Can't start auditbeat

adrisr · November 17, 2020, 10:02am

Back to the original issue, the problem you're experiencing is that the file_integrity module requires inotify support in the kernel, which yours doesn't have. While the documentation states that inotify is present in kernels 2.6.13 and up, turns out newer versions of the fsnotify library require at least 2.6.27 due to the use of inotify_init1 syscall.

As you're only interested in the Login Events dashboards, I suggest you disable the file_integrity module by adding an enabled: false key to its configuration:

- module: file_integrity
  enabled: false

headtea · November 17, 2020, 10:08am

YES! Thank you so much!

It now complains about af_packet. Can that be disabled too?

{"level":"error","timestamp":"2020-11-17T10:07:15.088Z","caller":"instance/beat.go:951","message":"Exiting: 1 error: unable to create DNS sniffer: failed creating af_packet sniffer: no known tpacket versions work on this machine"}
Exiting: 1 error: unable to create DNS sniffer: failed creating af_packet sniffer: no known tpacket versions work on this machine

adrisr · November 17, 2020, 10:13am

This is an error from - socket under system module. This one will also not work on such an old kernel.

My suggestion is that you disable everything except - login:

- module: system
  datasets:
    - login
  state.period: 30s

All the other modules must be removed.

headtea · November 17, 2020, 10:17am

Yes!!!! Thank you SO MUCH!!!

I can not express how much sweat tears and time went over this. I can't thank you enough.

headtea · November 22, 2020, 10:18am

Just last thing I wanted to ask.

On those CentOS 5 machines, The beats currently only work with auditbeat -e or filebeat -e. If I start it as a service (service filebeat start) I get:

FATAL: kernel too old
/bin/bash: line 1: 27770 Segmentation fault      /usr/share/filebeat/bin/filebeat-god -r / -n -p /var/run/filebeat.pid -- /usr/share/filebeat/bin/filebeat -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /var/log/filebeat

Is it at all possible to have it working as a service? If not it's absolutely fine, not a biggie. Just a little nitpicking.

system · December 20, 2020, 12:18pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.