Hi!
I'm new at this and trying to get Auditbeat running on my Synology NAS (DS918+, x86_64) but there are errors when I try to start it (with ./auditbeat -e).
Can anyone tell me if there is something I can do to fix it, or if it just won't work with the current kernel (?).
Thanks!
Hi @rowe,
could you please check if you have these directories are present: "/sys/kernel/tracing" and "/sys/kernel/debug"?
Hi @mtojek, thank you for replying.
I have the /sys/kernel/debug directory, but not the tracing directory.
root@DS918:/sys/kernel/debug# ls
acpi bdi btrfs clk dma_buf dri extfrag fault_around_bytes gpio hid intel_lpss kvm mce pinctrl pm_qos ras regmap sched_features sleep_time sunrpc suspend_s
Permissions: drwx------ 20 root root 0 Mar 1 10:37 debug
Any ideas?
This happens to me aswell on all my servers
I can refer you to this guide I found: https://lwn.net/Articles/365835/
Could you please verify that your kernel supports ftrace? I think it's a system issue not a beat one.
My kernel is 3.13.0-170-generic and supports ftrace yes
Still, missing "tracing" part doesn't sound like a problem with beats. Please verify if ftrace is properly configured.
[root@server tracing]# wc -l trace
127014 trace
[root@server tracing]# cat current_tracer
nop
[root@server tracing]# cat tracing_on
1The issue described by @rowe included missing "tracing" mount. Are you talking about the same issue?
Oh, haven't seen in detail the complete error message he was getting, I thought I had the same issue because of the same error message regarding system/socket dataset setup failed.
2020-03-11T14:54:15.069+0100 INFO instance/beat.go:298 Setup Beat: auditbeat; Version: 7.6.1
2020-03-11T14:54:15.069+0100 INFO [publisher] pipeline/module.go:110 Beat name: server
2020-03-11T14:54:15.070+0100 INFO [auditd] auditd/audit_linux.go:106 auditd module is running as euid=0 on kernel=3.13.0-170-generic
2020-03-11T14:54:15.070+0100 INFO [auditd] auditd/audit_linux.go:133 socket_type=unicast will be used.
2020-03-11T14:54:15.071+0100 WARN [cfgwarn] host/host.go:167 BETA: The system/host dataset is beta
2020-03-11T14:54:15.073+0100 WARN [cfgwarn] login/login.go:95 BETA: The system/login dataset is beta
2020-03-11T14:54:15.074+0100 WARN [cfgwarn] package/package.go:170 BETA: The system/package dataset is beta
2020-03-11T14:54:15.079+0100 WARN [cfgwarn] user/user.go:205 BETA: The system/user dataset is beta
2020-03-11T14:54:15.081+0100 WARN [cfgwarn] process/process.go:131 BETA: The system/process dataset is beta
2020-03-11T14:54:15.082+0100 WARN [cfgwarn] socket/socket_linux.go:87 BETA: The system/socket dataset is beta.
2020-03-11T14:54:15.105+0100 INFO [socket] socket/socket_linux.go:223 Setting up system/socket for kernel 3.13.0-170-generic
2020-03-11T14:54:15.169+0100 INFO [socket] guess/guess.go:258 Running 17 guesses ...
2020-03-11T14:54:18.065+0100 INFO add_cloud_metadata/add_cloud_metadata.go:89 add_cloud_metadata: hosting provider type not detected.
2020-03-11T14:54:30.249+0100 INFO instance/beat.go:412 auditbeat stopped.
2020-03-11T14:54:30.251+0100 ERROR instance/beat.go:933 Exiting: 1 error: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_inet_sock failed: timeout while waiting for event
My issue is more related to the guesser then :
ERROR instance/beat.go:933 Exiting: 1 error: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_inet_sock failed: timeout while waiting for event
@jdelvecchio can you run in debug mode and share the logs?
This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.