Finding computer in hosts

I got a computer hooked up to auditbeat, but am unable to find it in the hosts. So, I have two questions.
1.) Is there any setting that might prevent it from showing up?
2.) Is there any way for me to confirm whether or not it's connected?
It's connected to an Ubuntu 20.04 laptop.

I would go to that host and look at the auditbeat logs. Perhaps it did not start correctly or cannot connect to the Elasticsearch cluster. In the auditbeat logs you will be able to see whether it can connect or not. Another easy way to test is to just run auditbeat in the foreground.

sudo auditbeat -e

And observe the output.

This was definitely helpful, and I think I've found the issue, but I'm unsure what I need to do to fix it. After running sudo auditbeat -e, it gives me this:
Exiting: data path already locked by another beat. Please make sure that multiple beats are not sharing the same data path (path.data)
I previously had this device connected to a different auditbeat account, so I guess it's still associating itself with the old account. I've tried uninstalling auditbeat and removing all association to the old account, but it's still not working. Any advice?

That is because auditbeat is already running. You will need to stop the auditbeat that is running as a service; 2 auditbeats cannot be running at the same time.

Did you do a ps -efl | grep auditbeat and see if it is already running?

If you uninstalled it, I suspect there is still some data left ... I would read this and look at the directory layout and make sure everything is cleaned up. Then reinstall ...
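
An added example, not part of the original thread: a small check for the "data path already locked by another beat" case that lists auditbeat processes by executable name, so the grep process itself is never counted. It assumes a package install whose systemd unit is named auditbeat; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumption: auditbeat was installed from the deb/rpm package and its
# systemd unit is called "auditbeat".

# Read a `ps -eo pid=,args=` listing on stdin and print the PID of every
# process whose executable is auditbeat. Only the basename of the first
# argument is compared, so "grep auditbeat" and the "sudo" wrapper in
# "sudo auditbeat -e" are not reported.
auditbeat_pids() {
    awk '{ n = split($2, part, "/"); if (part[n] == "auditbeat") print $1 }'
}

# Decide whether a foreground `sudo auditbeat -e` would collide with an
# instance that already holds the path.data lock.
triage() {
    pids=$(ps -eo pid=,args= | auditbeat_pids | tr '\n' ' ')
    if [ -z "$pids" ]; then
        echo "No auditbeat process found; a foreground run should not hit the lock."
        return 0
    fi
    echo "auditbeat already running, PID(s): $pids"
    if command -v systemctl >/dev/null 2>&1 &&
       systemctl is-active --quiet auditbeat; then
        echo "The service holds the lock. Stop it first: sudo systemctl stop auditbeat"
    else
        echo "Service is not active: this is a leftover manual run; stop those PIDs."
    fi
    return 1
}
```

Source the file and call triage on the affected host before starting auditbeat in the foreground.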

So, I tried this, and I didn't have any luck. In the end, I ended up wiping the slate clean, and doing a fresh install of Ubuntu 20.04 on the computer. I thought this would work, but unfortunately, I ended up in the same place, with the same issue.

It still says locked by another user or it cannot connect? I am not clear.

What do the auditbeat logs indicate on startup... if you post them we may be able to help.

How did you start auditbeat with systemctl? What does the status say?

Can you curl the elasticsearch host?

curl -u username:password https://elasticsearchhostorip:9200
