Hello,
I've got many Auditbeat instances running on Linux.
Recently, I upgraded from Auditbeat version 7.5.x to 7.15.2.
But unexpectedly, an error occurs on some servers in this version.
When the "auditd" error continues to occur, CPU and memory utilization increase linearly.
It only occurs on a specific server, even though many servers have the same OS and application installed.
/var/log/auditbeat/auditbeat ERROR log:
...
2021-12-22T12:47:11.486+0900 ERROR [auditd] auditd/audit_linux.go:204 get status request failed:failed to get audit status reply: no reply received
2021-12-22T12:57:56.488+0900 ERROR [auditd] auditd/audit_linux.go:204 get status request failed:failed to get audit status reply: no reply received
2021-12-22T13:06:41.486+0900 ERROR [auditd] auditd/audit_linux.go:204 get status request failed:failed to get audit status reply: no reply received
2021-12-22T13:08:11.488+0900 ERROR [auditd] auditd/audit_linux.go:204 get status request failed:failed to get audit status reply: no reply received
2021-12-22T13:11:26.490+0900 ERROR [auditd] auditd/audit_linux.go:204 get status request failed:failed to get audit status reply: no reply received
2021-12-22T13:16:26.489+0900 ERROR [auditd] auditd/audit_linux.go:204 get status request failed:failed to get audit status reply: no reply received
2021-12-22T13:26:11.489+0900 ERROR [auditd] auditd/audit_linux.go:204 get status request failed:failed to get audit status reply: no reply received
2021-12-22T13:28:11.490+0900 ERROR [auditd] auditd/audit_linux.go:204 get status request failed:failed to get audit status reply: no reply received
2021-12-22T13:32:26.488+0900 ERROR [auditd] auditd/audit_linux.go:204 get status request failed:failed to get audit status reply: no reply received
2021-12-22T13:38:26.492+0900 ERROR [auditd] auditd/audit_linux.go:204 get status request failed:failed to get audit status reply: no reply received
2021-12-22T13:42:41.489+0900 ERROR [auditd] auditd/audit_linux.go:204 get status request failed:failed to get audit status reply: no reply received
2021-12-22T13:45:26.490+0900 ERROR [auditd] auditd/audit_linux.go:204 get status request failed:failed to get audit status reply: no reply received
2021-12-22T13:50:41.488+0900 ERROR [auditd] auditd/audit_linux.go:204 get status request failed:failed to get audit status reply: no reply received
2021-12-22T14:05:11.489+0900 ERROR [auditd] auditd/audit_linux.go:204 get status request failed:failed to get audit status reply: no reply received
2021-12-22T14:26:26.491+0900 ERROR [auditd] auditd/audit_linux.go:204 get status request failed:failed to get audit status reply: no reply received
2021-12-22T14:33:11.489+0900 ERROR [auditd] auditd/audit_linux.go:204 get status request failed:failed to get audit status reply: no reply received
2021-12-22T14:53:41.488+0900 ERROR [auditd] auditd/audit_linux.go:204 get status request failed:failed to get audit status reply: no reply received
2021-12-22T14:54:41.487+0900 ERROR [auditd] auditd/audit_linux.go:204 get status request failed:failed to get audit status reply: no reply received
2021-12-22T14:57:26.489+0900 ERROR [auditd] auditd/audit_linux.go:204 get status request failed:failed to get audit status reply: no reply received
2021-12-22T14:57:56.491+0900 ERROR [auditd] auditd/audit_linux.go:204 get status request failed:failed to get audit status reply: no reply received
2021-12-22T14:59:41.489+0900 ERROR [auditd] auditd/audit_linux.go:204 get status request failed:failed to get audit status reply: no reply received
2021-12-22T15:13:56.492+0900 ERROR [auditd] auditd/audit_linux.go:204 get status request failed:failed to get audit status reply: no reply received
2021-12-22T15:14:26.488+0900 ERROR [auditd] auditd/audit_linux.go:204 get status request failed:failed to get audit status reply: no reply received
2021-12-22T15:20:26.490+0900 ERROR [auditd] auditd/audit_linux.go:204 get status request failed:failed to get audit status reply: no reply received
2021-12-22T15:27:41.491+0900 ERROR [auditd] auditd/audit_linux.go:204 get status request failed:failed to get audit status reply: no reply received
2021-12-22T15:37:11.487+0900 ERROR [auditd] auditd/audit_linux.go:204 get status request failed:failed to get audit status reply: no reply received
2021-12-22T15:40:56.488+0900 ERROR [auditd] auditd/audit_linux.go:204 get status request failed:failed to get audit status reply: no reply received
2021-12-22T15:59:11.489+0900 ERROR [auditd] auditd/audit_linux.go:204 get status request failed:failed to get audit status ack: no reply received
2021-12-22T15:59:56.489+0900 ERROR [auditd] auditd/audit_linux.go:204 get status request failed:failed to get audit status reply: no reply received
2021-12-22T16:04:56.486+0900 ERROR [auditd] auditd/audit_linux.go:204 get status request failed:failed to get audit status reply: no reply received
2021-12-22T16:06:41.488+0900 ERROR [auditd] auditd/audit_linux.go:204 get status request failed:failed to get audit status reply: no reply received
2021-12-22T16:33:41.488+0900 ERROR [auditd] auditd/audit_linux.go:204 get status request failed:failed to get audit status reply: no reply received
...
auditbeat.yml:
auditbeat.modules:
- module: auditd
  resolve_ids: true
  failure_mode: log
  backlog_limit: 8640
  rate_limit: 0
  include_raw_message: false
  include_warnings: false
  backpressure_strategy : auto
  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
  processors:
  - drop_event:
      when.or:
      - not.has_fields: ["tags"]
  - add_fields:
      target: host
      fields:
        company: 'universe4you'
  - add_docker_metadata:
      host: "unix:///var/run/docker.sock"
      match_fields: ["system.process.cgroup.id"]
      match_pids: ["process.pid", "process.ppid"]
      match_source: true
      match_short_id: false
      cleanup_timeout: 60
      labels.dedot: false
  - add_process_metadata:
      match_pids: ["process.ppid"]
      target: "process.parent"
- module: system
  datasets:
  - host # General host information, e.g. uptime, IPs
  period: 1h
  state.period: 8h # 8hour
- module: file_integrity
  paths:
  - /sbin/
  - /bin/
  - /usr/bin/
  - /usr/sbin/
  - /usr/local/bin/
  - /usr/local/sbin/
  - /var/log/auditbeat/
  scan_at_start: true
  scan_rate_per_sec: 5 MiB
  max_file_size: 10 MiB
  hash_types: ['md5', 'sha1']
output.file:
  elabled: true
  path: "/etc/auditbeat/log"
  filename: auditbeat
  rotate_every_kb: 20000
  number_of_files: 10
queue:
  mem:
    events: 20480
    flush.min_events: 4096
    flush.timeout: 1s
monitoring.elasticsearch:
  enabled: true
  hosts: ["http://es.universe4you.io:9200"]
  max_retries: 3
  backoff.init: 1m
  backoff.max: 60s
  timeout: 60
  metrics.period: 2m
  state.period: 60m
  bulk_max_size: 50
logging.to_syslog: false
logging.to_eventlog : false
logging.to_files : true
logging.level : error
logging.metrics.enabled : false
logging.metrics.period : 86400s
logging.files.path : /var/log/auditbeat
logging.files.rotateeverybytes : 1048576
logging.files.keepfiles : 7
logging.files.permission : 0600
logging.json : false
logging.files.redirect_stderr : true
max_procs: 1
audit.conf:
-a exclude,always -F msgtype=PATH
-a exclude,always -F msgtype=CRED_ACQ
-a exclude,always -F msgtype=CRED_DISP
-a exclude,always -F msgtype=CRED_REFR
-a exclude,always -F msgtype=CRYPTO_KEY_USER
-a exclude,always -F msgtype=CRYPTO_SESSION
-a exclude,always -F msgtype=USER_ACCT
-a exclude,always -F msgtype=USER_AUTH
-a exclude,always -F msgtype=USER_CMD
-a exclude,always -F msgtype=USER_END
-a exclude,always -F msgtype=USER_LOGIN
-a exclude,always -F msgtype=USER_LOGOUT
-a exclude,always -F msgtype=USER_START
-w /etc/certification/private.key -p x -k privatekey
-a always,exit -F arch=b64 -S connect -F a2=0x02 -F key=b64connect
-a always,exit -F arch=b64 -S connect -F a2=0x10 -F key=b64connect
-a always,exit -F arch=b64 -S execve -F euid=0 -F key=b64rootexecve
getpcaps command:
$ getpcaps "$(pgrep auditbeat)"
Capabilities for `3037': = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,37+ep
auditbeat DEBUG mode stdout:
2021-12-22T14:25:10.363+0900 INFO instance/beat.go:665 Home path: [/usr/share/auditbeat] Config path: [/etc/auditbeat] Data path: [/var/lib/auditbeat] Logs path: [/var/log/auditbeat]
2021-12-22T14:25:10.363+0900 DEBUG [beat] instance/beat.go:723 Beat metadata path: /var/lib/auditbeat/meta.json
2021-12-22T14:25:10.363+0900 INFO instance/beat.go:673 Beat ID: d146ef6b-b3bb-4336-9024-ecc8c80109c3
2021-12-22T14:25:10.363+0900 INFO instance/beat.go:686 Set max procs limit: 1
2021-12-22T14:25:10.363+0900 DEBUG [seccomp] seccomp/seccomp.go:117 Loading syscall filter {"seccomp_filter": {"no_new_privs":true,"flag":"tsync","policy":{"default_action":"errno","syscalls":[{"names":["accept","accept4","access","arch_prctl","bind","brk","chmod","chown","clock_gettime","clone","close","connect","dup","dup2","epoll_create","epoll_create1","epoll_ctl","epoll_pwait","epoll_wait","exit","exit_group","fchdir","fchmod","fchmodat","fchown","fchownat","fcntl","fdatasync","flock","fstat","fstatfs","fsync","ftruncate","futex","getcwd","getdents","getdents64","geteuid","getgid","getpeername","getpid","getppid","getrandom","getrlimit","getrusage","getsockname","getsockopt","gettid","gettimeofday","getuid","inotify_add_watch","inotify_init1","inotify_rm_watch","ioctl","kill","listen","lseek","lstat","madvise","mincore","mkdirat","mmap","mprotect","munmap","nanosleep","newfstatat","open","openat","pipe","pipe2","poll","ppoll","pread64","pselect6","pwrite64","read","readlink","readlinkat","recvfrom","recvmmsg","recvmsg","rename","renameat","rt_sigaction","rt_sigprocmask","rt_sigreturn","sched_getaffinity","sched_yield","sendfile","sendmmsg","sendmsg","sendto","set_robust_list","setitimer","setsockopt","shutdown","sigaltstack","socket","splice","stat","statfs","sysinfo","tgkill","time","tkill","uname","unlink","unlinkat","wait4","waitid","write","writev","umask","mremap","perf_event_open","eventfd2","mount","umount2"],"action":"allow"}]}}}
2021-12-22T14:25:10.364+0900 INFO [seccomp] seccomp/seccomp.go:124 Syscall filter successfully installed
2021-12-22T14:25:10.364+0900 INFO [beat] instance/beat.go:1014 Beat info {"system_info": {"beat": {"path": {"config": "/etc/auditbeat", "data": "/var/lib/auditbeat", "home": "/usr/share/auditbeat", "logs": "/var/log/auditbeat"}, "type": "auditbeat", "uuid": "d146ef6b-b3bb-4336-9024-ecc8c80109c3"}}}
2021-12-22T14:25:10.364+0900 INFO [beat] instance/beat.go:1023 Build info {"system_info": {"build": {"commit": "fd322dad6ceafec40c84df4d2a0694ea357d16cc", "libbeat": "7.15.2", "time": "2021-11-04T14:16:53.000Z", "version": "7.15.2"}}}
2021-12-22T14:25:10.364+0900 INFO [beat] instance/beat.go:1026 Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":1,"version":"go1.16.6"}}}
2021-12-22T14:25:10.365+0900 INFO [beat] instance/beat.go:1030 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-10-10T11:53:47+09:00","containerized":false,"name":"univer4you-web26","ip":["127.0.0.1/8","1.1.1.1/28","1.1.1.1/32"],"kernel_version":"3.10.0-1062.1.2.el7.x86_64","mac":["00:0c:33:f1:7a:c1"],"os":{"type":"linux","family":"redhat","platform":"centos","name":"CentOS Linux","version":"7 (Core)","major":7,"minor":6,"patch":1810,"codename":"Core"},"timezone":"KST","timezone_offset_sec":32400,"id":"c268205898a2450ea26381e7025dfe54"}}}
2021-12-22T14:25:10.365+0900 INFO [beat] instance/beat.go:1059 Process info {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"ambient":null}, "cwd": "/var/log/auditbeat", "exe": "/usr/share/auditbeat/bin/auditbeat", "name": "auditbeat", "pid": 19926, "ppid": 19925, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2021-12-22T14:25:10.160+0900"}}}
2021-12-22T14:25:10.366+0900 INFO instance/beat.go:309 Setup Beat: auditbeat; Version: 7.15.2
2021-12-22T14:25:10.366+0900 DEBUG [beat] instance/beat.go:335 Initializing output plugins
2021-12-22T14:25:10.366+0900 DEBUG [publisher] pipeline/consumer.go:148 start pipeline event consumer
2021-12-22T14:25:10.367+0900 INFO [publisher] pipeline/module.go:113 Beat name: univer4you-web26
2021-12-22T14:25:10.367+0900 DEBUG [modules] beater/metricbeat.go:151 Available modules and metricsets: Register [ModuleFactory:[system], MetricSetFactory:[auditd/auditd, file_integrity/file, system/host, system/login, system/package, system/process, system/socket, system/user]]
2021-12-22T14:25:10.368+0900 INFO [auditd] auditd/audit_linux.go:107 auditd module is running as euid=0 on kernel=3.10.0-1062.1.2.el7.x86_64
2021-12-22T14:25:10.368+0900 INFO [auditd] auditd/audit_linux.go:134 socket_type=unicast will be used.
2021-12-22T14:25:10.369+0900 DEBUG [conditions] conditions/conditions.go:98 New condition has_fields: [tags]
2021-12-22T14:25:10.369+0900 DEBUG [conditions] conditions/conditions.go:98 New condition !has_fields: [tags]
2021-12-22T14:25:10.369+0900 DEBUG [docker] docker/client.go:48 Docker client will negotiate the API version on the first request.
2021-12-22T14:25:10.369+0900 DEBUG [add_docker_metadata] add_docker_metadata/add_docker_metadata.go:86 add_docker_metadata: docker environment not detected: Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?
2021-12-22T14:25:10.370+0900 DEBUG [add_process_metadata] add_process_metadata/add_process_metadata.go:130 Initializing cgroup cache {"instance_id": 1}
2021-12-22T14:25:10.394+0900 WARN [cfgwarn] host/host.go:188 BETA: The system/host dataset is beta
2021-12-22T14:25:10.394+0900 DEBUG [system] host/host.go:472 Restored last host information from disk.
2021-12-22T14:25:10.395+0900 DEBUG [file_integrity] file_integrity/metricset.go:109 Initialized the file event reader. Running as euid=0
2021-12-22T14:25:10.396+0900 INFO [esclientleg] eslegclient/connection.go:100 elasticsearch url: http://es.univer4you.io:9200
2021-12-22T14:25:10.396+0900 DEBUG [monitoring] pipeline/consumer.go:148 start pipeline event consumer
2021-12-22T14:25:10.396+0900 DEBUG [monitoring] elasticsearch/elasticsearch.go:215 Start monitoring endpoint init loop.
2021-12-22T14:25:10.396+0900 DEBUG [monitoring] elasticsearch/client.go:66 Monitoring client: connect.
2021-12-22T14:25:10.396+0900 DEBUG [esclientleg] eslegclient/connection.go:249 ES Ping(url=http://es.univer4you.io:9200)
2021-12-22T14:25:10.397+0900 INFO instance/beat.go:473 auditbeat start running.
2021-12-22T14:25:10.397+0900 DEBUG [module] module/wrapper.go:127 Starting Wrapper[name=auditd, len(metricSetWrappers)=1]
2021-12-22T14:25:10.397+0900 DEBUG [module] module/wrapper.go:127 Starting Wrapper[name=system, len(metricSetWrappers)=1]
2021-12-22T14:25:10.397+0900 DEBUG [module] module/wrapper.go:127 Starting Wrapper[name=file_integrity, len(metricSetWrappers)=1]
2021-12-22T14:25:10.397+0900 DEBUG [module] module/wrapper.go:181 auditd/auditd will start after 7.671423914s
2021-12-22T14:25:10.397+0900 DEBUG [module] module/wrapper.go:181 system/host will start after 6.199571658s
2021-12-22T14:25:10.397+0900 DEBUG [module] module/wrapper.go:181 file_integrity/file will start after 3.110411367s
2021-12-22T14:25:10.398+0900 DEBUG [esclientleg] transport/logging.go:41 Completed dialing successfully {"network": "tcp", "address": "es.univer4you.io:9200"}
2021-12-22T14:25:10.400+0900 DEBUG [esclientleg] eslegclient/connection.go:272 Ping status code: 200
2021-12-22T14:25:10.400+0900 INFO [esclientleg] eslegclient/connection.go:273 Attempting to connect to Elasticsearch version 7.10.2
2021-12-22T14:25:10.400+0900 DEBUG [esclientleg] eslegclient/connection.go:328 GET http://es.univer4you.io:9200/_xpack?filter_path=features.monitoring.enabled <nil>
2021-12-22T14:25:10.420+0900 DEBUG [monitoring] elasticsearch/client.go:101 XPack monitoring is enabled
2021-12-22T14:25:10.420+0900 INFO [monitoring] elasticsearch/elasticsearch.go:244 Successfully connected to X-Pack Monitoring endpoint.
2021-12-22T14:25:10.420+0900 DEBUG [monitoring] elasticsearch/elasticsearch.go:250 Finish monitoring endpoint init loop.
2021-12-22T14:25:10.420+0900 INFO [monitoring] elasticsearch/elasticsearch.go:258 Start monitoring stats metrics snapshot loop with period 2m0s.
2021-12-22T14:25:10.420+0900 INFO [monitoring] elasticsearch/elasticsearch.go:258 Start monitoring state metrics snapshot loop with period 1h0m0s.
2021-12-22T14:25:13.510+0900 DEBUG [module] module/wrapper.go:189 Starting metricSetWrapper[module=file_integrity, name=file, host=]
2021-12-22T14:25:13.511+0900 INFO [file_integrity] file_integrity/eventreader_fsnotify.go:97 Started fsnotify watcher {"file_path": ["/usr/bin", "/usr/local/bin", "/usr/local/sbin", "/usr/sbin", "/var/log/auditbeat"], "recursive": false}
2021-12-22T14:25:13.511+0900 DEBUG [file_integrity] file_integrity/scanner.go:73 Creating token bucket with rate 5 MiB/sec and capacity 10 MiB {"scanner_id": 1, "bytes_per_sec": 5242880, "capacity_bytes": 10485760}
2021-12-22T14:25:13.511+0900 DEBUG [file_integrity] file_integrity/scanner.go:89 File system scanner is starting {"scanner_id": 1, "file_path": ["/etc/auditbeat/auditbeat.yml", "/usr/bin", "/usr/local/bin", "/usr/local/sbin", "/usr/sbin", "/var/log/auditbeat"], "new_path": {}}
^C2021-12-22T14:25:15.959+0900 DEBUG [service] service/service.go:54 Received sigterm/sigint, stopping
2021-12-22T14:25:15.959+0900 DEBUG [publisher] pipeline/client.go:158 client: closing acker
2021-12-22T14:25:15.961+0900 DEBUG [publisher] pipeline/client.go:163 client: done closing acker
2021-12-22T14:25:15.961+0900 DEBUG [publisher] pipeline/client.go:165 client: unlink from queue
2021-12-22T14:25:15.961+0900 DEBUG [publisher] pipeline/client.go:187 client: cancelled 0 events
2021-12-22T14:25:15.961+0900 DEBUG [publisher] pipeline/client.go:167 client: done unlink
2021-12-22T14:25:15.961+0900 DEBUG [publisher] pipeline/client.go:170 client: closing processors
2021-12-22T14:25:15.961+0900 DEBUG [publisher] pipeline/client.go:175 client: done closing processors
2021-12-22T14:25:15.959+0900 DEBUG [file_integrity] file_integrity/eventreader_fsnotify.go:120 fsnotify reader terminated
2021-12-22T14:25:15.959+0900 DEBUG [publisher] pipeline/client.go:158 client: closing acker
2021-12-22T14:25:15.961+0900 DEBUG [publisher] pipeline/client.go:163 client: done closing acker
2021-12-22T14:25:15.961+0900 DEBUG [publisher] pipeline/client.go:165 client: unlink from queue
2021-12-22T14:25:15.961+0900 DEBUG [publisher] pipeline/client.go:187 client: cancelled 0 events
2021-12-22T14:25:15.961+0900 DEBUG [publisher] pipeline/client.go:167 client: done unlink
2021-12-22T14:25:15.961+0900 DEBUG [publisher] pipeline/client.go:170 client: closing processors
2021-12-22T14:25:15.961+0900 DEBUG [publisher] pipeline/client.go:175 client: done closing processors
2021-12-22T14:25:15.959+0900 DEBUG [module] module/wrapper.go:155 Stopped Wrapper[name=system, len(metricSetWrappers)=1]
2021-12-22T14:25:15.959+0900 DEBUG [publisher] pipeline/client.go:158 client: closing acker
2021-12-22T14:25:15.962+0900 DEBUG [publisher] pipeline/client.go:163 client: done closing acker
2021-12-22T14:25:15.962+0900 DEBUG [publisher] pipeline/client.go:165 client: unlink from queue
2021-12-22T14:25:15.962+0900 DEBUG [publisher] pipeline/client.go:187 client: cancelled 0 events
2021-12-22T14:25:15.962+0900 DEBUG [publisher] pipeline/client.go:167 client: done unlink
2021-12-22T14:25:15.962+0900 DEBUG [publisher] pipeline/client.go:170 client: closing processors
2021-12-22T14:25:15.962+0900 DEBUG [publisher] pipeline/client.go:175 client: done closing processors
2021-12-22T14:25:15.959+0900 DEBUG [module] module/wrapper.go:155 Stopped Wrapper[name=auditd, len(metricSetWrappers)=1]
2021-12-22T14:25:15.960+0900 DEBUG [module] module/wrapper.go:214 Stopped metricSetWrapper[module=file_integrity, name=file, host=]
2021-12-22T14:25:15.962+0900 DEBUG [module] module/wrapper.go:155 Stopped Wrapper[name=file_integrity, len(metricSetWrappers)=1]
2021-12-22T14:25:15.962+0900 DEBUG [monitoring] pipeline/pipeline.go:203 close pipeline
2021-12-22T14:25:15.962+0900 INFO instance/beat.go:479 auditbeat stopped.
OSes with the same problem:
CentOS Linux release 7.3.1611 / Kernel 3.10.0-957.21.3.el7.x86_64
CentOS Linux release 7.5.1804 / Kernel 3.10.0-862.11.6.el7.x86_64
CentOS Linux release 7.7.1908 / Kernel 3.10.0-1062.12.1.el7.x86_64
Ubuntu 18.04.5 / Kernel 4.15.0-156-generic
Ubuntu 20.04.3 / Kernel 5.4.0-91-generic
and more...
How can I solve this problem, please?