I am unable to Start Auditbeat service

Hi Team,
I am unable to install Auditbeat on my Linux version.
I am getting this error:

Exiting: 2 errors: 1 error: failed to create audit client: failed to get audit status: operation not permitted; 1 error: unable to create DNS sniffer: failed creating af_packet sniffer: operation not permitted

Is there anyone who has a solution for this?

Welcome to our community! :smiley:

What OS are you on? What version of the beat? How did you install it, and how did you start it?
Can you post the full command you are running and the response?

Hi warkolm, thanks for the quick reply.
I am on Linux OS, installing auditbeat version 7.6.2 and starting it through a Python script,
and I am able to install the remaining beats (metricbeat, heartbeat and filebeat). But when I try to run it I get this error.

Please see my request above.

2020-12-07T14:22:09.088+0530	INFO	[auditd]	auditd/audit_linux.go:106	auditd module is running as euid=1000 on kernel=5.4.0-54-generic
2020-12-07T14:22:09.090+0530	WARN	[cfgwarn]	host/host.go:167	BETA: The system/host dataset is beta
2020-12-07T14:22:09.181+0530	WARN	[cfgwarn]	login/login.go:95	BETA: The system/login dataset is beta
2020-12-07T14:22:09.206+0530	WARN	[cfgwarn]	package/package.go:170	BETA: The system/package dataset is beta
2020-12-07T14:22:09.232+0530	WARN	[cfgwarn]	process/process.go:131	BETA: The system/process dataset is beta
2020-12-07T14:22:09.257+0530	WARN	[process]	process/process.go:174	Running as non-root user, will likely not report all processes.
2020-12-07T14:22:09.258+0530	WARN	[cfgwarn]	socket/socket_linux.go:87	BETA: The system/socket dataset is beta.
2020-12-07T14:22:09.258+0530	WARN	[cfgwarn]	user/user.go:205	BETA: The system/user dataset is beta
2020-12-07T14:22:09.283+0530	INFO	instance/beat.go:412	auditbeat stopped.
2020-12-07T14:22:09.309+0530	ERROR	instance/beat.go:933	Exiting: 2 errors: 1 error: failed to create audit client: failed to get audit status: operation not permitted; 1 error: unable to create DNS sniffer: failed creating af_packet sniffer: operation not permitted
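The log above is the useful part of this post: the auditd module reports `euid=1000` and the process module warns that it is running as a non-root user, while both failures are "operation not permitted". Opening the audit netlink socket needs CAP_AUDIT_CONTROL (and CAP_AUDIT_READ for the multicast socket), and the af_packet socket behind the DNS sniffer needs CAP_NET_RAW; a process started as an ordinary user has none of them. The following added diagnostic (my own example, not Elastic's code) pulls the euid out of auditbeat's startup line and checks a process's effective capability mask from `/proc/<pid>/status` against those three bits. The capability numbers come from the kernel's `capability.h`; the sample log lines are copied from the post, and the CapEff values in `__main__` are constructed for illustration.

```python
import re

# Capability bit numbers from include/uapi/linux/capability.h
CAP_NET_RAW = 13        # af_packet socket used by the DNS sniffer
CAP_AUDIT_CONTROL = 30  # query/change audit status over the audit netlink socket
CAP_AUDIT_READ = 37     # read audit events via the multicast socket (kernel >= 3.16)

REQUIRED = {
    "CAP_NET_RAW": CAP_NET_RAW,
    "CAP_AUDIT_CONTROL": CAP_AUDIT_CONTROL,
    "CAP_AUDIT_READ": CAP_AUDIT_READ,
}

EUID_RE = re.compile(r"running as euid=(\d+)")

# Lines copied from the auditbeat log quoted in the thread.
SAMPLE_LOG = [
    "2020-12-07T14:22:09.088+0530\tINFO\t[auditd]\tauditd/audit_linux.go:106\t"
    "auditd module is running as euid=1000 on kernel=5.4.0-54-generic",
    "2020-12-07T14:22:09.257+0530\tWARN\t[process]\tprocess/process.go:174\t"
    "Running as non-root user, will likely not report all processes.",
]


def euid_from_log(lines):
    """Return the euid reported by the auditd module's startup line, or None if absent."""
    for line in lines:
        m = EUID_RE.search(line)
        if m:
            return int(m.group(1))
    return None


def missing_caps(cap_eff_hex, required=REQUIRED):
    """Given a CapEff value (hex string as printed in /proc/<pid>/status),
    return the names of the required capabilities that are not set."""
    mask = int(cap_eff_hex, 16)
    return sorted(name for name, bit in required.items() if not (mask >> bit) & 1)


def cap_eff_of_pid(pid="self"):
    """Read the CapEff line of a live process (Linux only)."""
    with open("/proc/{0}/status".format(pid)) as f:
        for line in f:
            if line.startswith("CapEff:"):
                return line.split()[1]
    raise RuntimeError("CapEff not found in /proc/{0}/status".format(pid))


def diagnose(log_lines, cap_eff_hex):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    euid = euid_from_log(log_lines)
    if euid is not None and euid != 0:
        findings.append("auditbeat started with euid={0}, not root".format(euid))
    for name in missing_caps(cap_eff_hex):
        findings.append("effective capability set lacks {0}".format(name))
    return findings


if __name__ == "__main__":
    # Constructed CapEff values: an unprivileged user, and a process holding exactly the three bits.
    for label, cap_eff in (("unprivileged", "0000000000000000"),
                           ("audit+net_raw only", "0000002040002000")):
        print(label, diagnose(SAMPLE_LOG, cap_eff) or ["looks fine"])
    # On a Linux host you can check the running beat itself, e.g. diagnose([], cap_eff_of_pid(<pid>)).
```

Running it against the thread's own log yields a euid finding plus three missing capabilities for the unprivileged mask, which matches the two "operation not permitted" errors; a mask carrying only those three bits produces no findings, which is the state a `setcap`'d binary or a root-started service would be in.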

Can you post the python script you are using to start it? Is there a reason you can't use systemd?

import subprocess
import shutil
import os


def run(command):
    """Run a command given as an argument list (no shell) and print its output."""
    p = subprocess.Popen(command, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    out, err = p.communicate()
    print(out)
    print(err)


def chmod755(path):
    """chmod 755 a single file."""
    run(["chmod", "755", path])


def download(url):
    print('----------------- downloading -------------')
    run(["curl", "-L", "-O", url])


def extract(gzfile):
    print('------------------- extracting -----------')
    subprocess.call(["tar", "xzvf", gzfile])


def replace_file(src_file, des_file):
    """Move <beat>.yml from the current directory over the one shipped in the extracted tarball."""
    print('--------------------- replacing-------------------')
    file = src_file + ".yml"
    src = os.path.join(os.getcwd(), file)
    print(src)
    chmod755(src)

    des = os.path.join(des_file, file)
    chmod755(des)
    print(des)
    if os.path.exists(src):
        shutil.move(src, des)


def start(beat, beat_dir):
    """Start the beat binary in the background from inside its own directory."""
    des = os.path.join(beat_dir, beat + ".yml")
    cdir = os.getcwd()
    chmod755(des)
    if beat == "metricbeat":
        chmod755(os.path.join(beat_dir, "modules.d/system.yml"))
    os.chdir(beat_dir)
    # The beat inherits the privileges of the user running this script.
    os.system("./{0} &".format(beat))
    os.chdir(cdir)


if __name__ == "__main__":
    chmod755("beat_config.txt")
    # beat_config.txt is expected to contain a line of the form: version=7.6.2
    with open('beat_config.txt', 'r') as f:
        beat_config = f.readlines()

    version_number = ""
    for line in beat_config:
        if line.startswith('version'):
            version_number = (line.split('=')[-1]).strip()

    if version_number == "":
        # raising aborts the script; nothing can be downloaded without a version
        raise ValueError('version is not specified, please specify it in beat_config.txt file')

    beats = ["filebeat", "auditbeat", "metricbeat", "heartbeat"]
    beat_dir = {}
    beat_download = {}
    for beat in beats:
        beat_dir[beat] = "{0}-{1}-linux-x86_64".format(beat, version_number)
        beat_download[beat] = "https://artifacts.elastic.co/downloads/beats/{0}/{1}.tar.gz".format(
            beat, beat_dir[beat])

    for beat in beats:
        download(beat_download[beat])
        extract(beat_dir[beat] + ".tar.gz")
        replace_file(beat, beat_dir[beat])
        start(beat, beat_dir[beat])

This is the script which I am using to download, extract and start.

On Windows as well I am getting the same error for Auditbeat.

I tried manually for auditbeat but I am still facing the same error.

Please don't post pictures of text, they are difficult to read, impossible to search and replicate (if it's code), and some people may not be even able to see them :slight_smile:

Are you running this as an admin/root user? Is there a reason you aren't using a deb/rpm package?

Yes I am running as admin only.

Is there any issue with using the Linux package?

And as root on linux?

Yes I am running as root on linux

What do you mean by issue?

All services running smoothly except this auditbeat.

I am using the Linux package, so is there any bug in those Linux packages? We can use any package for Linux OS, right?

If you installed the package, why do you have a custom script to start it as opposed to using the included service script?

That script does everything, like downloading and extracting and replacing the version, and then finally starting.

Yeah, but why?

Hi,
Now I am getting an error while installing Packetbeat on my Linux machine.

Exiting: Sniffer main loop failed: Error starting sniffer: any: You don't have permission to capture on that device (socket: Operation not permitted)