Unable to start auditbeat daemon process

(Vitt Bagal) #1

I was able to build auditbeat in an Ubuntu 16.04 container and used the default auditbeat.yml to start the auditbeat daemon process, but I am unable to start it.

sudo ./auditbeat -e -c auditbeat.yml -d "publish" & command is failing with the below error:

Exiting: 1 error: 1 error: failed to create audit client: failed to get audit status: failed sending request: connection refuse

Has anyone faced this issue before? If yes, please help me out.

(Andrew Kroh) #2

So you built Auditbeat from source? There are official container images available at https://www.docker.elastic.co/. And documentation for running Auditbeat in a container at https://www.elastic.co/guide/en/beats/auditbeat/6.2/running-on-docker.html. It requires some capabilities and to be in the host's PID namespace.

docker run --cap-add=AUDIT_CONTROL,AUDIT_READ --pid=host docker.elastic.co/beats/auditbeat:6.2.4
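
A pre-flight check for the two requirements named in the reply above (the audit capabilities and the host PID namespace), as an added example that is not part of the original post or of Auditbeat. The function names are hypothetical; the capability bit numbers come from linux/capability.h, and 4026531836 is assumed to be the inode of the kernel's initial PID namespace.

```shell
#!/bin/sh
# Added example: run inside the container before starting auditbeat:
#   sh audit_preflight.sh --self

CAP_AUDIT_CONTROL=30             # bit numbers from linux/capability.h
CAP_AUDIT_READ=37
INIT_PID_NS='pid:[4026531836]'   # assumed inode of the initial PID namespace

# cap_in_mask HEXMASK BIT -> exit 0 if BIT is set in a CapEff-style hex mask
cap_in_mask() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# audit_missing HEXMASK PIDNS -> prints what is missing, empty if nothing is
audit_missing() {
    missing=""
    cap_in_mask "$1" "$CAP_AUDIT_CONTROL" || missing="$missing AUDIT_CONTROL"
    cap_in_mask "$1" "$CAP_AUDIT_READ"    || missing="$missing AUDIT_READ"
    [ "$2" = "$INIT_PID_NS" ]             || missing="$missing host-pid-namespace"
    echo "${missing# }"
}

# check_self: read the effective capability mask and PID namespace of this
# shell's children (they inherit both) and report what is missing
check_self() {
    mask=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    ns=$(readlink /proc/self/ns/pid)
    m=$(audit_missing "$mask" "$ns")
    if [ -z "$m" ]; then
        echo "ok: audit capabilities present and in host PID namespace"
    else
        echo "missing: $m"
        return 1
    fi
}

if [ "${1:-}" = "--self" ]; then check_self; fi
```

A container started without `--cap-add` and `--pid=host` should report all three items as missing; run the script as the same user that will start auditbeat.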

(Vitt Bagal) #3

Thanks... It worked.