System/socket module stops auditbeat 7.4 from starting (ipv6 detection)

stephan13360 · October 1, 2019, 6:15pm

With the update to 7.4 some of my auditbeats now longer start. (for me the ones running on digitalocean).

The error is:

ERROR instance/beat.go:878 Exiting: 1 error: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_sockaddr_in6 failed: timeout while waiting for trigger to complete

When I disable ipv6 (socket.enable_ipv6: false) it starts again.

I guess this is probably a bug with the new Linux KProbes implementation in 7.4.

Anyone else seeing this?

andrewkroh · October 1, 2019, 7:30pm

What's the operating system and version?

danielsnelling · October 2, 2019, 6:32am

I have a similar issue on Ubuntu 18.04 LTS:

Exiting: 1 error: 1 error: system/socket dataset setup failed: error detecting IPv6 support: ipv6 socket failed: address family not supported by protocol

jaysee · October 2, 2019, 2:09pm

Same issue, just upgrade to 7.4 and seems to be happening to the hosts where I do have ipv6 enabled in the OS.

Ubuntu 18.04 LTS

adding socket.enable_ipv6: false to auditbeat.yml does seem to fix it.

stephan13360 · October 5, 2019, 10:00pm

Ubuntu 18.04

elastic22 · October 7, 2019, 7:14am

Same issue here on latest CentOS 7. We have a dual-stack (IPv4 and IPv6) environment.

cat /etc/centos-release
CentOS Linux release 7.7.1908 (Core)

uname -a
Linux HOSTNAME-OMITTED 3.10.0-1062.1.1.el7.x86_64 #1 SMP Fri Sep 13 22:55:44 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

rpm -qa | grep auditbeat
auditbeat-7.4.0-1.x86_64

Workaround currently is to disable socket.enable_ipv6 option in the auditbeat config:

- module: system
  socket.enable_ipv6: false

adrisr · October 7, 2019, 9:33pm

I've attempted to reproduce the problem without any luck. Tried:

Ubuntu 18.04 running in DigitalOcean (4.15.0-58-generic)
CentOS 7.7 (3.10.0-1062.1.1.el7.x86_64)

Also created the following issue to track the problem:

Can you please help me figure out this issue so I can fix it? @stephan13360 @danielsnelling @jaysee @elastic22

If possible provide the following information, here, or via private message or in the GitHub issue:

Debug log of auditbeat with default ipv6 configuration. auditbeat run -e -d '*'
Output of ip -6 a
Output of ip -6 a add fd12:3456::1111 dev lo
Output of sysctl -a | grep ipv6

Thanks!

danielsnelling · October 7, 2019, 9:58pm

@adrisr I've added info to the GitHub issue.

Points to note for my particular problem are:

Azure Ubuntu image
Kernel version 5
IPv6 disabled
CIS hardened OS

mirketto82 · October 9, 2019, 9:03am

the same issue with Oracle Linux 7

adrisr · October 9, 2019, 3:01pm

@mirketto82 Can you test with the packages shared in the github issue above?

system · October 30, 2019, 3:01pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.