Closed adriansr closed 4 years ago
Pinging @elastic/siem (Team:SIEM)
Version: 7.4.0
Operating System: Ubuntu 18.04 LTS using stock Azure image (updated to latest - 5.0.0-1020-azure)
Discuss Forum URL: https://discuss.elastic.co/t/system-socket-module-stops-auditbeat-7-4-from-starting-ipv6-detection/201852/5
Steps to Reproduce: In auditbeat.yml config, under the system module, enable the socket dataset.
Note: Under the system module I have also added 'socket.enable_ipv6: false' to no effect
Error:
Oct 08 08:48:32 xxxxxxxx auditbeat[74319]: 2019-10-08T08:48:32.759+1100 WARN [cfgwarn] socket/socket_linux.go:81 BETA: The system/socket dataset is beta.
Oct 08 08:48:32 xxxxxxxx auditbeat[74319]: 2019-10-08T08:48:32.759+1100 INFO [socket] socket/socket_linux.go:197 Setting up system/socket for kernel 5.0.0-1020-azure
Oct 08 08:48:32 xxxxxxxx auditbeat[74319]: 2019-10-08T08:48:32.761+1100 WARN [cfgwarn] user/user.go:205 BETA: The system/user dataset is beta
Oct 08 08:48:32 xxxxxxxx auditbeat[74319]: 2019-10-08T08:48:32.769+1100 INFO instance/beat.go:385 auditbeat stopped.
Oct 08 08:48:32 xxxxxxxx auditbeat[74319]: 2019-10-08T08:48:32.769+1100 ERROR instance/beat.go:878 Exiting: 1 error: 1 error: system/socket dataset setup failed: error detecting IPv6 support: ipv6 socket failed: address family not supported by protocol
Oct 08 08:48:32 xxxxxxxx auditbeat[74319]: Exiting: 1 error: 1 error: system/socket dataset setup failed: error detecting IPv6 support: ipv6 socket failed: address family not supported by protocol
ip -6 a
returns nothing, as IPv6 is disabled (we follow CIS hardening guidelines)
sysctl -a | grep ipv6
also returns nothing
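The failure reported above comes from treating "address family not supported by protocol" (EAFNOSUPPORT) as fatal during IPv6 detection. The following Go sketch is an added example, not code from this issue or from the Beats project; it shows a probe that reads that errno as "no IPv6" and honours an explicit `socket.enable_ipv6: false`. The names `classifySocketErr`, `parseDisableIPv6`, `probeIPv6` and `resolveIPv6` are hypothetical, and the use of `/proc/sys/net/ipv6/conf/all/disable_ipv6` to decide "enabled" is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
	"syscall"
)

// IPv6State is the outcome of probing the host's IPv6 stack.
type IPv6State struct {
	Supported bool // the kernel accepts AF_INET6 sockets
	Enabled   bool // the stack is present and not switched off via sysctl
}

// classifySocketErr maps the result of socket(AF_INET6, ...) to a decision.
// EAFNOSUPPORT is the expected answer on a host hardened with IPv6 removed
// (for example per CIS guidance), so it means "no IPv6", not "abort startup".
func classifySocketErr(err error) (supported bool, fatal error) {
	switch {
	case err == nil:
		return true, nil
	case errors.Is(err, syscall.EAFNOSUPPORT):
		return false, nil
	default:
		return false, fmt.Errorf("ipv6 socket probe failed: %w", err)
	}
}

// parseDisableIPv6 interprets the content of the disable_ipv6 sysctl file:
// "0" means IPv6 is enabled, "1" means it is disabled.
func parseDisableIPv6(content string) (enabled bool, err error) {
	switch strings.TrimSpace(content) {
	case "0":
		return true, nil
	case "1":
		return false, nil
	default:
		return false, fmt.Errorf("unexpected disable_ipv6 value %q", content)
	}
}

// probeIPv6 performs the live check (Linux paths; assumption of this example).
func probeIPv6() (IPv6State, error) {
	fd, err := syscall.Socket(syscall.AF_INET6, syscall.SOCK_DGRAM, 0)
	if err == nil {
		syscall.Close(fd)
	}
	supported, fatal := classifySocketErr(err)
	if fatal != nil || !supported {
		return IPv6State{}, fatal
	}
	raw, err := os.ReadFile("/proc/sys/net/ipv6/conf/all/disable_ipv6")
	if errors.Is(err, os.ErrNotExist) {
		// No sysctl tree: sockets work but the setting cannot be confirmed.
		return IPv6State{Supported: true}, nil
	}
	if err != nil {
		return IPv6State{Supported: true}, err
	}
	enabled, err := parseDisableIPv6(string(raw))
	return IPv6State{Supported: true, Enabled: enabled}, err
}

// resolveIPv6 combines the operator's setting with the probe.
// configured == nil means auto-detect; an explicit false skips the probe so a
// host without IPv6 can never fail dataset setup because of it.
func resolveIPv6(configured *bool, probe func() (IPv6State, error)) (bool, error) {
	if configured != nil && !*configured {
		return false, nil
	}
	state, err := probe()
	if err != nil {
		return false, err
	}
	usable := state.Supported && state.Enabled
	if configured != nil && *configured && !usable {
		return false, errors.New("IPv6 monitoring requested but the host has no usable IPv6 stack")
	}
	return usable, nil
}

func main() {
	use, err := resolveIPv6(nil, probeIPv6)
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Println("monitor IPv6 sockets:", use)
}
```
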
System: Ubuntu 18.04
auditbeat.modules:
- module: auditd
  audit_rules: |
    # Things that affect identity.
    -w /etc/group -p wa -k identity
    -w /etc/passwd -p wa -k identity
    -w /etc/gshadow -p wa -k identity
    -w /etc/shadow -p wa -k identity
    # Unauthorized access attempts to files (unsuccessful).
    -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
    -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
    -a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
    -a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
- module: file_integrity
  hash_types: [sha256]
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
- module: system
  datasets:
  - host
  - login
  - package
  - user
  period: 1m
  user.detect_password_changes: true
- module: system
  datasets:
  - process
  - socket
  period: 1s
output.elasticsearch:
  hosts: ["https://elasticsearch.domain.tld:443"]
  username: "beats"
  password: "XXXXXX"
setup.ilm:
  policy_name: "beats"
processors:
- add_host_metadata: ~
- add_cloud_metadata: ~
monitoring:
  enabled: true
logging.level: warning
logging.to_syslog: true
INFO instance/beat.go:607 Home path: [/usr/share/auditbeat] Config path: [/etc/auditbeat] Data path: [/var/lib/auditbeat] Logs path: [/var/log/auditbeat]
DEBUG [beat] instance/beat.go:659 Beat metadata path: /var/lib/auditbeat/meta.json
INFO instance/beat.go:615 Beat ID: afa2df26-38eb-4571-82da-9e4758f51031
DEBUG [filters] add_cloud_metadata/providers.go:126 add_cloud_metadata: starting to fetch metadata, timeout=3s
DEBUG [filters] add_cloud_metadata/providers.go:162 add_cloud_metadata: received disposition for az after 7.285395ms. result=[provider:az, error=failed with http status code 404, metadata={}]
DEBUG [filters] add_cloud_metadata/providers.go:162 add_cloud_metadata: received disposition for openstack after 7.499822ms. result=[provider:openstack, error=failed with http status code 404, metadata={}]
DEBUG [filters] add_cloud_metadata/providers.go:162 add_cloud_metadata: received disposition for aws after 7.662903ms. result=[provider:aws, error=failed with http status code 404, metadata={}]
DEBUG [filters] add_cloud_metadata/providers.go:162 add_cloud_metadata: received disposition for gcp after 7.725518ms. result=[provider:gcp, error=failed with http status code 404, metadata={}]
DEBUG [filters] add_cloud_metadata/providers.go:162 add_cloud_metadata: received disposition for digitalocean after 26.59954ms. result=[provider:digitalocean, error=<nil>, metadata={"instance":{"id":"137391861"},"provider":"digitalocean","region":"fra1"}]
DEBUG [filters] add_cloud_metadata/providers.go:129 add_cloud_metadata: fetchMetadata ran for 26.755622ms
INFO add_cloud_metadata/add_cloud_metadata.go:91 add_cloud_metadata: hosting provider type detected as digitalocean, metadata={"instance":{"id":"137391861"},"provider":"digitalocean","region":"fra1"}
DEBUG [processors] processors/processor.go:101 Generated new processors: add_host_metadata=[netinfo.enabled=[false], cache.ttl=[5m0s]], add_cloud_metadata={"instance":{"id":"137391861"},"provider":"digitalocean","region":"fra1"}
DEBUG [seccomp] seccomp/seccomp.go:117 Loading syscall filter {"seccomp_filter": {"no_new_privs":true,"flag":"tsync","policy":{"default_action":"errno","syscalls":[{"names":["accept","accept4","access","arch_prctl","bind","brk","clock_gettime","clone","close","connect","dup","dup2","epoll_create","epoll_create1","epoll_ctl","epoll_pwait","epoll_wait","exit","exit_group","fchdir","fchmod","fchown","fcntl","fdatasync","flock","fstat","fstatfs","fsync","ftruncate","futex","getcwd","getdents","getdents64","geteuid","getgid","getpeername","getpid","getppid","getrandom","getrlimit","getrusage","getsockname","getsockopt","gettid","gettimeofday","getuid","inotify_add_watch","inotify_init1","inotify_rm_watch","ioctl","kill","listen","lseek","lstat","madvise","mincore","mkdirat","mmap","mprotect","munmap","nanosleep","newfstatat","open","openat","pipe","pipe2","poll","ppoll","pread64","pselect6","pwrite64","read","readlink","readlinkat","recvfrom","recvmmsg","recvmsg","rename","renameat","rt_sigaction","rt_sigprocmask","rt_sigreturn","sched_getaffinity","sched_yield","sendfile","sendmmsg","sendmsg","sendto","set_robust_list","setitimer","setsockopt","shutdown","sigaltstack","socket","splice","stat","statfs","sysinfo","tgkill","time","tkill","uname","unlink","unlinkat","wait4","waitid","write","writev","umask","mremap","perf_event_open","eventfd2","mount","umount2"],"action":"allow"}]}}}
INFO [seccomp] seccomp/seccomp.go:124 Syscall filter successfully installed
INFO [beat] instance/beat.go:903 Beat info {"system_info": {"beat": {"path": {"config": "/etc/auditbeat", "data": "/var/lib/auditbeat", "home": "/usr/share/auditbeat", "logs": "/var/log/auditbeat"}, "type": "auditbeat", "uuid": "afa2df26-38eb-4571-82da-9e4758f51031"}}}
INFO [beat] instance/beat.go:912 Build info {"system_info": {"build": {"commit": "f940c36884d3749901a9c99bea5463a6030cdd9c", "libbeat": "7.4.0", "time": "2019-09-27T07:42:54.000Z", "version": "7.4.0"}}}
INFO [beat] instance/beat.go:915 Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":1,"version":"go1.12.9"}}}
INFO [beat] instance/beat.go:919 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-10-01T19:14:26+02:00","containerized":false,"name":"root","ip":["127.0.0.1/8","::1/128","157.230.121.52/20","10.19.0.6/16","2a03:b0c0:3:e0::54:d001/64","fe80::4e8:54ff:fe4d:9427/64","10.10.10.1/24"],"kernel_version":"4.15.0-65-generic","mac":["06:e8:54:4d:94:27"],"os":{"family":"debian","platform":"ubuntu","name":"Ubuntu","version":"18.04.3 LTS (Bionic Beaver)","major":18,"minor":4,"patch":3,"codename":"bionic"},"timezone":"CEST","timezone_offset_sec":7200,"id":"434477ac15fa492da53d0a1effd2ba74"}}}
INFO [beat] instance/beat.go:948 Process info {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"ambient":null}, "cwd": "/root", "exe": "/usr/share/auditbeat/bin/auditbeat", "name": "auditbeat", "pid": 5211, "ppid": 4986, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2019-10-07T23:53:13.540+0200"}}}
INFO instance/beat.go:292 Setup Beat: auditbeat; Version: 7.4.0
DEBUG [beat] instance/beat.go:318 Initializing output plugins
INFO [index-management] idxmgmt/std.go:178 Set output.elasticsearch.index to 'auditbeat-7.4.0' as ILM is enabled.
INFO elasticsearch/client.go:170 Elasticsearch url: https://elasticsearch.sherbers.de:443
DEBUG [publisher] pipeline/consumer.go:137 start pipeline event consumer
INFO [publisher] pipeline/module.go:97 Beat name: root
DEBUG [modules] beater/metricbeat.go:121 Available modules and metricsets: Register [ModuleFactory:[system], MetricSetFactory:[auditd/auditd, file_integrity/file, system/host, system/login, system/package, system/process, system/socket, system/user]]
INFO [auditd] auditd/audit_linux.go:106 auditd module is running as euid=0 on kernel=4.15.0-65-generic
INFO [auditd] auditd/audit_linux.go:133 socket_type=unicast will be used.
DEBUG [file_integrity] file_integrity/metricset.go:97 Initialized the file event reader. Running as euid=0
WARN [cfgwarn] host/host.go:167 BETA: The system/host dataset is beta
DEBUG [system] host/host.go:448 Restored last host information from disk.
WARN [cfgwarn] login/login.go:95 BETA: The system/login dataset is beta
DEBUG [login] login/utmp.go:539 Restored 4 UTMP file records from disk
DEBUG [login] login/utmp.go:571 Restored 1 open login sessions from disk
WARN [cfgwarn] package/package.go:170 BETA: The system/package dataset is beta
DEBUG [package] package/package.go:201 Last state was sent at 2019-10-07 23:25:38.784502657 +0200 CEST. Next state update by 2019-10-08 11:25:38.784502657 +0200 CEST.
DEBUG [package] package/package.go:211 Restored 652 packages from disk
WARN [cfgwarn] user/user.go:205 BETA: The system/user dataset is beta
DEBUG [user] user/user.go:245 Last state was sent at 2019-10-07 23:24:38.997360845 +0200 CEST. Next state update by 2019-10-08 11:24:38.997360845 +0200 CEST.
DEBUG [user] user/user.go:255 Restored 45 users from disk
WARN [cfgwarn] process/process.go:131 BETA: The system/process dataset is beta
DEBUG [process] process/process.go:168 Last state was sent at 2019-10-07 23:07:52.455978802 +0200 CEST. Next state update by 2019-10-08 11:07:52.455978802 +0200 CEST.
WARN [cfgwarn] socket/socket_linux.go:81 BETA: The system/socket dataset is beta.
INFO [socket] socket/socket_linux.go:197 Setting up system/socket for kernel 4.15.0-65-generic
DEBUG [socket] socket/socket_linux.go:244 IPv6 supported: true
DEBUG [socket] socket/socket_linux.go:251 IPv6 enabled: true
DEBUG [socket] socket/socket_linux.go:304 Selected kernel function SyS_gettimeofday for SYS_GETTIMEOFDAY
DEBUG [socket] socket/socket_linux.go:304 Selected kernel function SyS_newuname for SYS_UNAME
DEBUG [socket] socket/socket_linux.go:304 Selected kernel function ip_local_out for IP_LOCAL_OUT
DEBUG [socket] socket/socket_linux.go:304 Selected kernel function __skb_recv_udp for RECV_UDP_DATAGRAM
DEBUG [socket] socket/socket_linux.go:304 Selected kernel function SyS_execve for SYS_EXECVE
INFO [socket] guess/guess.go:258 Running 16 guesses ...
INFO instance/beat.go:385 auditbeat stopped.
ERROR instance/beat.go:878 Exiting: 1 error: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_sockaddr_in6 failed: timeout while waiting for trigger to complete
Exiting: 1 error: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_sockaddr_in6 failed: timeout while waiting for trigger to complete
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 2a03:b0c0:3:e0::54:d001/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::4e8:54ff:fe4d:9427/64 scope link
valid_lft forever preferred_lft forever
"ip -6 a add fd12:3456::1111 dev lo" does not output anything, but it finishes successfully and adds the IP to my loopback interface.
System: CentOS 7.7.1908
[cco@test ~]$ uname -a
Linux test 3.10.0-1062.1.2.el7.x86_64 #1 SMP Mon Sep 30 14:19:46 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
[cco@test ~]$ cat /etc/centos-release
CentOS Linux release 7.7.1908 (Core)
The system already has an IPv6 address. Adding the unique local address to interface 'lo' also works.
[cco@test~]$ sudo ip -6 a add fd12:3456::1111 dev lo
[cco@test~]$ ip -6 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
inet6 fd12:3456::1111/128 scope global
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
inet6 2a00:adc0:ccdd::160/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:fea0:2825/64 scope link
valid_lft forever preferred_lft forever
Running auditbeat shows the following error:
[cco@test~]$ sudo auditbeat run -e -d '*'
2019-10-08T10:56:02.039+0200 INFO instance/beat.go:607 Home path: [/usr/share/auditbeat] Config path: [/etc/auditbeat] Data path: [/var/lib/auditbeat] Logs path: [/var/log/auditbeat]
2019-10-08T10:56:02.039+0200 DEBUG [beat] instance/beat.go:659 Beat metadata path: /var/lib/auditbeat/meta.json
2019-10-08T10:56:02.040+0200 INFO instance/beat.go:615 Beat ID: 0d76a2ef-4db7-4df9-a4eb-128a4b3f6d02
2019-10-08T10:56:02.043+0200 DEBUG [processors] processors/processor.go:101 Generated new processors: add_host_metadata=[netinfo.enabled=[false], cache.ttl=[5m0s]], add_tags=central
2019-10-08T10:56:02.043+0200 DEBUG [seccomp] seccomp/seccomp.go:117 Loading syscall filter {"seccomp_filter": {"no_new_privs":true,"flag":"tsync","policy":{"default_action":"errno","syscalls":[{"names":["accept","accept4","access","arch_prctl","bind","brk","clock_gettime","clone","close","connect","dup","dup2","epoll_create","epoll_create1","epoll_ctl","epoll_pwait","epoll_wait","exit","exit_group","fchdir","fchmod","fchown","fcntl","fdatasync","flock","fstat","fstatfs","fsync","ftruncate","futex","getcwd","getdents","getdents64","geteuid","getgid","getpeername","getpid","getppid","getrandom","getrlimit","getrusage","getsockname","getsockopt","gettid","gettimeofday","getuid","inotify_add_watch","inotify_init1","inotify_rm_watch","ioctl","kill","listen","lseek","lstat","madvise","mincore","mkdirat","mmap","mprotect","munmap","nanosleep","newfstatat","open","openat","pipe","pipe2","poll","ppoll","pread64","pselect6","pwrite64","read","readlink","readlinkat","recvfrom","recvmmsg","recvmsg","rename","renameat","rt_sigaction","rt_sigprocmask","rt_sigreturn","sched_getaffinity","sched_yield","sendfile","sendmmsg","sendmsg","sendto","set_robust_list","setitimer","setsockopt","shutdown","sigaltstack","socket","splice","stat","statfs","sysinfo","tgkill","time","tkill","uname","unlink","unlinkat","wait4","waitid","write","writev","umask","mremap","perf_event_open","eventfd2","mount","umount2"],"action":"allow"}]}}}
2019-10-08T10:56:02.043+0200 INFO [seccomp] seccomp/seccomp.go:124 Syscall filter successfully installed
2019-10-08T10:56:02.043+0200 INFO [beat] instance/beat.go:903 Beat info {"system_info": {"beat": {"path": {"config": "/etc/auditbeat", "data": "/var/lib/auditbeat", "home": "/usr/share/auditbeat", "logs": "/var/log/auditbeat"}, "type": "auditbeat", "uuid": "0d76a2ef-4db7-4df9-a4eb-128a4b3f6d02"}}}
2019-10-08T10:56:02.044+0200 INFO [beat] instance/beat.go:912 Build info {"system_info": {"build": {"commit": "f940c36884d3749901a9c99bea5463a6030cdd9c", "libbeat": "7.4.0", "time": "2019-09-27T07:42:54.000Z", "version": "7.4.0"}}}
2019-10-08T10:56:02.044+0200 INFO [beat] instance/beat.go:915 Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":2,"version":"go1.12.9"}}}
2019-10-08T10:56:02.045+0200 INFO [beat] instance/beat.go:919 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-10-08T10:53:46+02:00","containerized":false,"name":"test","ip":["127.0.0.1/8","::1/128","2a00:adc0:ccdd::160/64","fe80::250:56ff:fea0:2825/64"],"kernel_version":"3.10.0-1062.1.2.el7.x86_64","mac":["00:50:56:a0:28:25"],"os":{"family":"redhat","platform":"centos","name":"CentOS Linux","version":"7 (Core)","major":7,"minor":7,"patch":1908,"codename":"Core"},"timezone":"CEST","timezone_offset_sec":7200,"id":"653ca41406934f44b817de479abfc082"}}}
2019-10-08T10:56:02.046+0200 INFO [beat] instance/beat.go:948 Process info {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"ambient":null}, "cwd": "/home/cco", "exe": "/usr/share/auditbeat/bin/auditbeat", "name": "auditbeat", "pid": 1407, "ppid": 1406, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2019-10-08T10:56:01.110+0200"}}}
2019-10-08T10:56:02.047+0200 INFO instance/beat.go:292 Setup Beat: auditbeat; Version: 7.4.0
2019-10-08T10:56:02.047+0200 DEBUG [beat] instance/beat.go:318 Initializing output plugins
2019-10-08T10:56:02.047+0200 INFO [index-management] idxmgmt/std.go:178 Set output.elasticsearch.index to 'auditbeat-7.4.0' as ILM is enabled.
2019-10-08T10:56:02.048+0200 DEBUG [tls] tlscommon/tls.go:155 successfully loaded CA certificate: /etc/auditbeat/ssl/ca.crt
2019-10-08T10:56:02.048+0200 INFO elasticsearch/client.go:170 Elasticsearch url: https://[OMITTED]:9200
2019-10-08T10:56:02.048+0200 INFO elasticsearch/client.go:170 Elasticsearch url: https://[OMITTED]:9200
2019-10-08T10:56:02.049+0200 DEBUG [publisher] pipeline/consumer.go:137 start pipeline event consumer
2019-10-08T10:56:02.049+0200 INFO [publisher] pipeline/module.go:97 Beat name: test
2019-10-08T10:56:02.049+0200 DEBUG [modules] beater/metricbeat.go:121 Available modules and metricsets: Register [ModuleFactory:[system], MetricSetFactory:[auditd/auditd, file_integrity/file, system/host, system/login, system/package, system/process, system/socket, system/user]]
2019-10-08T10:56:02.064+0200 INFO [auditd] auditd/audit_linux.go:106 auditd module is running as euid=0 on kernel=3.10.0-1062.1.2.el7.x86_64
2019-10-08T10:56:02.115+0200 INFO [auditd] auditd/audit_linux.go:133 socket_type=unicast will be used.
2019-10-08T10:56:02.115+0200 DEBUG [file_integrity] file_integrity/metricset.go:97 Initialized the file event reader. Running as euid=0
2019-10-08T10:56:02.118+0200 WARN [cfgwarn] host/host.go:167 BETA: The system/host dataset is beta
2019-10-08T10:56:02.121+0200 DEBUG [system] host/host.go:448 Restored last host information from disk.
2019-10-08T10:56:02.121+0200 WARN [cfgwarn] login/login.go:95 BETA: The system/login dataset is beta
2019-10-08T10:56:02.123+0200 DEBUG [login] login/utmp.go:539 Restored 4 UTMP file records from disk
2019-10-08T10:56:02.123+0200 DEBUG [login] login/utmp.go:571 Restored 1 open login sessions from disk
2019-10-08T10:56:02.123+0200 WARN [cfgwarn] package/package.go:170 BETA: The system/package dataset is beta
2019-10-08T10:56:02.125+0200 DEBUG [package] package/package.go:201 Last state was sent at 2019-10-08 09:25:04.542397974 +0200 CEST. Next state update by 2019-10-08 15:25:04.542397974 +0200 CEST.
2019-10-08T10:56:02.127+0200 DEBUG [package] package/package.go:211 Restored 448 packages from disk
2019-10-08T10:56:02.128+0200 WARN [cfgwarn] process/process.go:131 BETA: The system/process dataset is beta
2019-10-08T10:56:02.130+0200 DEBUG [process] process/process.go:168 Last state was sent at 2019-10-08 09:25:59.586246016 +0200 CEST. Next state update by 2019-10-08 15:25:59.586246016 +0200 CEST.
2019-10-08T10:56:02.130+0200 WARN [cfgwarn] socket/socket_linux.go:81 BETA: The system/socket dataset is beta.
2019-10-08T10:56:02.130+0200 INFO [socket] socket/socket_linux.go:197 Setting up system/socket for kernel 3.10.0-1062.1.2.el7.x86_64
2019-10-08T10:56:02.134+0200 DEBUG [socket] socket/socket_linux.go:244 IPv6 supported: true
2019-10-08T10:56:02.134+0200 DEBUG [socket] socket/socket_linux.go:251 IPv6 enabled: true
2019-10-08T10:56:02.221+0200 DEBUG [socket] socket/socket_linux.go:304 Selected kernel function ip_local_out_sk for IP_LOCAL_OUT
2019-10-08T10:56:02.221+0200 DEBUG [socket] socket/socket_linux.go:304 Selected kernel function __skb_recv_datagram for RECV_UDP_DATAGRAM
2019-10-08T10:56:02.221+0200 DEBUG [socket] socket/socket_linux.go:304 Selected kernel function SyS_execve for SYS_EXECVE
2019-10-08T10:56:02.221+0200 DEBUG [socket] socket/socket_linux.go:304 Selected kernel function SyS_gettimeofday for SYS_GETTIMEOFDAY
2019-10-08T10:56:02.221+0200 DEBUG [socket] socket/socket_linux.go:304 Selected kernel function SyS_newuname for SYS_UNAME
2019-10-08T10:56:02.224+0200 INFO [socket] guess/guess.go:258 Running 16 guesses ...
2019-10-08T10:56:02.315+0200 DEBUG [socket] guess/guess.go:287 Guess guess_struct_socket_sk completed: {"SOCKET_SOCK":32}
2019-10-08T10:56:02.376+0200 DEBUG [socket] guess/guess.go:287 Guess tcp_sendmsg_guess completed: {"TCP_SENDMSG_LEN":"%cx"}
2019-10-08T10:56:02.426+0200 DEBUG [socket] guess/guess.go:287 Guess guess_struct_creds completed: {"STRUCT_CRED_EGID":24,"STRUCT_CRED_EUID":20,"STRUCT_CRED_GID":8,"STRUCT_CRED_UID":4}
2019-10-08T10:56:17.482+0200 WARN [cfgwarn] user/user.go:205 BETA: The system/user dataset is beta
2019-10-08T10:56:17.484+0200 DEBUG [user] user/user.go:245 Last state was sent at 2019-10-08 09:25:27.893422968 +0200 CEST. Next state update by 2019-10-08 15:25:27.893422968 +0200 CEST.
2019-10-08T10:56:17.485+0200 DEBUG [user] user/user.go:255 Restored 23 users from disk
2019-10-08T10:56:17.486+0200 INFO instance/beat.go:385 auditbeat stopped.
2019-10-08T10:56:17.486+0200 ERROR instance/beat.go:878 Exiting: 1 error: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_sockaddr_in6 failed: timeout while waiting for trigger to complete
Exiting: 1 error: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_sockaddr_in6 failed: timeout while waiting for trigger to complete
auditbeat.yml:
auditbeat.modules:
- module: system
  datasets:
    - host # General host information, e.g. uptime, IPs
    - login # User logins, logouts, and system boots.
    - package # Installed, updated, and removed packages
    - process # Started and stopped processes
    - socket # Opened and closed sockets
    - user # User information
  # How often datasets send state updates with the
  # current state of the system (e.g. all currently
  # running processes, all open sockets).
  state.period: 6h
  # Enabled by default. Auditbeat will read password fields in
  # /etc/passwd and /etc/shadow and store a hash locally to
  # detect any changes.
  user.detect_password_changes: true
  # File patterns of the login record files.
  login.wtmp_file_pattern: /var/log/wtmp*
  login.btmp_file_pattern: /var/log/btmp*
output.elasticsearch:
  hosts: ["OMITTED", "OMITTED"]
  protocol: "https"
  username: "auditbeat_writer"
  password: "OMITTED"
  ssl.certificate_authorities: ["/etc/auditbeat/ssl/ca.crt"]
processors:
  - add_host_metadata: ~
monitoring.enabled: true
logging.metrics.enabled: false
Workaround: Adding the following option in auditbeat.yml:
- module: system
  socket.enable_ipv6: false
Thanks for the detailed information. I think I've addressed all the problems in #13966.
Just built a snapshot on top of 7.4.0, can you try it and report the outcome here? It shouldn't need socket.enable_ipv6: false.
Hi adriansr, this did not fix it for me. In #13966 you wrote that your patch fixes problems when IPv6 is disabled. I do not have IPv6 disabled. IPv6 is enabled and working fine.
stephan@root~ 0 > sudo dpkg -i auditbeat-7.4.0-SNAPSHOT-amd64.deb
(Reading database ... 102912 files and directories currently installed.)
Preparing to unpack auditbeat-7.4.0-SNAPSHOT-amd64.deb ...
Unpacking auditbeat (7.4.0) over (7.4.0) ...
Setting up auditbeat (7.4.0) ...
Processing triggers for systemd (237-3ubuntu10.29) ...
Processing triggers for ureadahead (0.100.0-21) ...
stephan@root~ 0 > sudo auditbeat run -e -d '*'
INFO instance/beat.go:607 Home path: [/usr/share/auditbeat] Config path: [/etc/auditbeat] Data path: [/var/lib/auditbeat] Logs path: [/var/log/auditbeat]
DEBUG [beat] instance/beat.go:659 Beat metadata path: /var/lib/auditbeat/meta.json
INFO instance/beat.go:615 Beat ID: afa2df26-38eb-4571-82da-9e4758f51031
DEBUG [filters] add_cloud_metadata/providers.go:126 add_cloud_metadata: starting to fetch metadata, timeout=3s
DEBUG [filters] add_cloud_metadata/providers.go:162 add_cloud_metadata: received disposition for az after 7.390705ms. result=[provider:az, error=failed with http status code 404, metadata={}]
DEBUG [filters] add_cloud_metadata/providers.go:162 add_cloud_metadata: received disposition for gcp after 7.806732ms. result=[provider:gcp, error=failed with http status code 404, metadata={}]
DEBUG [filters] add_cloud_metadata/providers.go:162 add_cloud_metadata: received disposition for openstack after 8.021241ms. result=[provider:openstack, error=failed with http status code 404, metadata={}]
DEBUG [filters] add_cloud_metadata/providers.go:162 add_cloud_metadata: received disposition for aws after 8.094352ms. result=[provider:aws, error=failed with http status code 404, metadata={}]
DEBUG [filters] add_cloud_metadata/providers.go:162 add_cloud_metadata: received disposition for digitalocean after 31.029801ms. result=[provider:digitalocean, error=<nil>, metadata={"instance":{"id":"137391861"},"provider":"digitalocean","region":"fra1"}]
DEBUG [filters] add_cloud_metadata/providers.go:129 add_cloud_metadata: fetchMetadata ran for 31.146688ms
INFO add_cloud_metadata/add_cloud_metadata.go:91 add_cloud_metadata: hosting provider type detected as digitalocean, metadata={"instance":{"id":"137391861"},"provider":"digitalocean","region":"fra1"}
DEBUG [processors] processors/processor.go:101 Generated new processors: add_host_metadata=[netinfo.enabled=[false], cache.ttl=[5m0s]], add_cloud_metadata={"instance":{"id":"137391861"},"provider":"digitalocean","region":"fra1"}
DEBUG [seccomp] seccomp/seccomp.go:117 Loading syscall filter {"seccomp_filter": {"no_new_privs":true,"flag":"tsync","policy":{"default_action":"errno","syscalls":[{"names":["accept","accept4","access","arch_prctl","bind","brk","clock_gettime","clone","close","connect","dup","dup2","epoll_create","epoll_create1","epoll_ctl","epoll_pwait","epoll_wait","exit","exit_group","fchdir","fchmod","fchown","fcntl","fdatasync","flock","fstat","fstatfs","fsync","ftruncate","futex","getcwd","getdents","getdents64","geteuid","getgid","getpeername","getpid","getppid","getrandom","getrlimit","getrusage","getsockname","getsockopt","gettid","gettimeofday","getuid","inotify_add_watch","inotify_init1","inotify_rm_watch","ioctl","kill","listen","lseek","lstat","madvise","mincore","mkdirat","mmap","mprotect","munmap","nanosleep","newfstatat","open","openat","pipe","pipe2","poll","ppoll","pread64","pselect6","pwrite64","read","readlink","readlinkat","recvfrom","recvmmsg","recvmsg","rename","renameat","rt_sigaction","rt_sigprocmask","rt_sigreturn","sched_getaffinity","sched_yield","sendfile","sendmmsg","sendmsg","sendto","set_robust_list","setitimer","setsockopt","shutdown","sigaltstack","socket","splice","stat","statfs","sysinfo","tgkill","time","tkill","uname","unlink","unlinkat","wait4","waitid","write","writev","umask","mremap","perf_event_open","eventfd2","mount","umount2"],"action":"allow"}]}}}
INFO [seccomp] seccomp/seccomp.go:124 Syscall filter successfully installed
INFO [beat] instance/beat.go:903 Beat info {"system_info": {"beat": {"path": {"config": "/etc/auditbeat", "data": "/var/lib/auditbeat", "home": "/usr/share/auditbeat", "logs": "/var/log/auditbeat"}, "type": "auditbeat", "uuid": "afa2df26-38eb-4571-82da-9e4758f51031"}}}
INFO [beat] instance/beat.go:912 Build info {"system_info": {"build": {"commit": "fe2f4f53d95f7a0137767f2d8e6d23a909829412", "libbeat": "7.4.0", "time": "2019-10-08T16:08:43.000Z", "version": "7.4.0"}}}
INFO [beat] instance/beat.go:915 Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":1,"version":"go1.12.9"}}}
INFO [beat] instance/beat.go:919 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-10-01T19:14:26+02:00","containerized":false,"name":"root","ip":["127.0.0.1/8","fd12:3456::1111/128","::1/128","157.230.121.52/20","10.19.0.6/16","2a03:b0c0:3:e0::54:d001/64","fe80::4e8:54ff:fe4d:9427/64","10.10.10.1/24"],"kernel_version":"4.15.0-65-generic","mac":["06:e8:54:4d:94:27"],"os":{"family":"debian","platform":"ubuntu","name":"Ubuntu","version":"18.04.3 LTS (Bionic Beaver)","major":18,"minor":4,"patch":3,"codename":"bionic"},"timezone":"CEST","timezone_offset_sec":7200,"id":"434477ac15fa492da53d0a1effd2ba74"}}}
INFO [beat] instance/beat.go:948 Process info {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"ambient":null}, "cwd": "/home/stephan", "exe": "/usr/share/auditbeat/bin/auditbeat", "name": "auditbeat", "pid": 18710, "ppid": 18709, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2019-10-09T09:49:12.840+0200"}}}
INFO instance/beat.go:292 Setup Beat: auditbeat; Version: 7.4.0
DEBUG [beat] instance/beat.go:318 Initializing output plugins
INFO [index-management] idxmgmt/std.go:178 Set output.elasticsearch.index to 'auditbeat-7.4.0' as ILM is enabled.
INFO elasticsearch/client.go:170 Elasticsearch url: https://elasticsearch.sherbers.de:443
DEBUG [publisher] pipeline/consumer.go:137 start pipeline event consumer
INFO [publisher] pipeline/module.go:97 Beat name: root
DEBUG [modules] beater/metricbeat.go:121 Available modules and metricsets: Register [ModuleFactory:[system], MetricSetFactory:[auditd/auditd, file_integrity/file, system/host, system/login, system/package, system/process, system/socket, system/user]]
INFO [auditd] auditd/audit_linux.go:106 auditd module is running as euid=0 on kernel=4.15.0-65-generic
INFO [auditd] auditd/audit_linux.go:133 socket_type=unicast will be used.
DEBUG [file_integrity] file_integrity/metricset.go:97 Initialized the file event reader. Running as euid=0
WARN [cfgwarn] host/host.go:167 BETA: The system/host dataset is beta
DEBUG [system] host/host.go:448 Restored last host information from disk.
WARN [cfgwarn] login/login.go:95 BETA: The system/login dataset is beta
DEBUG [login] login/utmp.go:539 Restored 4 UTMP file records from disk
DEBUG [login] login/utmp.go:571 Restored 1 open login sessions from disk
WARN [cfgwarn] package/package.go:170 BETA: The system/package dataset is beta
DEBUG [package] package/package.go:201 Last state was sent at 2019-10-08 23:26:40.760038424 +0200 CEST. Next state update by 2019-10-09 11:26:40.760038424 +0200 CEST.
DEBUG [package] package/package.go:211 Restored 652 packages from disk
WARN [cfgwarn] user/user.go:205 BETA: The system/user dataset is beta
DEBUG [user] user/user.go:245 Last state was sent at 2019-10-08 23:25:31.50370576 +0200 CEST. Next state update by 2019-10-09 11:25:31.50370576 +0200 CEST.
DEBUG [user] user/user.go:255 Restored 45 users from disk
WARN [cfgwarn] process/process.go:131 BETA: The system/process dataset is beta
DEBUG [process] process/process.go:168 Last state was sent at 2019-10-08 23:07:54.307304306 +0200 CEST. Next state update by 2019-10-09 11:07:54.307304306 +0200 CEST.
WARN [cfgwarn] socket/socket_linux.go:81 BETA: The system/socket dataset is beta.
INFO [socket] socket/socket_linux.go:197 Setting up system/socket for kernel 4.15.0-65-generic
DEBUG [socket] socket/socket_linux.go:245 IPv6 supported: true
DEBUG [socket] socket/socket_linux.go:252 IPv6 enabled: true
DEBUG [socket] socket/socket_linux.go:305 Selected kernel function ip_local_out for IP_LOCAL_OUT
DEBUG [socket] socket/socket_linux.go:305 Selected kernel function __skb_recv_udp for RECV_UDP_DATAGRAM
DEBUG [socket] socket/socket_linux.go:305 Selected kernel function SyS_execve for SYS_EXECVE
DEBUG [socket] socket/socket_linux.go:305 Selected kernel function SyS_gettimeofday for SYS_GETTIMEOFDAY
DEBUG [socket] socket/socket_linux.go:305 Selected kernel function SyS_newuname for SYS_UNAME
INFO [socket] guess/guess.go:258 Running 16 guesses ...
DEBUG [socket] guess/guess.go:112 --- result of guess_inet_sock run #1: {"INET_SOCK_LADDR":[4,84,720,856],"INET_SOCK_LPORT":[728,866],"INET_SOCK_RADDR":[0,68,860],"INET_SOCK_RPORT":[12,864]}
DEBUG [socket] guess/guess.go:112 --- result of guess_inet_sock run #2: {"INET_SOCK_LADDR":[4,84,720,856],"INET_SOCK_LPORT":[728,866],"INET_SOCK_RADDR":[0,68,860],"INET_SOCK_RPORT":[12,864]}
DEBUG [socket] guess/guess.go:112 --- result of guess_inet_sock run #3: {"INET_SOCK_LADDR":[4,84,720,856],"INET_SOCK_LPORT":[728,866],"INET_SOCK_RADDR":[0,68,860],"INET_SOCK_RPORT":[12,864]}
DEBUG [socket] guess/guess.go:112 --- result of guess_inet_sock run #4: {"INET_SOCK_LADDR":[4,84,720,856],"INET_SOCK_LPORT":[728,866],"INET_SOCK_RADDR":[0,68,860],"INET_SOCK_RPORT":[12,864]}
DEBUG [socket] guess/guess.go:287 Guess guess_inet_sock completed: {"INET_SOCK_LADDR":4,"INET_SOCK_LADDR_LIST":[4,84,720,856],"INET_SOCK_LPORT":728,"INET_SOCK_LPORT_LIST":[728,866],"INET_SOCK_RADDR":0,"INET_SOCK_RADDR_LIST":[0,68,860],"INET_SOCK_RPORT":12,"INET_SOCK_RPORT_LIST":[12,864]}
DEBUG [socket] guess/guess.go:287 Guess guess_sockaddr_in completed: {"SOCKADDR_IN_ADDR":4,"SOCKADDR_IN_AF":0,"SOCKADDR_IN_PORT":2}
DEBUG [socket] guess/guess.go:112 --- result of guess_sk_buff_proto run #1: {"SK_BUFF_PROTO":[192]}
DEBUG [socket] guess/guess.go:112 --- result of guess_sk_buff_proto run #2: {"SK_BUFF_PROTO":[192,544,640]}
DEBUG [socket] guess/guess.go:112 --- result of guess_sk_buff_proto run #3: {"SK_BUFF_PROTO":[192]}
DEBUG [socket] guess/guess.go:112 --- result of guess_sk_buff_proto run #4: {"SK_BUFF_PROTO":[192,544,640]}
DEBUG [socket] guess/guess.go:112 --- result of guess_sk_buff_proto run #5: {"SK_BUFF_PROTO":[192]}
DEBUG [socket] guess/guess.go:112 --- result of guess_sk_buff_proto run #6: {"SK_BUFF_PROTO":[192,544,640]}
DEBUG [socket] guess/guess.go:112 --- result of guess_sk_buff_proto run #7: {"SK_BUFF_PROTO":[192]}
DEBUG [socket] guess/guess.go:112 --- result of guess_sk_buff_proto run #8: {"SK_BUFF_PROTO":[192,544,640]}
DEBUG [socket] guess/guess.go:287 Guess guess_sk_buff_proto completed: {"SK_BUFF_PROTO":192}
DEBUG [socket] guess/guess.go:287 Guess guess_syscall_args completed: {"SYS_P1":"%di","SYS_P2":"%si","SYS_P3":"%dx","SYS_P4":"%cx","SYS_P5":"%r8","SYS_P6":"%r9"}
DEBUG [socket] guess/guess.go:287 Guess guess_udp_sendmsg completed: {"UDP_SENDMSG_LEN":"%dx","UDP_SENDMSG_MSG":"%si","UDP_SENDMSG_SOCK":"%di"}
DEBUG [socket] guess/guess.go:287 Guess guess_inet6_csk_xmit completed: {"INET6_CSK_XMIT_SKBUFF":"%si","INET6_CSK_XMIT_SOCK":"%di"}
DEBUG [socket] guess/guess.go:121 --- guess_sk_buff_data_ptr run #0
DEBUG [socket] guess/guess.go:121 --- guess_sk_buff_data_ptr run #1
DEBUG [socket] guess/guess.go:287 Guess guess_sk_buff_data_ptr completed: {"SK_BUFF_HAS_POINTERS":false,"SK_BUFF_HEAD":208,"SK_BUFF_MAC":198,"SK_BUFF_NETWORK":196,"SK_BUFF_TRANSPORT":194}
INFO instance/beat.go:385 auditbeat stopped.
ERROR instance/beat.go:878 Exiting: 1 error: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_sockaddr_in6 failed: timeout while waiting for trigger to complete
Exiting: 1 error: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_sockaddr_in6 failed: timeout while waiting for trigger to complete
Thanks @stephan13360, I will investigate this problem.
Does it work for you when setting socket.enable_ipv6: true?
No, I get the exact same error.
INFO instance/beat.go:607 Home path: [/usr/share/auditbeat] Config path: [/etc/auditbeat] Data path: [/var/lib/auditbeat] Logs path: [/var/log/auditbeat]
DEBUG [beat] instance/beat.go:659 Beat metadata path: /var/lib/auditbeat/meta.json
INFO instance/beat.go:615 Beat ID: afa2df26-38eb-4571-82da-9e4758f51031
DEBUG [filters] add_cloud_metadata/providers.go:126 add_cloud_metadata: starting to fetch metadata, timeout=3s
DEBUG [filters] add_cloud_metadata/providers.go:162 add_cloud_metadata: received disposition for gcp after 8.662612ms. result=[provider:gcp, error=failed with http status code 404, metadata={}]
DEBUG [filters] add_cloud_metadata/providers.go:162 add_cloud_metadata: received disposition for az after 8.820512ms. result=[provider:az, error=failed with http status code 404, metadata={}]
DEBUG [filters] add_cloud_metadata/providers.go:162 add_cloud_metadata: received disposition for aws after 8.90406ms. result=[provider:aws, error=failed with http status code 404, metadata={}]
DEBUG [filters] add_cloud_metadata/providers.go:162 add_cloud_metadata: received disposition for openstack after 9.70986ms. result=[provider:openstack, error=failed with http status code 404, metadata={}]
DEBUG [filters] add_cloud_metadata/providers.go:162 add_cloud_metadata: received disposition for digitalocean after 33.8957ms. result=[provider:digitalocean, error=<nil>, metadata={"instance":{"id":"137391861"},"provider":"digitalocean","region":"fra1"}]
DEBUG [filters] add_cloud_metadata/providers.go:129 add_cloud_metadata: fetchMetadata ran for 34.001184ms
INFO add_cloud_metadata/add_cloud_metadata.go:91 add_cloud_metadata: hosting provider type detected as digitalocean, metadata={"instance":{"id":"137391861"},"provider":"digitalocean","region":"fra1"}
DEBUG [processors] processors/processor.go:101 Generated new processors: add_host_metadata=[netinfo.enabled=[false], cache.ttl=[5m0s]], add_cloud_metadata={"instance":{"id":"137391861"},"provider":"digitalocean","region":"fra1"}
DEBUG [seccomp] seccomp/seccomp.go:117 Loading syscall filter {"seccomp_filter": {"no_new_privs":true,"flag":"tsync","policy":{"default_action":"errno","syscalls":[{"names":["accept","accept4","access","arch_prctl","bind","brk","clock_gettime","clone","close","connect","dup","dup2","epoll_create","epoll_create1","epoll_ctl","epoll_pwait","epoll_wait","exit","exit_group","fchdir","fchmod","fchown","fcntl","fdatasync","flock","fstat","fstatfs","fsync","ftruncate","futex","getcwd","getdents","getdents64","geteuid","getgid","getpeername","getpid","getppid","getrandom","getrlimit","getrusage","getsockname","getsockopt","gettid","gettimeofday","getuid","inotify_add_watch","inotify_init1","inotify_rm_watch","ioctl","kill","listen","lseek","lstat","madvise","mincore","mkdirat","mmap","mprotect","munmap","nanosleep","newfstatat","open","openat","pipe","pipe2","poll","ppoll","pread64","pselect6","pwrite64","read","readlink","readlinkat","recvfrom","recvmmsg","recvmsg","rename","renameat","rt_sigaction","rt_sigprocmask","rt_sigreturn","sched_getaffinity","sched_yield","sendfile","sendmmsg","sendmsg","sendto","set_robust_list","setitimer","setsockopt","shutdown","sigaltstack","socket","splice","stat","statfs","sysinfo","tgkill","time","tkill","uname","unlink","unlinkat","wait4","waitid","write","writev","umask","mremap","perf_event_open","eventfd2","mount","umount2"],"action":"allow"}]}}}
INFO [seccomp] seccomp/seccomp.go:124 Syscall filter successfully installed
INFO [beat] instance/beat.go:903 Beat info {"system_info": {"beat": {"path": {"config": "/etc/auditbeat", "data": "/var/lib/auditbeat", "home": "/usr/share/auditbeat", "logs": "/var/log/auditbeat"}, "type": "auditbeat", "uuid": "afa2df26-38eb-4571-82da-9e4758f51031"}}}
INFO [beat] instance/beat.go:912 Build info {"system_info": {"build": {"commit": "fe2f4f53d95f7a0137767f2d8e6d23a909829412", "libbeat": "7.4.0", "time": "2019-10-08T16:08:43.000Z", "version": "7.4.0"}}}
INFO [beat] instance/beat.go:915 Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":1,"version":"go1.12.9"}}}
INFO [beat] instance/beat.go:919 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-10-01T19:14:26+02:00","containerized":false,"name":"root","ip":["127.0.0.1/8","fd12:3456::1111/128","::1/128","157.230.121.52/20","10.19.0.6/16","2a03:b0c0:3:e0::54:d001/64","fe80::4e8:54ff:fe4d:9427/64","10.10.10.1/24"],"kernel_version":"4.15.0-65-generic","mac":["06:e8:54:4d:94:27"],"os":{"family":"debian","platform":"ubuntu","name":"Ubuntu","version":"18.04.3 LTS (Bionic Beaver)","major":18,"minor":4,"patch":3,"codename":"bionic"},"timezone":"CEST","timezone_offset_sec":7200,"id":"434477ac15fa492da53d0a1effd2ba74"}}}
INFO [beat] instance/beat.go:948 Process info {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"ambient":null}, "cwd": "/home/stephan", "exe": "/usr/share/auditbeat/bin/auditbeat", "name": "auditbeat", "pid": 20281, "ppid": 20280, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2019-10-09T10:41:17.770+0200"}}}
INFO instance/beat.go:292 Setup Beat: auditbeat; Version: 7.4.0
DEBUG [beat] instance/beat.go:318 Initializing output plugins
INFO [index-management] idxmgmt/std.go:178 Set output.elasticsearch.index to 'auditbeat-7.4.0' as ILM is enabled.
INFO elasticsearch/client.go:170 Elasticsearch url: https://elasticsearch.sherbers.de:443
DEBUG [publisher] pipeline/consumer.go:137 start pipeline event consumer
INFO [publisher] pipeline/module.go:97 Beat name: root
DEBUG [modules] beater/metricbeat.go:121 Available modules and metricsets: Register [ModuleFactory:[system], MetricSetFactory:[auditd/auditd, file_integrity/file, system/host, system/login, system/package, system/process, system/socket, system/user]]
INFO [auditd] auditd/audit_linux.go:106 auditd module is running as euid=0 on kernel=4.15.0-65-generic
INFO [auditd] auditd/audit_linux.go:133 socket_type=unicast will be used.
DEBUG [file_integrity] file_integrity/metricset.go:97 Initialized the file event reader. Running as euid=0
WARN [cfgwarn] host/host.go:167 BETA: The system/host dataset is beta
DEBUG [system] host/host.go:448 Restored last host information from disk.
WARN [cfgwarn] login/login.go:95 BETA: The system/login dataset is beta
DEBUG [login] login/utmp.go:539 Restored 4 UTMP file records from disk
DEBUG [login] login/utmp.go:571 Restored 2 open login sessions from disk
WARN [cfgwarn] package/package.go:170 BETA: The system/package dataset is beta
DEBUG [package] package/package.go:201 Last state was sent at 2019-10-08 23:26:40.760038424 +0200 CEST. Next state update by 2019-10-09 11:26:40.760038424 +0200 CEST.
DEBUG [package] package/package.go:211 Restored 652 packages from disk
WARN [cfgwarn] user/user.go:205 BETA: The system/user dataset is beta
DEBUG [user] user/user.go:245 Last state was sent at 2019-10-08 23:25:31.50370576 +0200 CEST. Next state update by 2019-10-09 11:25:31.50370576 +0200 CEST.
DEBUG [user] user/user.go:255 Restored 45 users from disk
WARN [cfgwarn] process/process.go:131 BETA: The system/process dataset is beta
DEBUG [process] process/process.go:168 Last state was sent at 2019-10-08 23:07:54.307304306 +0200 CEST. Next state update by 2019-10-09 11:07:54.307304306 +0200 CEST.
WARN [cfgwarn] socket/socket_linux.go:81 BETA: The system/socket dataset is beta.
INFO [socket] socket/socket_linux.go:197 Setting up system/socket for kernel 4.15.0-65-generic
DEBUG [socket] socket/socket_linux.go:245 IPv6 supported: true
DEBUG [socket] socket/socket_linux.go:252 IPv6 enabled: true
DEBUG [socket] socket/socket_linux.go:305 Selected kernel function ip_local_out for IP_LOCAL_OUT
DEBUG [socket] socket/socket_linux.go:305 Selected kernel function __skb_recv_udp for RECV_UDP_DATAGRAM
DEBUG [socket] socket/socket_linux.go:305 Selected kernel function SyS_execve for SYS_EXECVE
DEBUG [socket] socket/socket_linux.go:305 Selected kernel function SyS_gettimeofday for SYS_GETTIMEOFDAY
DEBUG [socket] socket/socket_linux.go:305 Selected kernel function SyS_newuname for SYS_UNAME
INFO [socket] guess/guess.go:258 Running 16 guesses ...
DEBUG [socket] guess/guess.go:287 Guess guess_struct_socket_sk completed: {"SOCKET_SOCK":32}
DEBUG [socket] guess/guess.go:287 Guess guess_syscall_args completed: {"SYS_P1":"%di","SYS_P2":"%si","SYS_P3":"%dx","SYS_P4":"%cx","SYS_P5":"%r8","SYS_P6":"%r9"}
DEBUG [socket] guess/guess.go:287 Guess guess_sockaddr_in completed: {"SOCKADDR_IN_ADDR":4,"SOCKADDR_IN_AF":0,"SOCKADDR_IN_PORT":2}
DEBUG [socket] guess/guess.go:287 Guess tcp_sendmsg_guess completed: {"TCP_SENDMSG_LEN":"%dx"}
DEBUG [socket] guess/guess.go:112 --- result of guess_inet_sock run #1: {"INET_SOCK_LADDR":[4,84,720,856],"INET_SOCK_LPORT":[728,866],"INET_SOCK_RADDR":[0,68,860],"INET_SOCK_RPORT":[12,864]}
DEBUG [socket] guess/guess.go:112 --- result of guess_inet_sock run #2: {"INET_SOCK_LADDR":[4,84,720,856],"INET_SOCK_LPORT":[728,866],"INET_SOCK_RADDR":[0,68,860],"INET_SOCK_RPORT":[12,864]}
DEBUG [socket] guess/guess.go:112 --- result of guess_inet_sock run #3: {"INET_SOCK_LADDR":[4,84,720,856],"INET_SOCK_LPORT":[728,866],"INET_SOCK_RADDR":[0,68,860],"INET_SOCK_RPORT":[12,864]}
DEBUG [socket] guess/guess.go:112 --- result of guess_inet_sock run #4: {"INET_SOCK_LADDR":[4,84,720,856],"INET_SOCK_LPORT":[728,866],"INET_SOCK_RADDR":[0,68,860],"INET_SOCK_RPORT":[12,864]}
DEBUG [socket] guess/guess.go:287 Guess guess_inet_sock completed: {"INET_SOCK_LADDR":4,"INET_SOCK_LADDR_LIST":[4,84,720,856],"INET_SOCK_LPORT":728,"INET_SOCK_LPORT_LIST":[728,866],"INET_SOCK_RADDR":0,"INET_SOCK_RADDR_LIST":[0,68,860],"INET_SOCK_RPORT":12,"INET_SOCK_RPORT_LIST":[12,864]}
DEBUG [socket] guess/guess.go:112 --- result of guess_sk_buff_proto run #1: {"SK_BUFF_PROTO":[192]}
DEBUG [socket] guess/guess.go:112 --- result of guess_sk_buff_proto run #2: {"SK_BUFF_PROTO":[192]}
DEBUG [socket] guess/guess.go:112 --- result of guess_sk_buff_proto run #3: {"SK_BUFF_PROTO":[192]}
DEBUG [socket] guess/guess.go:112 --- result of guess_sk_buff_proto run #4: {"SK_BUFF_PROTO":[192]}
DEBUG [socket] guess/guess.go:112 --- result of guess_sk_buff_proto run #5: {"SK_BUFF_PROTO":[192]}
DEBUG [socket] guess/guess.go:112 --- result of guess_sk_buff_proto run #6: {"SK_BUFF_PROTO":[192]}
DEBUG [socket] guess/guess.go:112 --- result of guess_sk_buff_proto run #7: {"SK_BUFF_PROTO":[192]}
DEBUG [socket] guess/guess.go:112 --- result of guess_sk_buff_proto run #8: {"SK_BUFF_PROTO":[192]}
DEBUG [socket] guess/guess.go:287 Guess guess_sk_buff_proto completed: {"SK_BUFF_PROTO":192}
INFO instance/beat.go:385 auditbeat stopped.
ERROR instance/beat.go:878 Exiting: 1 error: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_sockaddr_in6 failed: timeout while waiting for trigger to complete
Exiting: 1 error: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_sockaddr_in6 failed: timeout while waiting for trigger to complete
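A startup failure like the one logged above silently removes socket telemetry from the host, so it is worth triaging from the logs. The following is an added example, not Auditbeat's own code: the function name `triage`, the report keys, and the IPv6 heuristic are assumptions, and the sample lines are constructed in the format quoted in this thread.

```python
import json
import re

# Constructed sample, in the format of the debug output quoted in this thread.
SAMPLE_LOG = """\
DEBUG [socket] guess/guess.go:287 Guess guess_sockaddr_in completed: {"SOCKADDR_IN_ADDR":4,"SOCKADDR_IN_AF":0,"SOCKADDR_IN_PORT":2}
DEBUG [socket] guess/guess.go:112 --- result of guess_sk_buff_proto run #1: {"SK_BUFF_PROTO":[192]}
DEBUG [socket] guess/guess.go:287 Guess guess_sk_buff_proto completed: {"SK_BUFF_PROTO":192}
INFO instance/beat.go:385 auditbeat stopped.
ERROR instance/beat.go:878 Exiting: 1 error: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_sockaddr_in6 failed: timeout while waiting for trigger to complete
"""

# "Guess <name> completed: {json}" marks a guess that finished successfully.
COMPLETED = re.compile(r"Guess (\w+) completed: (\{.*\})\s*$")
# Only the ERROR-level line is matched, so the bare "Exiting:" repeat is ignored.
SETUP_FAILED = re.compile(r"ERROR .*system/socket dataset setup failed: (.*)$")
# Guess names seen in the thread look like guess_xxx or xxx_guess.
FAILED_GUESS = re.compile(r"\b(guess_\w+|\w+_guess) failed: (.*)$")


def triage(log_text):
    """Summarise a system/socket startup: completed guesses and the fatal error."""
    report = {"completed": {}, "failed_guess": None,
              "reason": None, "ipv6_related": False}
    for line in log_text.splitlines():
        m = COMPLETED.search(line)
        if m:
            try:
                report["completed"][m.group(1)] = json.loads(m.group(2))
            except json.JSONDecodeError:
                report["completed"][m.group(1)] = None  # truncated log line
            continue
        m = SETUP_FAILED.search(line)
        if m:
            detail = m.group(1)
            g = FAILED_GUESS.search(detail)
            if g:
                report["failed_guess"], report["reason"] = g.group(1), g.group(2)
            else:
                report["reason"] = detail
            # Heuristic (assumption): IPv6 detection errors and *_in6 guesses.
            report["ipv6_related"] = "ipv6" in detail.lower() or "in6" in detail
    return report
```
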
Sorry I mean socket.enable_ipv6: false.
Setting it to false works, as stated in my original discuss post. Same behavior now with your patched version.
I will keep trying to reproduce. Same distro / kernel works fine for me so there must be some difference in configuration.
The weird thing is, I have two servers, one Intel NUC and one DigitalOcean VM. Both are configured through Ansible, so there should be no configuration difference (except the different software running on them). On my NUC auditbeat is working fine.
I would be ok with giving you access to my VM if this is something that would help you debug this. There is nothing private on it.
Are they both the same OS/Image/Kernel?
Yes, both are running Ubuntu 18.04 with default kernel
Linux root 4.15.0-65-generic #74-Ubuntu SMP Tue Sep 17 17:06:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
@stephan13360 that would be great, because I'm running out of ideas. Can you send me the access credentials to adrian at elastic dot co?
The packages in https://ela.st/auditbeat740-ipv6-fix have been updated.
Can confirm. This fixes it for me.
Maybe not your target distro but can confirm this works in Arch Linux.
service:guacamole com.docker.compose.version:1.27.4 execID:0f27f30e31c418cc540aaca040114ad928fefaf8110c0b90231e283878527e41 exitCode:0 image:jumpserver/guacamole:v2.7.1 name:jms_guacamole]} local 1614488222 1614488222300889116}
2021-02-28T04:57:03.082Z WARN [cfgwarn] user/user.go:232 BETA: The system/user dataset is beta
2021-02-28T04:57:03.083Z DEBUG [user] user/user.go:272 Last state was sent at 2021-02-28 04:18:55.190692216 +0000 UTC. Next state update by 2021-02-28 16:18:55.190692216 +0000 UTC.
2021-02-28T04:57:03.084Z DEBUG [user] user/user.go:282 Restored 27 users from disk
2021-02-28T04:57:03.084Z DEBUG [add_docker_metadata] docker/watcher.go:308 Watcher stopped
2021-02-28T04:57:03.084Z INFO instance/beat.go:437 auditbeat stopped.
2021-02-28T04:57:03.084Z ERROR instance/beat.go:971 Exiting: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_inet_sock failed: timeout while waiting for event
Exiting: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_inet_sock failed: timeout while waiting for event
[root@en-us-public-mgr auditbeat]#
[root@en-us-public-mgr auditbeat]#
Please include configurations and logs if available.
For confirmed bugs, please report: