I'm stumped here. I'm using Salt to deploy auditbeat across multiple CentOS 7 hosts but found at least one server where auditbeat will not start and is giving me the following error:
2018-02-10T19:30:18.733-0500 ERROR instance/beat.go:667 Exiting: 2 errors: 1 error: metricset 'audit/kernel' is not registered, module not found; 1 error: metricset 'audit/file' is not registered, module not found
Now this is the same config that I am using on multiple like hosts, so I'm pretty sure that the config is correct and I'm missing something obvious on this one host, but I can't for the life of me figure out what.
My modules config looks like this:
#========================== Modules configuration =============================
auditbeat.modules:

- module: audit
  metricsets: [kernel]
  kernel.resolve_ids: true
  kernel.failure_mode: silent
  kernel.backlog_limit: 8196
  kernel.rate_limit: 0
  kernel.include_raw_message: false
  kernel.include_warnings: false
  kernel.audit_rules: |
    -a always,exit -F arch=b32 -S all -F key=32bit-abi
  file.scan_at_start: true
  file.max_file_size: 100 MiB
Anyone come across this error or can point me in a general direction on where to start looking?