System/socket dataset setup failed

Testing auditbeat-7.5.0-1-x86_64 on SLES 12 SP4. When the socket dataset is enabled under module system, auditbeat restarts. I checked the release note which says ipv6.disable=1 is taken care of.

Any suggestion?

auditbeat[20739]: 2019-12-04T12:13:18.733-0500#011WARN#011[cfgwarn]#011socket/socket_linux.go:87#011BETA: The system/socket dataset is beta.
auditbeat[20739]: 2019-12-04T12:13:18.765-0500#011INFO#011[socket]#011socket/socket_linux.go:223#011Setting up system/socket for kernel 4.12.14-94.41-default
auditbeat[20739]: 2019-12-04T12:13:18.877-0500#011INFO#011[socket]#011guess/guess.go:258#011Running 16 guesses ...
auditbeat[20739]: 2019-12-04T12:13:21.720-0500#011INFO#011add_cloud_metadata/add_cloud_metadata.go:89#011add_cloud_metadata: hosting provider type not detected.
auditbeat[20739]: 2019-12-04T12:13:34.068-0500#011INFO#011instance/beat.go:402#011auditbeat stopped.
auditbeat[20739]: 2019-12-04T12:13:34.069-0500#011ERROR#011instance/beat.go:916#011Exiting: 1 error: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_sk_buff_proto failed: timeout while waiting for event
auditbeat[20739]: Exiting: 1 error: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_sk_buff_proto failed: timeout while waiting for event
systemd[1]: auditbeat.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: auditbeat.service: Unit entered failed state.
systemd[1]: auditbeat.service: Failed with result 'exit-code'.
systemd[1]: auditbeat.service: Service RestartSec=100ms expired, scheduling restart.
systemd[1]: Stopped Audit the activities of users and processes on your system..
systemd[1]: Started Audit the activities of users and processes on your system..

Hi,

It worked for me for SLES12 sp4 (4.12.14-95.32-default). Both in default configuration and with ipv6.disable=1.

Can you share your debug logs (run auditbeat with -d '*'), and share more information about the machine configuration (if you've disabled ipv6, how, etc)?

Sorry about the delay. We rebuilt the testing env and started using SSL. We don't notice this anymore. I'll be sure to repost with more info if we encounter the same issue again. Thanks.
