System/socket dataset setup failed: guess_struct_creds

Auditbeat runs flawlessly without the socket module. However, whenever I turn it on the following error shows up:

{"log.level":"info","@timestamp":"2023-09-30T20:01:20.511+0200","log.origin":{"file.name":"instance/beat.go","file.line":783},"message":"Home path: [/home/unknown/downloads/auditbeat-second/auditbeat-8.10.2-linux-x86_64] Config path: [/home/unknown/downloads/auditbeat-second/auditbeat-8.10.2-linux-x86_64] Data path: [/home/unknown/downloads/auditbeat-second/auditbeat-8.10.2-linux-x86_64/data] Logs path: [/home/unknown/downloads/auditbeat-second/auditbeat-8.10.2-linux-x86_64/logs]","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-30T20:01:20.511+0200","log.origin":{"file.name":"instance/beat.go","file.line":791},"message":"Beat ID: cb6c104d-ba71-4da6-bfee-fa0764306b39","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-30T20:01:20.615+0200","log.logger":"seccomp","log.origin":{"file.name":"seccomp/seccomp.go","file.line":125},"message":"Syscall filter successfully installed","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-30T20:01:20.615+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1303},"message":"Beat info","service.name":"auditbeat","system_info":{"beat":{"path":{"config":"/home/unknown/downloads/auditbeat-second/auditbeat-8.10.2-linux-x86_64","data":"/home/unknown/downloads/auditbeat-second/auditbeat-8.10.2-linux-x86_64/data","home":"/home/unknown/downloads/auditbeat-second/auditbeat-8.10.2-linux-x86_64","logs":"/home/unknown/downloads/auditbeat-second/auditbeat-8.10.2-linux-x86_64/logs"},"type":"auditbeat","uuid":"cb6c104d-ba71-4da6-bfee-fa0764306b39"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-09-30T20:01:20.616+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1312},"message":"Build info","service.name":"auditbeat","system_info":{"build":{"commit":"480bccf4f0423099bb2c0e672a44c54ecd7a805e","libbeat":"8.10.2","time":"2023-09-18T18:06:05.000Z","version":"8.10.2"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-09-30T20:01:20.616+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1315},"message":"Go runtime info","service.name":"auditbeat","system_info":{"go":{"os":"linux","arch":"amd64","max_procs":16,"version":"go1.20.7"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-09-30T20:01:20.617+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1321},"message":"Host info","service.name":"auditbeat","system_info":{"host":{"architecture":"x86_64","boot_time":"2023-09-30T10:27:12+02:00","containerized":false,"name":"arch","ip":["I deleted this one ay"],"kernel_version":"6.4.12-arch1-1","mac":["I deleted this line one ay"],"os":{"type":"linux","family":"arch","platform":"arch","name":"Arch Linux","version":"rolling","major":0,"minor":0,"patch":0,"build":"rolling"},"timezone":"CEST","timezone_offset_sec":7200,"id":"1a8471ac8d064bd3955c560dd4ce9ae3"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-09-30T20:01:20.617+0200","log.logger":"beat","log.origin":{"file.name":"instance/beat.go","file.line":1350},"message":"Process info","service.name":"auditbeat","system_info":{"process":{"capabilities":{"inheritable":["wake_alarm"],"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","perfmon","bpf","checkpoint_restore"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","perfmon","bpf","checkpoint_restore"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","perfmon","bpf","checkpoint_restore"],"ambient":null},"cwd":"/home/unknown/downloads/auditbeat-second/auditbeat-8.10.2-linux-x86_64","exe":"/home/unknown/downloads/auditbeat-second/auditbeat-8.10.2-linux-x86_64/auditbeat","name":"auditbeat","pid":37831,"ppid":37745,"seccomp":{"mode":"filter","no_new_privs":true},"start_time":"2023-09-30T20:01:19.540+0200"},"ecs.version":"1.6.0"}}
{"log.level":"info","@timestamp":"2023-09-30T20:01:20.617+0200","log.origin":{"file.name":"instance/beat.go","file.line":329},"message":"Setup Beat: auditbeat; Version: 8.10.2","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-30T20:01:23.609+0200","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/add_cloud_metadata.go","file.line":100},"message":"add_cloud_metadata: hosting provider type not detected.","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-09-30T20:01:25.610+0200","log.logger":"add_cloud_metadata","log.origin":{"file.name":"add_cloud_metadata/provider_aws_ec2.go","file.line":91},"message":"error fetching EC2 Identity Document: operation error ec2imds: GetInstanceIdentityDocument, canceled, context deadline exceeded.","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-09-30T20:01:30.621+0200","log.logger":"cfgwarn","log.origin":{"file.name":"tlscommon/config.go","file.line":102},"message":"DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-30T20:01:30.621+0200","log.logger":"esclientleg","log.origin":{"file.name":"eslegclient/connection.go","file.line":108},"message":"elasticsearch url: https://local-hemisphere:9200","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-30T20:01:30.621+0200","log.logger":"publisher","log.origin":{"file.name":"pipeline/module.go","file.line":105},"message":"Beat name: arch","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-30T20:01:30.622+0200","log.logger":"auditd","log.origin":{"file.name":"auditd/audit_linux.go","file.line":107},"message":"auditd module is running as euid=0 on kernel=6.4.12-arch1-1","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-30T20:01:30.622+0200","log.logger":"auditd","log.origin":{"file.name":"auditd/audit_linux.go","file.line":134},"message":"socket_type=unicast will be used.","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-09-30T20:01:30.624+0200","log.logger":"cfgwarn","log.origin":{"file.name":"host/host.go","file.line":202},"message":"BETA: The system/host dataset is beta","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-09-30T20:01:30.630+0200","log.logger":"cfgwarn","log.origin":{"file.name":"login/login.go","file.line":93},"message":"BETA: The system/login dataset is beta","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-09-30T20:01:30.634+0200","log.logger":"cfgwarn","log.origin":{"file.name":"process/process.go","file.line":146},"message":"BETA: The system/process dataset is beta","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-09-30T20:01:30.639+0200","log.logger":"cfgwarn","log.origin":{"file.name":"socket/socket_linux.go","file.line":126},"message":"BETA: The system/socket dataset is beta.","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-30T20:01:30.669+0200","log.logger":"socket","log.origin":{"file.name":"socket/socket_linux.go","file.line":283},"message":"Setting up system/socket for kernel 6.4.12-arch1-1","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-30T20:01:30.975+0200","log.logger":"socket","log.origin":{"file.name":"guess/guess.go","file.line":258},"message":"Running 17 guesses ...","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2023-09-30T20:01:46.092+0200","log.logger":"cfgwarn","log.origin":{"file.name":"user/user.go","file.line":231},"message":"BETA: The system/user dataset is beta","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2023-09-30T20:01:46.100+0200","log.origin":{"file.name":"instance/beat.go","file.line":471},"message":"auditbeat stopped.","service.name":"auditbeat","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2023-09-30T20:01:46.100+0200","log.origin":{"file.name":"instance/beat.go","file.line":1278},"message":"Exiting: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_struct_creds failed: timeout while waiting for event","service.name":"auditbeat","ecs.version":"1.6.0"}
Exiting: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_struct_creds failed: timeout while waiting for event

Config in question:

###################### Auditbeat Configuration Example #########################

# This is an example configuration file highlighting only the most common
# options. The auditbeat.reference.yml file from the same directory contains all
# the supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/auditbeat/index.html

# =========================== Modules configuration ============================
auditbeat.modules:

- module: auditd
  audit_rules: |
    -a always,exit -F arch=b64 -S bind,listen -k listen-ports
    -a always,exit -F arch=b32 -S bind,listen -k listen-ports
    -a always,exit -F arch=b64 -S execve -k command-execution
    -a always,exit -F arch=b32 -S execve -k command-execution

- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /usr/local/bin
  - /sbin
  - /usr/sbin
  - /usr/local/sbin

- module: system
  socket.enable_ipv6: false
  datasets:
    - host    # General host information, e.g. uptime, IPs
    - login 
    - package
    - process # Started and stopped processes
    - socket 
    - user

  state.period: 12h

setup.template.settings:
  index.number_of_shards: 1

setup.kibana:
  host: "kibana:5601"

output.elasticsearch:
  hosts: ["elasticsearch:9200"]

  protocol: "https"

  username: "user"
  password: "deleted"

  ssl.ca_trusted_fingerprint: "deleted"

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~

I'm running it natively on an Arch Linux machine.

I have also tried using an earlier version of Auditbeat (8.10.1 specifically). Nothing changed. Any help would be highly appreciated. Thank you.

Anybody?

I've got the same issue for kernel versions >6.1.
Older kernel versions work for me.
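
A triage helper for the startup log shown in the first post, added here as an example (it is not from the posters or from Auditbeat itself): it reads the JSON log lines, skips plain-text lines such as the final `Exiting:` copy, and reports the kernel, the dataset and guess that failed, the reason, and the time between socket setup and the failure. The sample lines are constructed by trimming fields from that log; `triage`, `parse_ts` and the result keys are illustrative names.

```python
import json
import re
from datetime import datetime

# Constructed sample: lines trimmed from the startup log in the first post,
# ending with the plain-text copy of the error that is printed after the JSON.
SAMPLE_LOG = "\n".join([
    '{"log.level":"info","@timestamp":"2023-09-30T20:01:30.669+0200","log.logger":"socket","message":"Setting up system/socket for kernel 6.4.12-arch1-1"}',
    '{"log.level":"info","@timestamp":"2023-09-30T20:01:30.975+0200","log.logger":"socket","message":"Running 17 guesses ..."}',
    '{"log.level":"error","@timestamp":"2023-09-30T20:01:46.100+0200","message":"Exiting: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_struct_creds failed: timeout while waiting for event"}',
    'Exiting: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_struct_creds failed: timeout while waiting for event',
])

KERNEL_RE = re.compile(r"Setting up system/socket for kernel (\S+)")
FAILED_RE = re.compile(r"(\S+) dataset setup failed: .*?(guess_\w+) failed: (.+)$")

def parse_ts(value):
    """Parse the '@timestamp' layout seen in the log, e.g. 2023-09-30T20:01:30.669+0200."""
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")
    except (TypeError, ValueError):
        return None

def triage(log_text):
    """Summarise a dataset setup failure from an Auditbeat startup log."""
    result = {"kernel": None, "dataset": None, "guess": None,
              "reason": None, "elapsed_s": None}
    setup_started = None
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except ValueError:
            continue  # plain-text line, not a JSON log event
        if not isinstance(event, dict):
            continue
        message = str(event.get("message", ""))
        ts = parse_ts(event.get("@timestamp"))
        kernel = KERNEL_RE.search(message)
        if kernel:
            result["kernel"] = kernel.group(1)
            setup_started = ts
        failed = FAILED_RE.search(message)
        if failed and event.get("log.level") == "error":
            result["dataset"], result["guess"], result["reason"] = failed.groups()
            if setup_started and ts:
                delta = ts - setup_started
                result["elapsed_s"] = round(delta.total_seconds(), 3)
    return result

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Collecting this summary from several hosts makes it easy to line up failing and working kernel versions when reporting the problem.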