Only one log is output from auditbeat

aurantiacus · September 6, 2022, 3:02am

I am using auditbeat (6.4) on windows 10.

I have specified the C drive as the monitoring destination.
Other computers output a lot of data in 'file_integrity'.
When I start auditbeat on only one computer, I get only one data as shown below.
file.path: C:\

There is an error in the auditbeat log.

INFO	[file_integrity]	file_integrity/eventreader_fsnotify.go:76	Started fsnotify watcher {"file_path": ["C:\\"], "recursive": true}

ERROR	bbolt/freelist.go:143	recovered from panic while fetching 'file_integrity/file' for host ''. Recovering, but please report this.	{"panic": "page 89956 already freed", "stack": "github.com/elastic/beats/libbeat/logp.Recover

/go/src/github.com/elastic/beats/libbeat/logp/global.go:105
runtime.call32
/usr/local/go/src/runtime/asm_amd64.s:573
runtime.gopanic
/usr/local/go/src/runtime/panic.go:502
github.com/elastic/beats/vendor/github.com/coreos/bbolt.(*freelist).free
/go/src/github.com/elastic/beats/vendor/github.com/coreos/bbolt/freelist.go:143
github.com/elastic/beats/vendor/github.com/coreos/bbolt.(*node).spill
/go/src/github.com/elastic/beats/vendor/github.com/coreos/bbolt/node.go:363
github.com/elastic/beats/vendor/github.com/coreos/bbolt.(*node).spill
/go/src/github.com/elastic/beats/vendor/github.com/coreos/bbolt/node.go:350
github.com/elastic/beats/vendor/github.com/coreos/bbolt.(*node).spill
/go/src/github.com/elastic/beats/vendor/github.com/coreos/bbolt/node.go:350
github.com/elastic/beats/vendor/github.com/coreos/bbolt.(*node).spill
/go/src/github.com/elastic/beats/vendor/github.com/coreos/bbolt/node.go:350
github.com/elastic/beats/vendor/github.com/coreos/bbolt.(*node).spill
/go/src/github.com/elastic/beats/vendor/github.com/coreos/bbolt/node.go:350
github.com/elastic/beats/vendor/github.com/coreos/bbolt.(*node).spill
/go/src/github.com/elastic/beats/vendor/github.com/coreos/bbolt/node.go:350
github.com/elastic/beats/vendor/github.com/coreos/bbolt.(*Bucket).spill
/go/src/github.com/elastic/beats/vendor/github.com/coreos/bbolt/bucket.go:568
github.com/elastic/beats/vendor/github.com/coreos/bbolt.(*Bucket).spill
/go/src/github.com/elastic/beats/vendor/github.com/coreos/bbolt/bucket.go:535
github.com/elastic/beats/vendor/github.com/coreos/bbolt.(*Tx).Commit
/go/src/github.com/elastic/beats/vendor/github.com/coreos/bbolt/tx.go:160
github.com/elastic/beats/vendor/github.com/coreos/bbolt.(*DB).Update
/go/src/github.com/elastic/beats/vendor/github.com/coreos/bbolt/db.go:679
github.com/elastic/beats/auditbeat/datastore.(*boltBucket).Store
/go/src/github.com/elastic/beats/auditbeat/datastore/datastore.go:142
github.com/elastic/beats/auditbeat/module/file_integrity.store
/go/src/github.com/elastic/beats/auditbeat/module/file_integrity/metricset.go:304
github.com/elastic/beats/auditbeat/module/file_integrity.(*MetricSet).reportEvent
/go/src/github.com/elastic/beats/auditbeat/module/file_integrity/metricset.go:203
github.com/elastic/beats/auditbeat/module/file_integrity.(*MetricSet).Run
/go/src/github.com/elastic/beats/auditbeat/module/file_integrity/metricset.go:133
github.com/elastic/beats/metricbeat/mb/module.(*metricSetWrapper).run
/go/src/github.com/elastic/beats/metricbeat/mb/module/wrapper.go:193
github.com/elastic/beats/metricbeat/mb/module.(*Wrapper).Start.func1
/go/src/github.com/elastic/beats/metricbeat/mb/module/wrapper.go:137"}

What is wrong? I would like to solve this problem.

Thanks.

warkolm · September 6, 2022, 3:47am

Can you share your config file please.

aurantiacus · September 6, 2022, 9:29am

The config file is here

#6.4.0
path.data:
  C:/ProgramData/xxxx/db/auditbeat

auditbeat.modules:
- module: file_integrity
  paths:
  - C:/
  exclude_files:
  - 'beat.db'
  - 'x*\.tmp$'
  - 'x*\\Content\.Outlook\\x*'
  - 'x*\.emf$'
  - 'x*\\beat.db$'
  - 'x*\\.tmp$'
  - 'x*\\Content\.Outlook\\x*'
  - 'x*\\.emf$'
  - 'x*\\AppData\\Roaming\\Microsoft\\Outlook\\OutlPrnt$'
  - 'x*\\~\$*.*$'
  - '.?:\\ProgramData\\xxxx\\monitor-ab$'
  - '.*\\ProgramData\\PCA\\.*'
  - '.*\\adobeTemp\\.*'
  - '.*\\Users\\.*\\AppData\\Local\\Temp\\Adobe.*'
  - '.*\\Users\\.*\\AppData\\Roaming\\Adobe.*'
  - '.*\\Users\\.*\\Documents\\Adobe.*'
  scan_at_start: true
  scan_rate_per_sec: 5 mb
  max_file_size: 100 kb
  hash_types: sha256
  recursive: true

tags: ["auditbeat"]

output.logstash:
  hosts: ["localhost:5044"]


logging.level: info
logging.to_files: true
logging.files:
  path: c:/ProgramData/xxxx
  name: auditbeat
  keepfiles: 7
  permissions: 0644

thanks.

andrewkroh · September 7, 2022, 12:58am

Does this issue reproduce when using the latest 7.17 or 8.4 versions of Auditbeat?

system · October 5, 2022, 2:59am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.