Start auditbeat

I'm starting auditbeat on one of the machines and I'm getting the following message when running auditbeat:

ERROR   instance/beat.go:951    Exiting: 1 error: system/socket dataset setup failed: tracefs/debugfs is not mounted or not writeable: 2 errors: stat /sys/kernel/tracing/kprobe_events: no such file or directory; stat /sys/kernel/debug/tracing/kprobe_events: no such file or directory
Exiting: 1 error: system/socket dataset setup failed: tracefs/debugfs is not mounted or not writeable: 2 errors: stat /sys/kernel/tracing/kprobe_events: no such file or directory; stat /sys/kernel/debug/tracing/kprobe_events: no such file or directory

I did some googling but I wasn't able to figure out much. Does anyone know how to fix this? Thanks ahead.

Hey @headtea,

On what Linux distribution and version are you installing Auditbeat? Are you running Auditbeat as root?

Thanks for the response.

I'm on CentOS 6.7. I was able to solve this by commenting out this line (socket):

- module: system
  datasets:
    # - socket  # Opened and closed sockets

Although I'm not sure what it does and what's different now.
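
The error above names two `kprobe_events` files that the system/socket dataset setup looks for. As an added example (not part of the thread and not Auditbeat's own code), this shell function checks both paths and, when neither exists, reports whether the kernel lists tracefs or debugfs in /proc/filesystems. The optional root-prefix argument is an assumption, there only so the check can be run against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not from the thread): preflight check for the two
# kprobe_events paths named in the Auditbeat error message.
# The ROOT prefix argument is an assumption, used only to test against a
# constructed directory tree instead of the live /sys and /proc.

KPROBE_PATHS="/sys/kernel/tracing/kprobe_events /sys/kernel/debug/tracing/kprobe_events"

# fs_known NAME [ROOT]: true if the kernel lists NAME in /proc/filesystems.
fs_known() {
    grep -qw "$1" "${2:-}/proc/filesystems" 2>/dev/null
}

# check_kprobe_events [ROOT]
# Returns 0 if one path exists and is writable, 1 if a path exists but is
# not writable by the current user, 2 if neither path exists.
check_kprobe_events() {
    root="${1:-}"
    seen=0
    for p in $KPROBE_PATHS; do
        if [ ! -e "${root}${p}" ]; then
            echo "missing:      $p"
        elif [ -w "${root}${p}" ]; then
            echo "usable:       $p"
            return 0
        else
            echo "not writable: $p"
            seen=1
        fi
    done
    if [ "$seen" -eq 1 ]; then
        return 1
    fi
    # Neither file exists: report whether the kernel knows the filesystems,
    # which separates "not mounted" from "not available on this kernel".
    for fs in tracefs debugfs; do
        if fs_known "$fs" "$root"; then
            echo "$fs: supported by kernel, check that it is mounted"
        else
            echo "$fs: not listed in /proc/filesystems"
        fi
    done
    return 2
}
```

Call `check_kprobe_events` with no argument as the same user that starts Auditbeat, so the writability result matches what Auditbeat will see.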
