Can't start auditbeat

I have installed auditbeat (latest version).

This is my config file (I hid the output.logstash/kibana part as it's irrelevant and has sensitive data. Also, it doesn't even have audit rules - it didn't work before so I removed it)

When I start auditbeat, this is what I get:

{"level":"error","timestamp":"2020-11-11T16:17:28.970Z","caller":"instance/beat.go:951","message":"Exiting: 1 error: failed to initialize file event reader: function not implemented"}
Exiting: 1 error: failed to initialize file event reader: function not implemented

Does anyone happen to know why it's happening?

Thanks ahead.

What do you get when you run auditbeat test config and auditbeat test output?


Thanks for the response.

I get:

[root@server-150 elk]# auditbeat test config
Exiting: 1 error: failed to initialize file event reader: function not implemented

[root@server-150 elk]# auditbeat test output
logstash: *ip*:5044...
  connection...
    parse host... OK
    dns lookup... OK
    addresses: *ip*
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK

Do you get an error when you revert back to the default yml?

Nothing is jumping out to me so I would try to go back to default and run auditbeat test config then make adjustments to your yml until you hit an error.

I had the same error with the default file, I thought maybe if I would put the one I usually use on other servers it would be solved.

When you say current version is that 7.10? I downloaded and looked at the default for that. Update the ES output and give that a shot.

auditbeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.period: 10s
  reload.enabled: false

auditbeat.max_start_delay: 10s

auditbeat.modules:
- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /usr/local/bin
  - /sbin
  - /usr/sbin
  - /usr/local/sbin

  exclude_files:
  - '\.DS_Store$'
  - '\.swp$'
  scan_at_start: true
  scan_rate_per_sec: 50 MiB
  max_file_size: 100 MiB
  hash_types: [sha1]
  recursive: false

- module: system
  datasets:
    - package 

  period: 2m 

- module: system
  datasets:
    - host    
    - process 
  state.period: 12h
  process.hash.scan_rate_per_sec: 50 MiB
  process.hash.max_file_size: 100 MiB
  process.hash.hash_types: [sha1]

output.elasticsearch:
  hosts: ["localhost:9200"]

setup.template.settings:

setup.kibana:

logging.to_files: true
logging.files:

Sorry, my bad then. It's 7.9.3

[root@server-150 ~] #auditbeat version
auditbeat version 7.9.3 (386), libbeat 7.9.3 [7aab6a9659749802201db8020c4f04b74cec2169 built 2020-10-16 09:11:37 +0000 UTC]

does it still apply? Should I still change anything in the config?

Yes. Try to change it.

My ES output is commented out completely though, I only defined output to logstash.

That's just the default config. Remove es output and put your logstash info.

But running auditbeat test config with an OK result is what you need to get to first. Your current config is not passing so we need to figure out which part is breaking it.

Thanks for the response,

I pasted in the config you provided and got the same response :confused:

I'm not sure what's going on then. Maybe the easiest way is to remove this installation and try a fresh one.

I reinstalled and got the same error (with default).

Maybe this can provide more info? I don't get an OK on config test with the default configuration.

2020-11-11T18:18:08.057Z        INFO    instance/beat.go:299    Setup Beat: auditbeat; Version: 7.9.3
2020-11-11T18:18:08.057Z        INFO    [index-management]      idxmgmt/std.go:184      Set output.elasticsearch.index to 'auditbeat-7.9.3' as ILM is enabled.
2020-11-11T18:18:08.057Z        INFO    eslegclient/connection.go:99    elasticsearch url: http://localhost:9200
2020-11-11T18:18:08.058Z        INFO    [publisher]     pipeline/module.go:113  Beat name: RATE-PS-16_75
2020-11-11T18:18:08.058Z        INFO    [auditd]        auditd/audit_linux.go:106       auditd module is running as euid=0 on kernel=2.6.18-164.el5
2020-11-11T18:18:08.058Z        INFO    [auditd]        auditd/audit_linux.go:133       socket_type=unicast will be used.
2020-11-11T18:18:08.058Z        INFO    instance/beat.go:419    auditbeat stopped.
2020-11-11T18:18:08.061Z        ERROR   instance/beat.go:951    Exiting: 1 error: failed to initialize file event reader: function not implemented
Exiting: 1 error: failed to initialize file event reader: function not implemented

Just an FYI, based off of

2020-11-11T18:18:08.058Z INFO [auditd] auditd/audit_linux.go:106 auditd module is running as euid=0 on kernel=2.6.18-164.el5

It looks like you're running this on CentOS 5.4. It doesn't look like Auditbeat is tested against CentOS 5.4.


@BenB196 I'd agree with this and unfortunately I am not able to easily test against that version.

@headtea If you are able to test on a newer OS I would start there. If you aren't able to upgrade then you can try to install Filebeats and use the Auditd module. As long as auditd is creating the logs you want in /var/log/audit/ then it should pick them up.

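As an added preflight check (not code from the thread or from the Beats project): "function not implemented" is the text of the ENOSYS errno, and the assumption made here is that Auditbeat's file_integrity reader needs inotify_init1(), a syscall that entered Linux in 2.6.27, so a 2.6.18 kernel fails before any rule is loaded. The script compares the running kernel against that minimum and checks that auditd is actually writing /var/log/audit/audit.log, which is the precondition for the Filebeat auditd module fallback suggested above.

```shell
#!/bin/sh
# Added example, not from the thread. Assumption: the file_integrity module's
# "function not implemented" (ENOSYS) comes from inotify_init1(), first
# available in Linux 2.6.27; RHEL/CentOS 5 ships 2.6.18 and cannot satisfy it.
MIN_KERNEL="2.6.27"          # minimum for inotify_init1 (assumption above)
AUDIT_LOG_DIR="/var/log/audit" # where the Filebeat auditd module reads from

# kernel_at_least VERSION MIN -> returns 0 when VERSION >= MIN.
# Compares major.minor.patch numerically; the "-164.el5" suffix is dropped.
kernel_at_least() {
    have=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    want=$2
    i=1
    while [ "$i" -le 3 ]; do
        h=$(printf '%s' "$have" | cut -d. -f"$i"); h=${h:-0}
        w=$(printf '%s' "$want" | cut -d. -f"$i"); w=${w:-0}
        [ "$h" -gt "$w" ] && return 0
        [ "$h" -lt "$w" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# audit_log_present DIR -> returns 0 when auditd has written a non-empty log.
audit_log_present() {
    [ -s "$1/audit.log" ]
}

main() {
    running=$(uname -r)
    if kernel_at_least "$running" "$MIN_KERNEL"; then
        echo "kernel $running: inotify_init1 available, file_integrity can start"
    else
        echo "kernel $running is older than $MIN_KERNEL: expect 'function not implemented'"
        echo "fallback: ship $AUDIT_LOG_DIR with the Filebeat auditd module"
    fi
    if audit_log_present "$AUDIT_LOG_DIR"; then
        echo "$AUDIT_LOG_DIR/audit.log is non-empty: Filebeat auditd module can read it"
    else
        echo "no audit.log under $AUDIT_LOG_DIR: check that auditd is running and has rules"
    fi
}

main "$@"
```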

Thanks for the response. Filebeat is indeed working on that CentOS 5 machine.

To be honest, the only thing I use auditbeat for is one of its default "Login events" dashboards.

Is there a way I could ship the same information with filebeat so it would end in this exact dashboard?

If your auditd is set up to capture that you can use Filebeat with the Auditd module. Here are the fields it can give you.


Thank you so much for this!

Do you happen to know what auditd needs to be set up with to capture this? And how to have it end up on that dashboard? It seems like this module would create a separate one.

I do not know the correct auditd rules to set for that OS version, sorry. You might be capturing already and can check the /var/log/audit/* folder to see.

The dashboard is a new one but you can pick the individual visualization that you want and add it to an existing dashboard.