Failure with package dataset

I recently upgraded to auditbeat version 6.7.0 on our fleet of Linux servers to test functionality of the newly added system datasets. Every other dataset works pretty well except for package.

I get an error for failures to get RPM packages.

2019-04-01T11:48:57.035-0400    ERROR   [package]       package/package.go:267  failed to get packages: error getting RPM packages: unable to open a handle to the library

Auditbeat Version:
auditbeat version 6.7.0 (amd64), libbeat 6.7.0 [14ca49c28a6e10b84b4ea8cdebdc46bd2eab3130 built 2019-03-21 14:53:01 +0000 UTC]

Auditbeat.yml snippet:

  - module: system
    datasets:
      - host
      - user
      - login
      - package
    period: 1m
    user.detect_password_changes: true
    state.period: 24h
    login.wtmp_file_pattern: /var/log/wtmp*
    login.btmp_file_pattern: /var/log/btmp*

Server Distro:
CentOS 7
Linux hostname 3.10.0-957.1.3.el7.x86_64 #1 SMP Thu Nov 29 14:49:43 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Any ideas on how I can troubleshoot this would be appreciated.

Thanks,

Hi @olatunde.tokun, thanks for trying it out, and sorry you hit this bug.

The package dataset is currently relying on a Librpm library being present at /usr/lib64/librpm.so - which it only is if the rpm-devel package is installed. So to make it work you could install this package, or you could also create a symlink from the library version that you have (probably /usr/lib64/librpm.so.3 though it could be a different number).

A fix is already in the works.
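
An added example, not part of the original posts and not Auditbeat's own code: shell functions that check for the unversioned `/usr/lib64/librpm.so` the reply describes and print the symlink workaround when only a versioned library is present. The function names and the rule for picking the `librpm.so.N` file are assumptions.

```shell
#!/bin/sh
# Added example: diagnose the missing unversioned librpm.so described above.
# Function names are hypothetical; /usr/lib64 is the path given in the reply.

# Print the highest librpm.so.N (soname form, e.g. librpm.so.3) in a directory.
find_soname_librpm() {
    libdir=$1
    best=""
    best_n=-1
    for f in "$libdir"/librpm.so.*; do
        [ -e "$f" ] || continue        # unmatched glob or dangling symlink
        n=${f##*/librpm.so.}           # version suffix: "3" or "3.2.2"
        case $n in
            ''|*[!0-9]*) continue ;;   # skip full versions such as 3.2.2
        esac
        if [ "$n" -gt "$best_n" ]; then
            best=$f
            best_n=$n
        fi
    done
    if [ -n "$best" ]; then printf '%s\n' "$best"; fi
}

# Returns 0 if librpm.so resolves, 1 if a symlink would fix it,
# 2 if no librpm.so.N is present in the directory at all.
check_librpm() {
    libdir=${1:-/usr/lib64}
    if [ -e "$libdir/librpm.so" ]; then    # -e follows symlinks
        echo "OK: $libdir/librpm.so exists"
        return 0
    fi
    target=$(find_soname_librpm "$libdir")
    if [ -n "$target" ]; then
        echo "MISSING: $libdir/librpm.so (found $target)"
        echo "Workaround: install rpm-devel, or as root run:"
        echo "  ln -s $target $libdir/librpm.so"
        return 1
    fi
    echo "MISSING: no librpm.so.N in $libdir"
    return 2
}

# Run the check only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--check" ]; then
    check_librpm "${2:-/usr/lib64}"
fi
```

Run it as `sh check_librpm.sh --check /usr/lib64` on an affected host; exit status 1 means the library is installed but the unversioned name Auditbeat opens is absent.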
