System/socket module stops auditbeat 7.4 from starting (ipv6 detection)

With the update to 7.4 some of my auditbeats no longer start (for me, the ones running on DigitalOcean).

The error is:

ERROR instance/beat.go:878 Exiting: 1 error: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_sockaddr_in6 failed: timeout while waiting for trigger to complete

When I disable ipv6 (socket.enable_ipv6: false) it starts again.

I guess this is probably a bug with the new Linux KProbes implementation in 7.4.

Anyone else seeing this?

What's the operating system and version?

I have a similar issue on Ubuntu 18.04 LTS:

Exiting: 1 error: 1 error: system/socket dataset setup failed: error detecting IPv6 support: ipv6 socket failed: address family not supported by protocol

Same issue, just upgraded to 7.4 and it seems to be happening to the hosts where I do have IPv6 enabled in the OS.

Ubuntu 18.04 LTS

Adding socket.enable_ipv6: false to auditbeat.yml does seem to fix it.

Ubuntu 18.04

Same issue here on latest CentOS 7. We have a dual-stack (IPv4 and IPv6) environment.

cat /etc/centos-release
CentOS Linux release 7.7.1908 (Core)

uname -a
Linux HOSTNAME-OMITTED 3.10.0-1062.1.1.el7.x86_64 #1 SMP Fri Sep 13 22:55:44 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

rpm -qa | grep auditbeat
auditbeat-7.4.0-1.x86_64

The workaround currently is to disable the socket.enable_ipv6 option in the auditbeat config:

- module: system
  socket.enable_ipv6: false

I've attempted to reproduce the problem without any luck. Tried:

Ubuntu 18.04 running in DigitalOcean (4.15.0-58-generic)
CentOS 7.7 (3.10.0-1062.1.1.el7.x86_64)

Also created the following issue to track the problem:

Can you please help me figure out this issue so I can fix it? @stephan13360 @danielsnelling @jaysee @elastic22

If possible provide the following information, here, or via private message or in the GitHub issue:

  • Debug log of auditbeat with default ipv6 configuration. auditbeat run -e -d '*'
  • Output of ip -6 a
  • Output of ip -6 a add fd12:3456::1111 dev lo
  • Output of sysctl -a | grep ipv6

Thanks!

@adrisr I've added info to the GitHub issue.

Points to note for my particular problem are:

  • Azure Ubuntu image
  • Kernel version 5
  • IPv6 disabled
  • CIS hardened OS

The same issue with Oracle Linux 7

@mirketto82 Can you test with the packages shared in the GitHub issue above?
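
The thread quotes two different system/socket setup failures: a guess_sockaddr_in6 timeout and an IPv6 detection error. The following added example, which is not code from the thread or from Auditbeat, separates them when scanning logs collected from many hosts. The function names, the timestamps and the INFO line in the sample are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample log: the two "Exiting" messages are the ones quoted in the
# thread; the timestamps and the third line are made up for this example.
SAMPLE_LOG = """\
2019-10-03T08:15:02.113Z ERROR instance/beat.go:878 Exiting: 1 error: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_sockaddr_in6 failed: timeout while waiting for trigger to complete
2019-10-03T08:15:04.871Z ERROR instance/beat.go:878 Exiting: 1 error: 1 error: system/socket dataset setup failed: error detecting IPv6 support: ipv6 socket failed: address family not supported by protocol
2019-10-03T08:15:09.002Z INFO instance/beat.go:422 auditbeat start running.
"""

SETUP_FAILED = re.compile(
    r"Exiting: .*?system/socket dataset setup failed: (?P<chain>.+)$")
GUESS_FAILED = re.compile(r"^(?P<guess>guess_\w+) failed$")


def classify(line):
    """Return a dict describing a system/socket setup failure, or None."""
    m = SETUP_FAILED.search(line)
    if not m:
        return None
    # Wrapped error chain: outermost context first, root cause last.
    chain = [part.strip() for part in m.group("chain").split(": ")]
    result = {"mode": "other", "guess": None, "cause": chain[-1]}
    if chain[0] == "error detecting IPv6 support":
        result["mode"] = "ipv6-detection"   # the IPv6 support probe itself failed
    for part in chain:
        g = GUESS_FAILED.match(part)
        if g:
            result["mode"] = "kprobe-guess"  # a named guess did not complete
            result["guess"] = g.group("guess")
    return result


def triage(log_text):
    """Count distinct (mode, guess, cause) failures across all log lines."""
    hits = [c for c in map(classify, log_text.splitlines()) if c]
    return Counter((c["mode"], c["guess"], c["cause"]) for c in hits)


if __name__ == "__main__":
    for (mode, guess, cause), n in triage(SAMPLE_LOG).items():
        print(f"{n}x {mode} guess={guess} cause={cause!r}")
```

Both modes are worked around in the thread with socket.enable_ipv6: false, but reporting which one a host hits narrows down what the maintainer needs to reproduce.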