Failed to hash executable /usr/sbin/agetty

StefanDE · April 16, 2020, 8:55am

On RHEL when starting auditbeat I get this errormessage via journalctl -u auditbeat:

WARN        [process]        process/process.go:234        failed to hash executable /usr/sbin/agetty;5e46b406 (deleted) for PID 1140: failed to stat file /usr/sbin/agetty;5e46b406 (deleted): stat /usr/sbin/agetty;5e46b406 (deleted): no such file or directory

Result is that SIEM module does not detect when I e.g. use "whoami" in bash.

cat /usr/sbin/agetty gives me letters...so it exists.
*edit: but...

ps -ef|grep tty
root 1140 1 0 2019 tty1 00:00:00 /sbin/agetty --noclear tty1 linux

so do I need to change some config from /usr/sbin/agetty to /sbin/agetty ?

I don't find "agetty" in auditbeat.yml. Where would I change this?

StefanDE · April 20, 2020, 7:51am

in the meantime I've learned, that the warning "failed to hash executable /usr/sbin/agetty" is not the source of my problem.

I had to remove the comment before some of the lines in auditbeat.yml in the - "module: auditd" section.

Never thought about that as on Windows the whoami-alert was running from the start.

system · May 11, 2020, 7:51am

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Failed to hash executable Beats auditbeat	1	564	October 28, 2020
Audit beat warning Beats metricbeat	4	565	March 29, 2021
/usr/share/metricbeat/bin/metricbeat exceeds max file size Beats auditbeat	2	2027	October 22, 2019
Auditbeat randomly shuts down Beats auditbeat	24	1864	November 4, 2022
Multiple "-module: auditd" stanzas in config file lead to problems Beats auditbeat	1	306	September 18, 2021

Failed to hash executable /usr/sbin/agetty

Related topics