Failed to hash executable /usr/sbin/agetty

Elastic Stack Beats
1

On RHEL when starting auditbeat I get this errormessage via journalctl -u auditbeat:

WARN        [process]        process/process.go:234        failed to hash executable /usr/sbin/agetty;5e46b406 (deleted) for PID 1140: failed to stat file /usr/sbin/agetty;5e46b406 (deleted): stat /usr/sbin/agetty;5e46b406 (deleted): no such file or directory

Result is that SIEM module does not detect when I e.g. use "whoami" in bash.

cat /usr/sbin/agetty gives me letters...so it exists.
*edit: but...

ps -ef|grep tty
root 1140 1 0 2019 tty1 00:00:00 /sbin/agetty --noclear tty1 linux

so do I need to change some config from /usr/sbin/agetty to /sbin/agetty ?

I don't find "agetty" in auditbeat.yml. Where would I change this?

2

in the meantime I've learned, that the warning "failed to hash executable /usr/sbin/agetty" is not the source of my problem.

I had to remove the comment before some of the lines in auditbeat.yml in the - "module: auditd" section.

Never thought about that as on Windows the whoami-alert was running from the start.

3

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.