[Auditbeat] Fails to start with package dataset on Amazon Linux #11490

Closed
andrewkroh opened this issue Mar 27, 2019 · 3 comments
@andrewkroh
Member

Auditbeat fails to start with "this metricset does not support OS family". Looks like the root cause is that the family value of amzn is not recognized as platform: redhat by go-sysinfo.

      "os": {
        "family": "",
        "platform": "amzn",

Logs

{
  "level": "info",
  "timestamp": "2019-03-27T01:29:04.669Z",
  "caller": "instance/beat.go:571",
  "message": "Home path: [/usr/share/auditbeat] Config path: [/etc/auditbeat] Data path: [/var/lib/auditbeat] Logs path: [/var/log/auditbeat]"
}
{
  "level": "info",
  "timestamp": "2019-03-27T01:29:04.672Z",
  "caller": "instance/beat.go:579",
  "message": "Beat ID: fc94cccc-f5eb-4998-aaad-a82b87de8aac"
}
{
  "level": "info",
  "timestamp": "2019-03-27T01:29:04.672Z",
  "logger": "index-management.ilm",
  "caller": "ilm/ilm.go:123",
  "message": "Policy name: auditbeat-8.0.0"
}
{
  "level": "info",
  "timestamp": "2019-03-27T01:29:04.672Z",
  "logger": "beat",
  "caller": "instance/beat.go:827",
  "message": "Beat info",
  "system_info": {
    "beat": {
      "path": {
        "config": "/etc/auditbeat",
        "data": "/var/lib/auditbeat",
        "home": "/usr/share/auditbeat",
        "logs": "/var/log/auditbeat"
      },
      "type": "auditbeat",
      "uuid": "fc94cccc-f5eb-4998-aaad-a82b87de8aac"
    }
  }
}
{
  "level": "info",
  "timestamp": "2019-03-27T01:29:04.672Z",
  "logger": "beat",
  "caller": "instance/beat.go:836",
  "message": "Build info",
  "system_info": {
    "build": {
      "commit": "7982422bbe3993dd5228bcb8d571f1b48bdb5dc9",
      "libbeat": "8.0.0",
      "time": "2019-03-27T00:44:17.000Z",
      "version": "8.0.0"
    }
  }
}
{
  "level": "info",
  "timestamp": "2019-03-27T01:29:04.672Z",
  "logger": "beat",
  "caller": "instance/beat.go:839",
  "message": "Go runtime info",
  "system_info": {
    "go": {
      "os": "linux",
      "arch": "amd64",
      "max_procs": 1,
      "version": "go1.11.5"
    }
  }
}
{
  "level": "info",
  "timestamp": "2019-03-27T01:29:04.673Z",
  "logger": "beat",
  "caller": "instance/beat.go:843",
  "message": "Host info",
  "system_info": {
    "host": {
      "architecture": "x86_64",
      "boot_time": "2019-03-27T01:19:33Z",
      "containerized": true,
      "name": "localhost.localdomain",
      "ip": [
        "127.0.0.1/8",
        "::1/128",
        "10.0.2.15/24",
        "fe80::a00:27ff:feaf:8570/64",
        "192.168.33.78/24",
        "fe80::a00:27ff:fe7a:5c5/64"
      ],
      "kernel_version": "4.9.17-8.31.amzn1.x86_64",
      "mac": [
        "08:00:27:af:85:70",
        "08:00:27:7a:05:c5"
      ],
      "os": {
        "family": "",
        "platform": "amzn",
        "name": "Amazon Linux AMI",
        "version": "2017.03",
        "major": 2017,
        "minor": 3,
        "patch": 0
      },
      "timezone": "UTC",
      "timezone_offset_sec": 0
    }
  }
}
{
  "level": "info",
  "timestamp": "2019-03-27T01:29:04.673Z",
  "logger": "beat",
  "caller": "instance/beat.go:872",
  "message": "Process info",
  "system_info": {
    "process": {
      "capabilities": {
        "inheritable": null,
        "permitted": [
          "chown",
          "dac_override",
          "dac_read_search",
          "fowner",
          "fsetid",
          "kill",
          "setgid",
          "setuid",
          "setpcap",
          "linux_immutable",
          "net_bind_service",
          "net_broadcast",
          "net_admin",
          "net_raw",
          "ipc_lock",
          "ipc_owner",
          "sys_module",
          "sys_rawio",
          "sys_chroot",
          "sys_ptrace",
          "sys_pacct",
          "sys_admin",
          "sys_boot",
          "sys_nice",
          "sys_resource",
          "sys_time",
          "sys_tty_config",
          "mknod",
          "lease",
          "audit_write",
          "audit_control",
          "setfcap",
          "mac_override",
          "mac_admin",
          "syslog",
          "wake_alarm",
          "block_suspend",
          "audit_read"
        ],
        "effective": [
          "chown",
          "dac_override",
          "dac_read_search",
          "fowner",
          "fsetid",
          "kill",
          "setgid",
          "setuid",
          "setpcap",
          "linux_immutable",
          "net_bind_service",
          "net_broadcast",
          "net_admin",
          "net_raw",
          "ipc_lock",
          "ipc_owner",
          "sys_module",
          "sys_rawio",
          "sys_chroot",
          "sys_ptrace",
          "sys_pacct",
          "sys_admin",
          "sys_boot",
          "sys_nice",
          "sys_resource",
          "sys_time",
          "sys_tty_config",
          "mknod",
          "lease",
          "audit_write",
          "audit_control",
          "setfcap",
          "mac_override",
          "mac_admin",
          "syslog",
          "wake_alarm",
          "block_suspend",
          "audit_read"
        ],
        "bounding": [
          "chown",
          "dac_override",
          "dac_read_search",
          "fowner",
          "fsetid",
          "kill",
          "setgid",
          "setuid",
          "setpcap",
          "linux_immutable",
          "net_bind_service",
          "net_broadcast",
          "net_admin",
          "net_raw",
          "ipc_lock",
          "ipc_owner",
          "sys_module",
          "sys_rawio",
          "sys_chroot",
          "sys_ptrace",
          "sys_pacct",
          "sys_admin",
          "sys_boot",
          "sys_nice",
          "sys_resource",
          "sys_time",
          "sys_tty_config",
          "mknod",
          "lease",
          "audit_write",
          "audit_control",
          "setfcap",
          "mac_override",
          "mac_admin",
          "syslog",
          "wake_alarm",
          "block_suspend",
          "audit_read"
        ],
        "ambient": null
      },
      "cwd": "/",
      "exe": "/usr/share/auditbeat/bin/auditbeat",
      "name": "auditbeat",
      "pid": 19913,
      "ppid": 19912,
      "seccomp": {
        "mode": "disabled"
      },
      "start_time": "2019-03-27T01:29:04.370Z"
    }
  }
}
{
  "level": "info",
  "timestamp": "2019-03-27T01:29:04.673Z",
  "caller": "instance/beat.go:280",
  "message": "Setup Beat: auditbeat; Version: 8.0.0"
}
{
  "level": "info",
  "timestamp": "2019-03-27T01:29:04.673Z",
  "caller": "fileout/file.go:98",
  "message": "Initialized file output. path=/var/log/auditbeat/output.json max_size_bytes=10485760 max_backups=7 permissions=-rw-------"
}
{
  "level": "info",
  "timestamp": "2019-03-27T01:29:04.674Z",
  "logger": "publisher",
  "caller": "pipeline/module.go:97",
  "message": "Beat name: localhost.localdomain"
}
{
  "level": "info",
  "timestamp": "2019-03-27T01:29:04.674Z",
  "logger": "auditd",
  "caller": "auditd/audit_linux.go:104",
  "message": "auditd module is running as euid=0 on kernel=4.9.17-8.31.amzn1.x86_64"
}
{
  "level": "info",
  "timestamp": "2019-03-27T01:29:04.724Z",
  "logger": "auditd",
  "caller": "auditd/audit_linux.go:131",
  "message": "socket_type=unicast will be used."
}
{
  "level": "warn",
  "timestamp": "2019-03-27T01:29:04.725Z",
  "logger": "cfgwarn",
  "caller": "host/host.go:163",
  "message": "BETA: The system/host dataset is beta"
}
{
  "level": "warn",
  "timestamp": "2019-03-27T01:29:04.728Z",
  "logger": "cfgwarn",
  "caller": "process/process.go:128",
  "message": "BETA: The system/process dataset is beta"
}
{
  "level": "warn",
  "timestamp": "2019-03-27T01:29:04.728Z",
  "logger": "cfgwarn",
  "caller": "socket/socket.go:195",
  "message": "BETA: The system/socket dataset is beta"
}
{
  "level": "warn",
  "timestamp": "2019-03-27T01:29:04.734Z",
  "logger": "cfgwarn",
  "caller": "user/user.go:205",
  "message": "BETA: The system/user dataset is beta"
}
{
  "level": "warn",
  "timestamp": "2019-03-27T01:29:04.736Z",
  "logger": "cfgwarn",
  "caller": "login/login.go:95",
  "message": "BETA: The system/login dataset is beta"
}
{
  "level": "warn",
  "timestamp": "2019-03-27T01:29:04.737Z",
  "logger": "cfgwarn",
  "caller": "package/package.go:184",
  "message": "BETA: The system/package dataset is beta"
}
{
  "level": "error",
  "timestamp": "2019-03-27T01:29:04.737Z",
  "caller": "instance/beat.go:802",
  "message": "Exiting: 1 error: 1 error: this metricset does not support OS family "
}
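
The failure signature in the log above (a "Host info" entry with an empty `os.family`, followed by the fatal "does not support OS family" exit) can be checked for mechanically, so that hosts where Auditbeat died at startup and left a monitoring gap are found quickly. This is an added example, not part of the original issue or of the Beats code base; the names `entry`, `Finding` and `triage` are hypothetical, and the sample input is constructed from the fields shown in the log.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"strings"
)

// entry holds only the fields used here; encoding/json matches keys case-insensitively.
type entry struct {
	Level, Message string
	SystemInfo     struct {
		Host struct {
			OS struct{ Family, Platform string }
		}
	} `json:"system_info"`
}

// Finding summarizes one Auditbeat startup log.
type Finding struct {
	Platform      string
	FamilyMissing bool // "Host info" was logged with an empty os.family
	FatalExit     bool // the Beat exited with the unsupported-family error
}

// triage reads a stream of JSON log objects, compact or pretty-printed.
func triage(r io.Reader) (f Finding, err error) {
	dec := json.NewDecoder(r)
	for {
		var e entry
		if err = dec.Decode(&e); err == io.EOF {
			return f, nil
		} else if err != nil {
			return f, fmt.Errorf("decode log entry: %w", err)
		}
		if os := e.SystemInfo.Host.OS; e.Message == "Host info" {
			f.Platform, f.FamilyMissing = os.Platform, os.Family == ""
		}
		if e.Level == "error" && strings.Contains(e.Message, "does not support OS family") {
			f.FatalExit = true
		}
	}
}

func main() {
	// Constructed sample: two entries trimmed to the fields the log above shows.
	sample := `{"level":"info","message":"Host info","system_info":{"host":{"os":{"family":"","platform":"amzn"}}}}
{"level":"error","message":"Exiting: 1 error: 1 error: this metricset does not support OS family "}`
	fmt.Println(triage(strings.NewReader(sample)))
}
```

A `Finding` with `FamilyMissing` set but `FatalExit` unset marks a host that would hit the same error as soon as the package dataset is enabled.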
@andrewkroh
Member Author

I opened elastic/go-sysinfo#45 to address this.

andrewkroh added a commit to andrewkroh/beats that referenced this issue Mar 27, 2019
Fixes elastic#11490

(cherry picked from commit 548dbae7da49c69d4180c15249dd9384449e6c6b)
andrewkroh added a commit to andrewkroh/beats that referenced this issue Mar 28, 2019
andrewkroh added a commit that referenced this issue Mar 28, 2019
andrewkroh added a commit that referenced this issue Mar 28, 2019
* Update github.com/elastic/go-sysinfo

Fixes #11490 
Fixes #9134

(cherry picked from commit 548dbae7da49c69d4180c15249dd9384449e6c6b)
@Zeal0us

Zeal0us commented Apr 4, 2019

Is there a workaround for this? Currently running 6.7, would love to be able to use the system module on RHEL.

@andrewkroh
Member Author

I opened a backport to get the fix into the 6.7 branch. I didn't backport it earlier b/c the 6.7 branch was in a freeze for the 6.7.1 release.

andrewkroh added a commit that referenced this issue Apr 9, 2019
* Update github.com/elastic/go-sysinfo (#11494)

Fixes #11490
Fixes #9134

(cherry picked from commit e044c9c)