Run Auditbeat with non-root user

Hi Elastic Team,
I run ELK on Linux (CentOS7).
Because of a security issue, I need to run Auditbeat with a non-root user.

When running Auditbeat with a non-root user, it shows:

2019-08    WARN    [cfgwarn]       host/host.go:167        BETA: The system/host dataset is beta
2019-08    WARN    [cfgwarn]       login/login.go:95       BETA: The system/login dataset is beta
2019-08    WARN    [cfgwarn]       package/package.go:169  BETA: The system/package dataset is beta
2019-08    WARN    [cfgwarn]       process/process.go:131  BETA: The system/process dataset is beta
2019-08    WARN    [process]       process/process.go:174  Running as non-root user, will likely not report all processes.
2019-08    WARN    [cfgwarn]       socket/socket.go:245    BETA: The system/socket dataset is beta
2019-08    WARN    [cfgwarn]       user/user.go:205        BETA: The system/user dataset is beta
2019-08    INFO    instance/beat.go:385    auditbeat stopped.
2019-08    ERROR   instance/beat.go:877    Exiting: 1 error: 1 error: failed to create audit client: failed to get audit status: operation not permitted
Exiting: 1 error: 1 error: failed to create audit client: failed to get audit status: operation not permitted

Does anyone know what capabilities are needed when running Auditbeat?
capability doc

Any suggestions would be greatly appreciated!
Daniel.

Use this command:

setcap cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog=ep auditbeat
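An added example, not part of the reply above and not Auditbeat's own tooling: a shell helper that reviews a `setcap` clause such as the one in the reply against an allowlist before it is applied. The `ALLOWED` set (audit netlink access only) and the `BROAD` list are assumptions for illustration, and the function names are hypothetical.

```bash
# Added example: review a setcap capability clause before applying it.
# ALLOWED is an assumption (audit netlink access only); confirm by testing.
ALLOWED="cap_audit_control cap_audit_read"
# Capabilities a reviewer would treat as close to full root (illustrative, not exhaustive).
BROAD="cap_sys_admin cap_sys_module cap_sys_ptrace cap_sys_rawio cap_setfcap cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_chown cap_fowner"
# Clause copied from the setcap command in the reply above.
PAGE_CLAUSE="cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog=ep"

# split_caps CLAUSE: drop the flag suffix ("=ep", "+ep") and print one name per line.
split_caps() {
  printf '%s\n' "${1%%[=+-]*}" | tr ',' '\n' | tr 'A-Z' 'a-z' | sed '/^$/d'
}

# in_list WORD "space separated list": succeed if WORD is a member.
in_list() {
  case " $2 " in *" $1 "*) return 0 ;; esac
  return 1
}

# excess_caps CLAUSE: capabilities granted beyond ALLOWED.
excess_caps() {
  split_caps "$1" | while read -r c; do
    if ! in_list "$c" "$ALLOWED"; then echo "$c"; fi
  done
}

# broad_caps CLAUSE: granted capabilities that appear in BROAD.
broad_caps() {
  split_caps "$1" | while read -r c; do
    if in_list "$c" "$BROAD"; then echo "$c"; fi
  done
}

# review_caps CLAUSE: print a one-line summary; fail if any BROAD capability is granted.
review_caps() {
  total=$(( $(split_caps "$1" | wc -l) ))
  excess=$(( $(excess_caps "$1" | wc -l) ))
  broad=$(broad_caps "$1" | tr '\n' ' ')
  echo "granted=$total beyond_allowlist=$excess broad=${broad% }"
  [ -z "$broad" ]
}

# Review the clause from the reply; "|| true" keeps the demo from aborting a calling script.
review_caps "$PAGE_CLAUSE" || true
```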
