Metricset 'audit/kernel' is not registered, module not found


(Rob) #1

I'm stumped here. I'm using salt to deploy auditbeat across multiple CentOS7 hosts but found at least one server where auditbeat will not start and is giving me the following error:

2018-02-10T19:30:18.733-0500 ERROR instance/beat.go:667 Exiting: 2 errors: 1 error: metricset 'audit/kernel' is not registered, module not found; 1 error: metricset 'audit/file' is not registered, module not found

Now this is the same config that I am using on multiple like hosts, so I'm pretty sure that the config is correct and I'm missing something obvious on this one host, but I can't for the life of me figure out what.

My modules config looks like this:

#==========================  Modules configuration =============================
auditbeat.modules:
  - module: audit
    metricsets: [kernel]
    kernel.resolve_ids: true
    kernel.failure_mode: silent
    kernel.backlog_limit: 8196
    kernel.rate_limit: 0
    kernel.include_raw_message: false
    kernel.include_warnings: false
    kernel.audit_rules: |
      -a always,exit -F arch=b32 -S all -F key=32bit-abi

    file.scan_at_start: true
    file.max_file_size: 100 MiB

Anyone come across this error or can point me in a general direction on where to start looking?


(Rob) #2

I'm wrong and it's definitely a config issue, but I'm still not sure why. Still doing some testing around this to see where I'm going wrong.


(Tudor Golubenco) #3

Are you using Auditbeat 6.2? If not, I strongly suggest you upgrade to it because starting with 6.2, Auditbeat is GA. Your config looks like it's for pre-6.2 Auditbeat (still refers to "metricsets"), the 6.2 config should be simpler.


(Andrew Kroh) #4

Here's some information about the changes in version 6.2: https://www.elastic.co/guide/en/beats/auditbeat/6.2/auditbeat-breaking-changes.html


(Guillaume Bettayeb) #5

I am having the exact same issue on CentOS 7 with Auditbeat version 6.3:

[root@Auditd auditbeat]# tail /var/log/auditbeat/auditbeat
2018-08-08T10:47:18.417+0100 INFO instance/beat.go:225 Setup Beat: auditbeat; Version: 6.3.2
2018-08-08T10:47:18.417+0100 DEBUG [beat] instance/beat.go:242 Initializing output plugins
2018-08-08T10:47:18.417+0100 DEBUG [processors] processors/processor.go:49 Processors:
2018-08-08T10:47:18.417+0100 DEBUG [publish] pipeline/consumer.go:120 start pipeline event consumer
2018-08-08T10:47:18.417+0100 INFO pipeline/module.go:81 Beat name: Auditd
2018-08-08T10:47:18.417+0100 DEBUG [modules] beater/metricbeat.go:81 Register [ModuleFactory:[], MetricSetFactory:[auditd/auditd, file_integrity/file]]
2018-08-08T10:47:18.417+0100 DEBUG [processors] processors/processor.go:49 Processors:
2018-08-08T10:47:18.418+0100 DEBUG [processors] processors/processor.go:49 Processors:
2018-08-08T10:47:18.418+0100 INFO instance/beat.go:275 auditbeat stopped.
2018-08-08T10:47:18.418+0100 ERROR instance/beat.go:691 Exiting: 2 errors: 1 error: metricset 'audit/kernel' is not registered, module not found; 1 error: metricset 'audit/file' is not registered, module not found


(Andrew Kroh) #6

The exact same solution applies. You'll need to update your configuration used with any Auditbeat beta releases (pre v6.2) to work with versions >=6.2.0.

See the examples in https://www.elastic.co/guide/en/beats/auditbeat/6.2/auditbeat-breaking-changes.html or the configuration files that are included with the 6.3.2 package that you installed.
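A pre-flight check for this failure, useful before a fleet-wide rollout because a host where Auditbeat exits at startup collects no audit events. This is an added example, not code from the thread or from Elastic. It compares the metricsets the binary registered with the ones the error names, using two log lines from post #5, and flags config lines in the beta layout from post #1. The function names and the line-based scan are assumptions, as is treating `kernel.`/`file.` key prefixes as pre-6.2 markers.

```python
import re

# Constructed sample: two lines copied from the Auditbeat 6.3.2 log quoted in post #5.
SAMPLE_LOG = """\
2018-08-08T10:47:18.417+0100 DEBUG [modules] beater/metricbeat.go:81 Register [ModuleFactory:[], MetricSetFactory:[auditd/auditd, file_integrity/file]]
2018-08-08T10:47:18.418+0100 ERROR instance/beat.go:691 Exiting: 2 errors: 1 error: metricset 'audit/kernel' is not registered, module not found; 1 error: metricset 'audit/file' is not registered, module not found
"""

# Constructed sample: a few lines of the pre-6.2 config from post #1.
SAMPLE_CONFIG = """\
auditbeat.modules:
  - module: audit
    metricsets: [kernel]
    kernel.resolve_ids: true
    file.scan_at_start: true
"""

REGISTERED_RE = re.compile(r"MetricSetFactory:\[([^\]]*)\]")
MISSING_RE = re.compile(r"metricset '([^']+)' is not registered")
# Assumption: these line prefixes mark the beta (pre-6.2) layout seen in post #1.
STALE_RE = re.compile(r"^\s*(?:-\s*module:\s*audit\s*$|metricsets:|kernel\.|file\.)")


def registered_metricsets(log):
    """Return the module/metricset pairs the binary announced at startup."""
    found = set()
    for m in REGISTERED_RE.finditer(log):
        found.update(p.strip() for p in m.group(1).split(",") if p.strip())
    return found


def unregistered_metricsets(log):
    """Return metricsets named in 'is not registered' errors that were never announced."""
    requested = set(MISSING_RE.findall(log))
    return sorted(requested - registered_metricsets(log))


def stale_config_lines(config):
    """Return (line_number, text) for config lines that use the pre-6.2 layout."""
    return [(n, line.strip()) for n, line in enumerate(config.splitlines(), 1)
            if STALE_RE.match(line)]


if __name__ == "__main__":
    print("registered:  ", sorted(registered_metricsets(SAMPLE_LOG)))
    print("unregistered:", unregistered_metricsets(SAMPLE_LOG))
    for n, text in stale_config_lines(SAMPLE_CONFIG):
        print(f"config line {n}: {text}")
```

The DEBUG `Register` line only appears when debug logging is enabled, as it was in the log in post #5.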