Issues installing Auditbeat on Oracle Linux and Red Hat

I am trying to install Auditbeat on Oracle Linux 6.8 and Red Hat 7.5 but I can't run the service after installation.

The following are the error messages I get:

On Oracle Linux:
2018-09-03T09:04:49.775+0300 INFO instance/beat.go:225 Setup Beat: auditbeat; Version: 6.3.2
2018-09-03T09:04:49.775+0300 DEBUG [beat] instance/beat.go:242 Initializing output plugins
2018-09-03T09:04:49.775+0300 DEBUG [processors] processors/processor.go:49 Processors:
2018-09-03T09:04:49.775+0300 DEBUG [publish] pipeline/consumer.go:120 start pipeline event consumer
2018-09-03T09:04:49.775+0300 INFO pipeline/module.go:81 Beat name:
2018-09-03T09:04:49.775+0300 DEBUG [modules] beater/metricbeat.go:81 Register [ModuleFactory:[], MetricSetFactory:[auditd/auditd, file_integrity/file]]
2018-09-03T09:04:49.776+0300 DEBUG [processors] processors/processor.go:49 Processors:
2018-09-03T09:04:49.776+0300 INFO [auditd] auditd/audit_linux.go:65 auditd module is running as euid=0 on kernel=2.6.39-400.284.1.el6uek.x86_64
2018-09-03T09:04:49.776+0300 ERROR [auditd] auditd/audit_linux.go:655 Cannot continue: audit configuration is locked in the kernel (enabled=2) which prevents using unicast sockets. Multicast audit subscriptions are not available in this kernel. Disable locking the audit configuration to use auditbeat.
2018-09-03T09:04:49.776+0300 ERROR instance/beat.go:691 Exiting: 1 error: 1 error: failed to create audit client: no connection to audit available
Exiting: 1 error: 1 error: failed to create audit client: no connection to audit available

On Red Hat:
-- Unit auditbeat.service has begun starting up.
Sep 03 09:13:08 auditbeat[60883]: Exiting: 1 error: 1 error: failed to create audit client: no connection to audit availa
Sep 03 09:13:08 systemd[1]: auditbeat.service: main process exited, code=exited, status=1/FAILURE
Sep 03 09:13:08 systemd[1]: Unit auditbeat.service entered failed state.
Sep 03 09:13:08 systemd[1]: auditbeat.service failed.
Sep 03 09:13:08 systemd[1]: auditbeat.service holdoff time over, scheduling restart.
Sep 03 09:13:08 systemd[1]: start request repeated too quickly for auditbeat.service
Sep 03 09:13:08 systemd[1]: Failed to start auditbeat.
-- Subject: Unit auditbeat.service has failed

I hear that this is happening because auditing is enabled on the kernel at boot time. However, disabling it will require a reboot, which is not allowed.

Is there any way to resolve this without a reboot?

The problem is that the kernel's audit configuration has been set to an immutable state. This is usually done as a security measure to prevent anything from disabling auditing or changing the rules. The only way to undo it is to reboot. Prior to rebooting you'll want to modify your auditd configuration to remove the immutable flag (-e 2 from your auditd config). See -e in auditctl(8) - Linux man page.
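As an added preflight check written for the answer above (not code from the thread or from Auditbeat): the script reads the kernel's current audit state from auditctl -s output and checks whether the -e 2 lock is still persisted in the rules file, so you know whether the failure will clear on reboot or the rules still need editing first. The sample status output and rules file are constructed; the rules file path is passed as a parameter.

```shell
#!/bin/sh
# Pre-flight check for Auditbeat's auditd module: is the kernel audit
# configuration locked (enabled=2), and is that lock still persisted in
# the rules that auditd loads at boot? Added example, not from the thread.
# Constructed sample input is used so the script runs offline; on a real
# host, pipe in `auditctl -s` and pass /etc/audit/audit.rules as argument.

# Parse the "enabled N" line of `auditctl -s` output given on stdin
# and print N (0 = off, 1 = on, 2 = locked/immutable).
audit_enabled_state() {
    awk '$1 == "enabled" { print $2; exit }'
}

# Print "locked" if the rules file contains an "-e 2" line (the immutable
# flag auditd applies at boot), else "unlocked".
rules_lock_flag() {
    if grep -Eq '^[[:space:]]*-e[[:space:]]+2([[:space:]]|$)' "$1"; then
        echo locked
    else
        echo unlocked
    fi
}

# Combine both: prints one of
#   ok               - kernel not locked; auditbeat can open a unicast socket
#   reboot-required  - locked now, -e 2 already removed; reboot clears it
#   fix-rules        - locked now and still persisted; remove -e 2, then reboot
auditbeat_readiness() {
    state=$(audit_enabled_state)   # reads auditctl -s output from stdin
    flag=$(rules_lock_flag "$1")
    if [ "$state" != "2" ]; then
        echo ok
    elif [ "$flag" = "locked" ]; then
        echo fix-rules
    else
        echo reboot-required
    fi
}

# --- constructed sample data (not from a real host) ---
SAMPLE_STATUS='enabled 2
failure 1
pid 1234'
SAMPLE_RULES=$(mktemp)
printf '%s\n' '-D' '-b 8192' '-w /etc/passwd -p wa -k identity' '-e 2' > "$SAMPLE_RULES"

printf '%s\n' "$SAMPLE_STATUS" | auditbeat_readiness "$SAMPLE_RULES"   # fix-rules
```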
