Exiting: data path already locked by another beat. Please make sure that multiple beats are not sharing the same data path (path.data)

hello everyone ,
i am new to ELK , was trying to setup ELK with Auditbeat to monitor linux auditd logs, but it seems to break. kibana is not showing desired output and when attempted to check i got this log . appreciate some kind help on this. thank you.

2022-09-02T19:12:26.282+0800    INFO    instance/beat.go:647    Home path: [/usr/share/auditbeat] Config path: [/etc/auditbeat] Data path: [/var/lib/auditbeat] Logs path: [/var/log/auditbeat]
2022-09-02T19:12:26.282+0800    INFO    instance/beat.go:655    Beat ID: 67d2e935-04cf-4a59-927b-89963769fc13
2022-09-02T19:12:26.310+0800    INFO    instance/beat.go:404    auditbeat stopped.
2022-09-02T19:12:26.310+0800    ERROR   instance/beat.go:958    Exiting: data path already locked by another beat. Please make sure that multiple beats are not sharing the same data path (path.data).
Exiting: data path already locked by another beat. Please make sure that multiple beats are not sharing the same data path (path.data).

Try this: elasticsearch - Filebeat : data path already locked by another beat. Please make sure that multiple beats are not sharing the same data path - Stack Overflow

1 Like

Thanks !

similar solution ..solved it as below

[root@lxansidev02 auditbeat]# rm -rf /var/lib/auditbeat/auditbeat.lock
[root@lxansidev02 auditbeat]# auditbeat -e
2022-09-06T15:08:56.042+0800    INFO    instance/beat.go:647    Home path: [/usr/share/auditbeat] Config path: [/etc/auditbeat] Data path: [/var/lib/auditbeat] Logs path: [/var/log/auditbeat]
2022-09-06T15:08:56.042+0800    INFO    instance/beat.go:655    Beat ID: 58ed8ad7-38c3-4763-894e-1338febe6621
2022-09-06T15:08:56.065+0800    INFO    [seccomp]       seccomp/seccomp.go:124  Syscall filter successfully installed
2022-09-06T15:08:56.065+0800    INFO    [beat]  instance/beat.go:983    Beat info       {"system_info": {"beat": {"path": {"config": "/etc/auditbeat", "data": "/var/lib/auditbeat", "home": "/usr/share/auditbeat", "logs": "/var/log/auditbeat"}, "type": "auditbeat", "uuid": "58ed8ad7-38c3-4763-894e-1338febe6621"}}}
2022-09-06T15:08:56.065+0800    INFO    [beat]  instance/beat.go:992    Build info      {"system_info": {"build": {"commit": "94f7632be5d56a7928595da79f4b829ffe123744", "libbeat": "7.8.1", "time": "2020-07-21T15:07:37.000Z", "version": "7.8.1"}}}
2022-09-06T15:08:56.065+0800    INFO    [beat]  instance/beat.go:995    Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":2,"version":"go1.13.10"}}}
2022-09-06T15:08:56.067+0800    INFO    [beat]  instance/beat.go:999    Host info       {"system_info": {"host": {"architecture":"x86_64","boot_time":"2022-09-02T10:45:15+08:00","containerized":false,"name":"lxansidev02","ip":["127.0.0.1/8","::1/128","172.16.204.104/24","172.18.0.1/16","fe80::42:f1ff:fe03:2a27/64","172.17.0.1/16","fe80::c5c:68ff:fe1a:8be4/64","fe80::9435:a5ff:fe20:b417/64"],"kernel_version":"4.18.0-372.19.1.el8_6.x86_64","mac":["00:50:56:9c:4c:f9","02:42:f1:03:2a:27","02:42:af:46:54:76","0e:5c:68:1a:8b:e4","96:35:a5:20:b4:17"],"os":{"family":"redhat","platform":"rhel","name":"Red Hat Enterprise Linux","version":"8.6 (Ootpa)","major":8,"minor":6,"patch":0,"codename":"Ootpa"},"timezone":"+08","timezone_offset_sec":28800,"id":"e5c152233e7c44628e7c0d53d3541a83"}}}
2022-09-06T15:08:56.067+0800    INFO    [beat]  instance/beat.go:1028   Process info    {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"ambient":null}, "cwd": "/var/log/auditbeat", "exe": "/usr/share/auditbeat/bin/auditbeat", "name": "auditbeat", "pid": 1325663, "ppid": 1324327, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2022-09-06T15:08:55.500+0800"}}}
2022-09-06T15:08:56.067+0800    INFO    instance/beat.go:310    Setup Beat: auditbeat; Version: 7.8.1
2022-09-06T15:08:56.068+0800    INFO    [index-management]      idxmgmt/std.go:184      Set output.elasticsearch.index to 'auditbeat-7.8.1' as ILM is enabled.
2022-09-06T15:08:56.068+0800    INFO    eslegclient/connection.go:99    elasticsearch url: http://localhost:9200
2022-09-06T15:08:56.068+0800    INFO    [publisher]     pipeline/module.go:113  Beat name: lxansidev02
2022-09-06T15:08:56.069+0800    INFO    [auditd]        auditd/audit_linux.go:106       auditd module is running as euid=0 on kernel=4.18.0-372.19.1.el8_6.x86_64
2022-09-06T15:08:56.120+0800    INFO    [auditd]        auditd/audit_linux.go:133       socket_type=unicast will be used.
2022-09-06T15:08:56.124+0800    WARN    [cfgwarn]       package/package.go:201  BETA: The system/package dataset is beta
2022-09-06T15:08:59.046+0800    INFO    [add_cloud_metadata]    add_cloud_metadata/add_cloud_metadata.go:89     add_cloud_metadata: hosting provider type not detected.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.