System/socket dataset setup failed

Willl · December 4, 2019, 5:21pm

Testing auditbeat-7.5.0-1-x86_64 on SLES 12 SP4. When the socket dataset is enabled under module system, auditbeat restarts. I checked the release note which says ipv6.disable=1 is taken care of.

Any suggestion?

Blockquote auditbeat[20739]: 2019-12-04T12:13:18.733-0500#011WARN#011[cfgwarn]#011socket/socket_linux.go:87#011BETA: The system/socket dataset is beta.
auditbeat[20739]: 2019-12-04T12:13:18.765-0500#011INFO#011[socket]#011socket/socket_linux.go:223#011Setting up system/socket for kernel 4.12.14-94.41-default
auditbeat[20739]: 2019-12-04T12:13:18.877-0500#011INFO#011[socket]#011guess/guess.go:258#011Running 16 guesses ...
auditbeat[20739]: 2019-12-04T12:13:21.720-0500#011INFO#011add_cloud_metadata/add_cloud_metadata.go:89#011add_cloud_metadata: hosting provider type not detected.
auditbeat[20739]: 2019-12-04T12:13:34.068-0500#011INFO#011instance/beat.go:402#011auditbeat stopped.
auditbeat[20739]: 2019-12-04T12:13:34.069-0500#011ERROR#011instance/beat.go:916#011Exiting: 1 error: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_sk_buff_proto failed: timeout while waiting for event
auditbeat[20739]: Exiting: 1 error: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_sk_buff_proto failed: timeout while waiting for event
systemd[1]: auditbeat.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: auditbeat.service: Unit entered failed state.
systemd[1]: auditbeat.service: Failed with result 'exit-code'.
systemd[1]: auditbeat.service: Service RestartSec=100ms expired, scheduling restart.
systemd[1]: Stopped Audit the activities of users and processes on your system..
systemd[1]: Started Audit the activities of users and processes on your system..

adrisr · December 12, 2019, 12:37pm

Hi,

It worked for me for SLES12 sp4 (4.12.14-95.32-default). Both in default configuration and with ipv6.disable=1.

Can you share your debug logs (run auditbeat with -d '*'), and share more information about the machine configuration (if you're disabled ipv6, how, etc)?

Willl · December 18, 2019, 6:22pm

sorry about the delay. We rebuild the testing env and start using ssl. We don't notice this anymore. I'll sure repost with more info if we encounter the same issue again. Thanks.

system · January 8, 2020, 6:22pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
System/socket module stops auditbeat 7.4 from starting (ipv6 detection) Beats auditbeat	10	1790	October 30, 2019
Error: system/socket dataset setup failed Beats auditbeat	1	442	May 9, 2023
Auditbeat: system/socket dataset setup failed - guess_inet_sock failed: timeout while waiting Beats auditbeat	1	217	December 21, 2023
System/socket dataset setup failed: guess_struct_creds Beats auditbeat	3	478	November 16, 2023
Can't seem to use socket dataset on rocky linux Beats auditbeat	8	998	March 30, 2022

System/socket dataset setup failed

Related topics