Hi, I've been trying to deploy the official auditbeat:6.2.4 container on our CentOS 7.4 host, but I'm stuck with the following error log:
2018-05-21T03:53:08.825Z INFO instance/beat.go:468 Home path: [/usr/share/auditbeat] Config path: [/usr/share/auditbeat] Data path: [/usr/share/auditbeat/data] Logs path: [/usr/share/auditbeat/logs]
2018-05-21T03:53:08.825Z DEBUG [beat] instance/beat.go:495 Beat metadata path: /usr/share/auditbeat/data/meta.json
2018-05-21T03:53:08.825Z INFO instance/beat.go:475 Beat UUID: 0bd41a5d-0893-4d51-9ffc-1a4d1eb95fa6
2018-05-21T03:53:08.825Z INFO instance/beat.go:213 Setup Beat: auditbeat; Version: 6.2.4
2018-05-21T03:53:08.825Z DEBUG [beat] instance/beat.go:230 Initializing output plugins
2018-05-21T03:53:08.825Z DEBUG [processors] processors/processor.go:49 Processors:
2018-05-21T03:53:08.825Z INFO elasticsearch/client.go:145 Elasticsearch url: http://10.4.95.242:9200
2018-05-21T03:53:08.826Z INFO pipeline/module.go:76 Beat name: 84e65b21e37f
2018-05-21T03:53:08.826Z DEBUG [modules] beater/metricbeat.go:80 Register [ModuleFactory:, MetricSetFactory:[auditd/auditd, file_integrity/file]]
2018-05-21T03:53:08.826Z DEBUG [processors] processors/processor.go:49 Processors:
2018-05-21T03:53:08.826Z INFO [auditd] auditd/audit_linux.go:65 auditd module is running as euid=0 on kernel=3.10.0-693.el7.x86_64
2018-05-21T03:53:08.826Z ERROR instance/beat.go:667 Exiting: 1 error: 1 error: failed to create audit client: failed to get audit status: failed sending request: connection refused
Exiting: 1 error: 1 error: failed to create audit client: failed to get audit status: failed sending request: connection refused
I have disabled auditd:
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; disabled; vendor preset: enabled)
   Active: inactive (dead) since Mon 2018-05-21 13:05:56 AEST; 58min ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
 Main PID: 707 (code=exited, status=0/SUCCESS)
I've also used the following parameters to start the container, as suggested:
docker run -d --name sandbox_auditbeat --privileged --pid=host -v /tmp/auditbeat.yml:/usr/share/auditbeat/auditbeat.yml docker.elastic.co/beats/auditbeat:6.2.4
As seen from the output above, the kernel is 3.10, which means the unicast socket type is used, so it should work just fine as long as auditd is disabled; that doesn't seem to be the case here.
The auditbeat.yml:
auditbeat.modules:
- module: auditd
  audit_rules: |
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
  fields:
    tenant: abc

setup.kibana:
  host: "10.4.95.244:5601"

output.elasticsearch:
  hosts: ["10.4.95.242:9200"]
  username: "elastic"
  password: "changeme"

logging.level: debug
What else could I've missed here?
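The error in the post comes from the very first thing Auditbeat's auditd module does: open a NETLINK_AUDIT socket and send an AUDIT_GET request to read the kernel's audit status. The following probe is an added example (not code from the post or from the Auditbeat project) that performs that same exchange directly, so a "connection refused" can be pinned to the socket() call, the send, or the kernel's reply, and compared between the host and the inside of the container (for example via docker exec). The constants are taken from the kernel's linux/netlink.h and linux/audit.h; the two sample datagrams at the bottom are constructed, not captured from a real host, and exist only so the parser can be exercised offline. It is Linux-only and needs root (CAP_AUDIT_CONTROL) to get a real answer.

```python
"""Probe the kernel audit netlink socket with an AUDIT_GET ("get audit status")
request, the same request Auditbeat's auditd module sends first."""
import errno
import socket
import struct

# From <linux/netlink.h> and <linux/audit.h>.
NETLINK_AUDIT = 9
NLMSG_ERROR = 0x2
NLM_F_REQUEST = 0x01
NLM_F_ACK = 0x04
AUDIT_GET = 1000
NLMSG_HDRLEN = 16  # struct nlmsghdr: u32 len, u16 type, u16 flags, u32 seq, u32 pid


def build_audit_get(seq=1):
    """Header-only request asking the kernel for its struct audit_status."""
    return struct.pack("IHHII", NLMSG_HDRLEN, AUDIT_GET, NLM_F_REQUEST | NLM_F_ACK, seq, 0)


def parse_nlmsghdr(data):
    """Return (len, type, flags, seq, pid) from the netlink header at the start of data."""
    return struct.unpack("IHHII", data[:NLMSG_HDRLEN])


def make_reply(msg_type, payload, seq=1):
    """Frame a payload the way the kernel does (nlmsghdr + payload); used for samples."""
    return struct.pack("IHHII", NLMSG_HDRLEN + len(payload), msg_type, 0, seq, 0) + payload


def parse_reply(data):
    """Classify one datagram from the kernel.

    Returns ("status", dict) for an AUDIT_GET reply, ("ack", 0) for a clean
    NLMSG_ERROR ack, ("error", errno_name) for a negative ack, else ("other", type).
    """
    _, msg_type, _, _, _ = parse_nlmsghdr(data)
    payload = data[NLMSG_HDRLEN:]
    if msg_type == NLMSG_ERROR:
        err = struct.unpack("i", payload[:4])[0]  # nlmsgerr.error is a negative errno
        if err == 0:
            return ("ack", 0)
        return ("error", errno.errorcode.get(-err, str(-err)))
    if msg_type == AUDIT_GET:
        # Leading fields of struct audit_status (present on 3.10 and later kernels).
        names = ("mask", "enabled", "failure", "pid", "rate_limit", "backlog_limit", "lost", "backlog")
        return ("status", dict(zip(names, struct.unpack("8I", payload[:32]))))
    return ("other", msg_type)


def probe(timeout=2.0):
    """Run the AUDIT_GET exchange and return a one-line diagnosis (never raises)."""
    if not hasattr(socket, "AF_NETLINK"):
        return "no AF_NETLINK: not a Linux host"
    try:
        sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_AUDIT)
    except OSError as e:
        return "socket(NETLINK_AUDIT) failed: %s" % errno.errorcode.get(e.errno, e.errno)
    with sock:
        sock.settimeout(timeout)
        try:
            sock.bind((0, 0))                       # kernel assigns our port id
            sock.sendto(build_audit_get(), (0, 0))  # nl_pid 0 addresses the kernel
        except OSError as e:
            # On netlink, ECONNREFUSED from a send means no kernel socket for this
            # protocol is registered in the sender's network namespace; EPERM means
            # the caller lacks the capability the kernel checks for this request.
            return "send AUDIT_GET failed: %s" % errno.errorcode.get(e.errno, e.errno)
        seen = []
        for _ in range(2):  # the status reply and the ack may arrive in either order
            try:
                seen.append(parse_reply(sock.recv(8192)))
            except OSError as e:  # socket.timeout is an OSError subclass
                seen.append(("recv failed", str(e)))
                break
    for kind, value in seen:
        if kind == "status":
            return "audit reachable: enabled=%(enabled)d pid=%(pid)d lost=%(lost)d backlog=%(backlog)d" % value
        if kind == "error":
            return "kernel rejected AUDIT_GET: %s" % value
    return "no status reply: %r" % (seen,)


# Constructed samples (not captured): a status reply saying audit is enabled with
# auditd pid 707 and backlog_limit 320, and a negative ack carrying -EPERM.
SAMPLE_STATUS_REPLY = make_reply(AUDIT_GET, struct.pack("8I", 0, 1, 1, 707, 0, 320, 0, 0))
SAMPLE_EPERM_ACK = make_reply(NLMSG_ERROR, struct.pack("i", -errno.EPERM))

if __name__ == "__main__":
    print(probe())
```

Run it once on the host and once inside the container started with the same docker run flags; if the host reports "audit reachable" with pid=0 (auditd stopped) while the container fails at the send step, the problem lies in how the container reaches the kernel's audit socket rather than in the Auditbeat configuration.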