2019-11-29T16:09:39.992-0500 ERROR instance/beat.go:878 Exiting: 1 error: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_sk_buff_proto failed: failed to monitor probe: PERF_EVENT_IOC_ID: inappropriate ioctl for device
Exiting: 1 error: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_sk_buff_proto failed: failed to monitor probe: PERF_EVENT_IOC_ID: inappropriate ioctl for device


Newer versions of CentOS 6 work, but not 6.5. See https://www.elastic.co/guide/en/beats/auditbeat/7.x/auditbeat-dataset-system-socket.html#_requirements.
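As an added example (not part of the post above, the reply, or auditbeat itself), a POSIX shell check for the condition the reply points at. It compares a kernel release string against an assumed minimum of 3.10 for the system/socket dataset (the requirement as documented on the linked page; confirm the number there) and prints the `system` module dataset list with `socket` dropped when the kernel is too old, which is the config change that should let the remaining datasets start. The PERF_EVENT_IOC_ID ioctl named in the error was added to mainline Linux in 3.12 and is absent from the RHEL 6 2.6.32 kernel, so the probe setup gets ENOTTY ("inappropriate ioctl for device"). The function names and the `MIN_SOCKET_KERNEL` value are this example's own.

```shell
#!/bin/sh
# Added example, not auditbeat's own code: decide whether a host's kernel
# can run the auditbeat system/socket dataset, and emit the system-module
# dataset list to use if it cannot.

# Assumed minimum kernel for system/socket (taken from the documented
# requirements on the linked page; confirm it there). RHEL/CentOS 6's
# 2.6.32 kernel predates it.
MIN_SOCKET_KERNEL="3.10"

# Returns 0 when kernel release $1 (as printed by `uname -r`, e.g.
# "2.6.32-431.el6.x86_64") is at least version $2 (e.g. "3.10").
# Only the leading dotted numeric part is compared; distro suffixes
# such as "-431.el6.x86_64" are ignored.
kernel_version_ge() {
    have=$(printf '%s\n' "$1" | sed 's/[^0-9.].*$//')
    want=$(printf '%s\n' "$2" | sed 's/[^0-9.].*$//')
    oldifs=$IFS
    IFS=.
    set -- $have 0 0 0        # pad so that "3.10" compares as 3.10.0
    h1=$1; h2=$2; h3=$3
    set -- $want 0 0 0
    w1=$1; w2=$2; w3=$3
    IFS=$oldifs
    if [ "$h1" -gt "$w1" ]; then return 0; fi
    if [ "$h1" -lt "$w1" ]; then return 1; fi
    if [ "$h2" -gt "$w2" ]; then return 0; fi
    if [ "$h2" -lt "$w2" ]; then return 1; fi
    if [ "$h3" -ge "$w3" ]; then return 0; fi
    return 1
}

# Returns 0 when kernel release $1 meets the assumed system/socket minimum.
socket_dataset_supported() {
    kernel_version_ge "$1" "$MIN_SOCKET_KERNEL"
}

# Prints the `system` module datasets to enable for kernel release $1:
# the full 7.x list, or the same list without socket on an older kernel.
system_datasets_for_kernel() {
    if socket_dataset_supported "$1"; then
        echo "host login package process socket user"
    else
        echo "host login package process user"
    fi
}

# Prints an auditbeat.yml `system` module stanza for kernel release $1.
print_system_module_config() {
    echo "- module: system"
    echo "  datasets:"
    for ds in $(system_datasets_for_kernel "$1"); do
        echo "    - $ds"
    done
}

# Check the running host and show the stanza to use if socket must go.
release=$(uname -r)
if socket_dataset_supported "$release"; then
    echo "kernel $release: system/socket dataset supported"
else
    echo "kernel $release: system/socket dataset NOT supported (need >= $MIN_SOCKET_KERNEL); use:"
    print_system_module_config "$release"
fi
```

Run it on the affected host to get the trimmed `system` module stanza; on the 2.6.32-431.el6 kernel from the post it drops `socket` and keeps host, login, package, process and user, which are the datasets that initialised cleanly in the debug log.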