With the update to 7.4 some of my auditbeats no longer start (for me, the ones running on DigitalOcean).
The error is:
ERROR instance/beat.go:878 Exiting: 1 error: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_sockaddr_in6 failed: timeout while waiting for trigger to complete
When I disable ipv6 (socket.enable_ipv6: false) it starts again.
I guess this is probably a bug with the new Linux KProbes implementation in 7.4.
Anyone else seeing this?
andrewkroh (Andrew Kroh), October 1, 2019, 7:30pm
What's the operating system and version?
I have a similar issue on Ubuntu 18.04 LTS:
Exiting: 1 error: 1 error: system/socket dataset setup failed: error detecting IPv6 support: ipv6 socket failed: address family not supported by protocol
jaysee (John Cavacas), October 2, 2019, 2:09pm
Same issue, just upgraded to 7.4 and it seems to be happening to the hosts where I do have ipv6 enabled in the OS.
Ubuntu 18.04 LTS
Adding socket.enable_ipv6: false to auditbeat.yml does seem to fix it.
Same issue here on latest CentOS 7. We have a dual-stack (IPv4 and IPv6) environment.
cat /etc/centos-release
CentOS Linux release 7.7.1908 (Core)
uname -a
Linux HOSTNAME-OMITTED 3.10.0-1062.1.1.el7.x86_64 #1 SMP Fri Sep 13 22:55:44 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
rpm -qa | grep auditbeat
auditbeat-7.4.0-1.x86_64
The current workaround is to disable the socket.enable_ipv6 option in the auditbeat config:
- module: system
  socket.enable_ipv6: false
adrisr (Adrian Serrano), October 7, 2019, 9:33pm
I've attempted to reproduce the problem without any luck. Tried:
Ubuntu 18.04 running in DigitalOcean (4.15.0-58-generic)
CentOS 7.7 (3.10.0-1062.1.1.el7.x86_64)
Also created the following issue to track the problem:
Please include configurations and logs if available.
For confirmed bugs, please report:
Version: 7.4.0
Operating System: Ubuntu 18.04 LTS / CentOS 7.7
Discuss Forum URL:...
Labels: Auditbeat, Team:SIEM, bug, help wanted
Can you please help me figure out this issue so I can fix it? @stephan13360 @danielsnelling @jaysee @elastic22
If possible provide the following information, here, or via private message or in the GitHub issue:
Debug log of auditbeat with default ipv6 configuration. auditbeat run -e -d '*'
Output of ip -6 a
Output of ip -6 a add fd12:3456::1111 dev lo
Output of sysctl -a | grep ipv6
Thanks!
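An added example, not part of the thread and not Auditbeat's own detection code: a Python probe that separates two host states reported in this thread, no IPv6 stack at all (the "address family not supported by protocol" error) versus IPv6 switched off by sysctl. The function names and the mapping of those states to the socket.enable_ipv6: false workaround are assumptions; it does not diagnose the guess_sockaddr_in6 timeout on hosts where IPv6 is enabled.

```python
# Assumption: illustrative host check, not the logic Auditbeat itself uses.
import errno
import os
import socket

CONF_DIR = "/proc/sys/net/ipv6/conf"  # Linux per-interface IPv6 sysctls

def probe_socket():
    """Try to open an AF_INET6 socket; return None on success, else the errno name."""
    try:
        socket.socket(socket.AF_INET6, socket.SOCK_STREAM).close()
        return None
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))

def read_disable_flags(conf_dir=CONF_DIR):
    """Map interface name -> disable_ipv6 value (0 or 1); empty if the tree is absent."""
    flags = {}
    if not os.path.isdir(conf_dir):
        return flags
    for iface in sorted(os.listdir(conf_dir)):
        path = os.path.join(conf_dir, iface, "disable_ipv6")
        try:
            with open(path) as fh:
                flags[iface] = int(fh.read().strip())
        except (OSError, ValueError):
            continue  # unreadable entry: skip rather than guess
    return flags

def assess(sock_error, flags):
    """Classify the host's IPv6 state from the two probes above."""
    if sock_error == "EAFNOSUPPORT":
        return "unsupported"   # "address family not supported by protocol"
    if sock_error is not None:
        return "error:" + sock_error
    if flags and all(v == 1 for v in flags.values()):
        return "disabled"      # stack loaded, but switched off by sysctl
    if any(v == 1 for v in flags.values()):
        return "partial"       # off on some interfaces only
    return "enabled"

def needs_workaround(state):
    """True when the thread's socket.enable_ipv6: false workaround fits the state."""
    return state in ("unsupported", "disabled")

if __name__ == "__main__":
    state = assess(probe_socket(), read_disable_flags())
    print("IPv6 state:", state)
    print("set socket.enable_ipv6: false:", needs_workaround(state))
```

Run it on the affected host next to the ip -6 a and sysctl output requested above; a "partial" or "enabled" result with a failing Auditbeat points at the kprobe guessing path rather than at host configuration.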
@adrisr I've added info to the GitHub issue.
Points to note for my particular problem are:
Azure Ubuntu image
Kernel version 5
IPv6 disabled
CIS hardened OS
mirketto82 (Mirko Salerno), October 9, 2019, 9:03am
The same issue with Oracle Linux 7.
adrisr (Adrian Serrano), October 9, 2019, 3:01pm
@mirketto82 Can you test with the packages shared in the GitHub issue above?