Unable to start auditbeat daemon process

vitt-bagal · May 29, 2018, 11:59am

Able to built auditbeat on ubuntu 16.04 container & used default auditbeat.yml to start auditbeat daemon process. But unable to start it.

sudo ./auditbeat -e -c auditbeat.yml -d "publish" & command is failing with below error

Exiting: 1 error: 1 error: failed to create audit client: failed to get audit status: failed sending request: connection refuse

Anyone faced this issue before if yes please help me out.

andrewkroh · May 29, 2018, 8:23pm

So you built Auditbeat from source? There are official container images available at https://www.docker.elastic.co/. And documentation for running Auditbeat in a container at Running Auditbeat on Docker | Auditbeat Reference [6.2] | Elastic. It requires some capabilities and to be in the host's PID namespace.

docker run --cap-add=AUDIT_CONTROL,AUDIT_READ --pid=host docker.elastic.co/beats/auditbeat:6.2.4

vitt-bagal · June 1, 2018, 5:38am

Thanks... It worked.

Topic		Replies	Views
Unable to start Auditbeat on Proxmox Container Beats auditbeat	2	435	June 19, 2023
Auditbeat failed to create audit client & failed to get audit status: operation not permitted Beats auditbeat	5	2651	May 28, 2020
Exiting: 1 error: failed to create audit client: failed to get audit status: operation not permitted Beats docker , auditbeat	3	853	August 12, 2022
Unable to start auditbeat on docker Beats auditbeat	10	3593	November 4, 2022
Unable to start Auditbeat on LXC container Beats auditbeat	9	3951	November 4, 2022