Only one log is output from auditbeat

I am using Auditbeat (6.4) on Windows 10.

I have specified the C drive as the monitoring destination.
Other computers output a lot of data in 'file_integrity'.
When I start Auditbeat on only one computer, I get only one data entry, as shown below:
file.path: C:\

There is an error in the Auditbeat log:

INFO	[file_integrity]	file_integrity/eventreader_fsnotify.go:76	Started fsnotify watcher {"file_path": ["C:\\"], "recursive": true}

ERROR	bbolt/freelist.go:143	recovered from panic while fetching 'file_integrity/file' for host ''. Recovering, but please report this.	{"panic": "page 89956 already freed", "stack": "github.com/elastic/beats/libbeat/logp.Recover

/go/src/github.com/elastic/beats/libbeat/logp/global.go:105
runtime.call32
/usr/local/go/src/runtime/asm_amd64.s:573
runtime.gopanic
/usr/local/go/src/runtime/panic.go:502
github.com/elastic/beats/vendor/github.com/coreos/bbolt.(*freelist).free
/go/src/github.com/elastic/beats/vendor/github.com/coreos/bbolt/freelist.go:143
github.com/elastic/beats/vendor/github.com/coreos/bbolt.(*node).spill
/go/src/github.com/elastic/beats/vendor/github.com/coreos/bbolt/node.go:363
github.com/elastic/beats/vendor/github.com/coreos/bbolt.(*node).spill
/go/src/github.com/elastic/beats/vendor/github.com/coreos/bbolt/node.go:350
github.com/elastic/beats/vendor/github.com/coreos/bbolt.(*node).spill
/go/src/github.com/elastic/beats/vendor/github.com/coreos/bbolt/node.go:350
github.com/elastic/beats/vendor/github.com/coreos/bbolt.(*node).spill
/go/src/github.com/elastic/beats/vendor/github.com/coreos/bbolt/node.go:350
github.com/elastic/beats/vendor/github.com/coreos/bbolt.(*node).spill
/go/src/github.com/elastic/beats/vendor/github.com/coreos/bbolt/node.go:350
github.com/elastic/beats/vendor/github.com/coreos/bbolt.(*node).spill
/go/src/github.com/elastic/beats/vendor/github.com/coreos/bbolt/node.go:350
github.com/elastic/beats/vendor/github.com/coreos/bbolt.(*Bucket).spill
/go/src/github.com/elastic/beats/vendor/github.com/coreos/bbolt/bucket.go:568
github.com/elastic/beats/vendor/github.com/coreos/bbolt.(*Bucket).spill
/go/src/github.com/elastic/beats/vendor/github.com/coreos/bbolt/bucket.go:535
github.com/elastic/beats/vendor/github.com/coreos/bbolt.(*Tx).Commit
/go/src/github.com/elastic/beats/vendor/github.com/coreos/bbolt/tx.go:160
github.com/elastic/beats/vendor/github.com/coreos/bbolt.(*DB).Update
/go/src/github.com/elastic/beats/vendor/github.com/coreos/bbolt/db.go:679
github.com/elastic/beats/auditbeat/datastore.(*boltBucket).Store
/go/src/github.com/elastic/beats/auditbeat/datastore/datastore.go:142
github.com/elastic/beats/auditbeat/module/file_integrity.store
/go/src/github.com/elastic/beats/auditbeat/module/file_integrity/metricset.go:304
github.com/elastic/beats/auditbeat/module/file_integrity.(*MetricSet).reportEvent
/go/src/github.com/elastic/beats/auditbeat/module/file_integrity/metricset.go:203
github.com/elastic/beats/auditbeat/module/file_integrity.(*MetricSet).Run
/go/src/github.com/elastic/beats/auditbeat/module/file_integrity/metricset.go:133
github.com/elastic/beats/metricbeat/mb/module.(*metricSetWrapper).run
/go/src/github.com/elastic/beats/metricbeat/mb/module/wrapper.go:193
github.com/elastic/beats/metricbeat/mb/module.(*Wrapper).Start.func1
/go/src/github.com/elastic/beats/metricbeat/mb/module/wrapper.go:137"}

What is wrong? I would like to solve this problem.

Thanks.

Can you share your config file, please?

The config file is here:

#6.4.0
path.data:
  C:/ProgramData/xxxx/db/auditbeat

auditbeat.modules:
- module: file_integrity
  paths:
  - C:/
  exclude_files:
  - 'beat.db'
  - 'x*\.tmp$'
  - 'x*\\Content\.Outlook\\x*'
  - 'x*\.emf$'
  - 'x*\\beat.db$'
  - 'x*\\.tmp$'
  - 'x*\\Content\.Outlook\\x*'
  - 'x*\\.emf$'
  - 'x*\\AppData\\Roaming\\Microsoft\\Outlook\\OutlPrnt$'
  - 'x*\\~\$*.*$'
  - '.?:\\ProgramData\\xxxx\\monitor-ab$'
  - '.*\\ProgramData\\PCA\\.*'
  - '.*\\adobeTemp\\.*'
  - '.*\\Users\\.*\\AppData\\Local\\Temp\\Adobe.*'
  - '.*\\Users\\.*\\AppData\\Roaming\\Adobe.*'
  - '.*\\Users\\.*\\Documents\\Adobe.*'
  scan_at_start: true
  scan_rate_per_sec: 5 mb
  max_file_size: 100 kb
  hash_types: sha256
  recursive: true

tags: ["auditbeat"]

output.logstash:
  hosts: ["localhost:5044"]


logging.level: info
logging.to_files: true
logging.files:
  path: c:/ProgramData/xxxx
  name: auditbeat
  keepfiles: 7
  permissions: 0644

Thanks.

Does this issue reproduce when using the latest 7.17 or 8.4 versions of Auditbeat?
