[Auditbeat] Unable to start; unable to guess one or more required parameters: guess_ip_local_out failed #18755

Aqualie · 2020-05-26T22:42:34Z

Linux 5.6.14-arch1-1
Auditbeat 7.7.0

May 26 18:33:36 REPLACED systemd[1]: Started Audit the activities of users and processes on your system..
May 26 18:33:36 REPLACED auditbeat[182610]: 2020-05-26T18:33:36.632-0400        INFO        instance/beat.go:621        Home path: [/opt/elastic/auditbeat] Config path: [/opt/elastic/auditbeat/conf] Data path: [/opt/elastic/auditbeat/data] Logs path: [/opt/elastic/auditbeat/logs]
May 26 18:33:36 REPLACED auditbeat[182610]: 2020-05-26T18:33:36.632-0400        INFO        instance/beat.go:629        Beat ID: REPLACED
May 26 18:33:36 REPLACED auditbeat[182610]: 2020-05-26T18:33:36.663-0400        INFO        [seccomp]        seccomp/seccomp.go:124        Syscall filter successfully installed
May 26 18:33:36 REPLACED auditbeat[182610]: 2020-05-26T18:33:36.663-0400        INFO        [beat]        instance/beat.go:957        Beat info        {"system_info": {"beat": {"path": {"config": "/opt/elastic/auditbeat/conf", "data": "/opt/elastic/auditbeat/data", "home": "/opt/elastic/auditbeat", "logs": "/opt/elastic/auditbeat/logs"}, "type": "auditbeat", "uuid": "REPLACED"}}}
May 26 18:33:36 REPLACED auditbeat[182610]: 2020-05-26T18:33:36.663-0400        INFO        [beat]        instance/beat.go:966        Build info        {"system_info": {"build": {"commit": "5e69e25b920e3d93bec76a09a31da3ab35a55607", "libbeat": "7.7.0", "time": "2020-05-17T13:09:33.000Z", "version": "7.7.0"}}}
May 26 18:33:36 REPLACED auditbeat[182610]: 2020-05-26T18:33:36.663-0400        INFO        [beat]        instance/beat.go:969        Go runtime info        {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":8,"version":"go1.13.9"}}}
May 26 18:33:36 REPLACED auditbeat[182610]: 2020-05-26T18:33:36.664-0400        INFO        [beat]        instance/beat.go:973        Host info        {"system_info": {"host": {"architecture":"x86_64","boot_time":"2020-05-26T14:13:53-04:00","containerized":false,"name":"REPLACED","ip":["127.0.0.1/8","169.254.169.22/16","REPLACED","REPLACED","REPLACED","172.17.0.1/16","172.18.0.1/16"],"kernel_version":"5.6.14-arch1-1","mac":["REPLACED","REPLACED","REPLACED","REPLACED","REPLACED","REPLACED","REPLACED","REPLACED","REPLACED"],"os":{"family":"","platform":"arch","name":"Arch Linux","version":"","major":0,"minor":0,"patch":0,"build":"rolling"},"timezone":"EDT","timezone_offset_sec":-14400,"id":"REPLACED"}}}
May 26 18:33:36 REPLACED auditbeat[182610]: 2020-05-26T18:33:36.664-0400        INFO        [beat]        instance/beat.go:1002        Process info        {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"ambient":null}, "cwd": "/", "exe": "/opt/elastic/auditbeat/auditbeat", "name": "auditbeat", "pid": 182610, "ppid": 1, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2020-05-26T18:33:36.410-0400"}}}
May 26 18:33:36 REPLACED auditbeat[182610]: 2020-05-26T18:33:36.664-0400        INFO        instance/beat.go:297        Setup Beat: auditbeat; Version: 7.7.0
May 26 18:33:36 REPLACED auditbeat[182610]: 2020-05-26T18:33:36.665-0400        INFO        [publisher]        pipeline/module.go:110        Beat name: REPLACED
May 26 18:33:36 REPLACED auditbeat[182610]: 2020-05-26T18:33:36.667-0400        INFO        [auditd]        auditd/audit_linux.go:106        auditd module is running as euid=0 on kernel=5.6.14-arch1-1
May 26 18:33:36 REPLACED auditbeat[182610]: 2020-05-26T18:33:36.667-0400        INFO        [auditd]        auditd/audit_linux.go:133        socket_type=unicast will be used.
May 26 18:33:36 REPLACED auditbeat[182610]: 2020-05-26T18:33:36.668-0400        WARN        [cfgwarn]        host/host.go:167        BETA: The system/host dataset is beta
May 26 18:33:36 REPLACED auditbeat[182610]: 2020-05-26T18:33:36.670-0400        WARN        [cfgwarn]        login/login.go:95        BETA: The system/login dataset is beta
May 26 18:33:36 REPLACED auditbeat[182610]: 2020-05-26T18:33:36.672-0400        WARN        [cfgwarn]        user/user.go:205        BETA: The system/user dataset is beta
May 26 18:33:36 REPLACED auditbeat[182610]: 2020-05-26T18:33:36.674-0400        WARN        [cfgwarn]        process/process.go:131        BETA: The system/process dataset is beta
May 26 18:33:36 REPLACED auditbeat[182610]: 2020-05-26T18:33:36.675-0400        WARN        [cfgwarn]        socket/socket_linux.go:87        BETA: The system/socket dataset is beta.
May 26 18:33:36 REPLACED auditbeat[182610]: 2020-05-26T18:33:36.694-0400        INFO        [socket]        socket/socket_linux.go:227        Setting up system/socket for kernel 5.6.14-arch1-1
May 26 18:33:36 REPLACED auditbeat[182610]: 2020-05-26T18:33:36.956-0400        INFO        [socket]        guess/guess.go:258        Running 17 guesses ...
May 26 18:33:36 REPLACED auditbeat[182311]: 2020-05-26T18:33:36.300-0400        INFO        instance/beat.go:411        auditbeat stopped.
May 26 18:33:36 REPLACED auditbeat[182311]: 2020-05-26T18:33:36.300-0400        ERROR        instance/beat.go:932        Exiting: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_ip_local_out failed: timeout while waiting for event
May 26 18:33:36 REPLACED auditbeat[182311]: Exiting: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_ip_local_out failed: timeout while waiting for event
May 26 18:33:36 REPLACED systemd[1]: auditbeat.service: Main process exited, code=exited, status=1/FAILURE
May 26 18:33:36 REPLACED systemd[1]: auditbeat.service: Failed with result 'exit-code'.
May 26 18:33:36 REPLACED systemd[1]: auditbeat.service: Scheduled restart job, restart counter is at 1.
May 26 18:33:36 REPLACED systemd[1]: Stopped Audit the activities of users and processes on your system..

The text was updated successfully, but these errors were encountered:

elasticmachine · 2020-05-26T23:06:12Z

Pinging @elastic/siem (Team:SIEM)

BBQigniter · 2020-06-03T10:22:37Z

to finally be able to test auditbeat on my Fedora 32 machine I had to disable "socket"-stuff completely by setting

- module: system
  datasets:
    - host    # General host information, e.g. uptime, IPs
    - login   # User logins, logouts, and system boots.
    - process # Started and stopped processes
#    - socket  # Opened and closed sockets
    - user    # User information

kimsyversen · 2020-06-11T16:23:40Z

I can confirm similar behaviour on Ubuntu 20.04 Server LTS.

Aqualie · 2020-06-19T20:06:56Z

Still broken in 7.8

nickchappell · 2020-06-23T01:53:14Z

I'm running into this as well on CentOS 8.1, 5.6 kernel.

MakoWish · 2020-10-06T22:42:47Z

Same on Kali Linux 2020.3 (Debian) using Auditbeat 7.9.2.

legoguy1000 · 2020-10-08T21:38:10Z

same on centos 7.8 with auditbeat 7.8.1 and 7.9.2

xennn · 2020-11-06T10:27:13Z

Same on Kali 2020.3 with Auditbeat 7.9.3

adriansr · 2020-11-06T11:55:37Z

Thanks all for your reports. Can you please provide the kernel version (uname -a)?

Also, does it always fail for the same "guess", or do you get different guess names in the error:

unable to guess one or more required parameters: guess_ip_local_out failed

Does adding socket.guess_timeout: 1m make a difference?

 - module: system
   datasets:
     - host    # General host information, e.g. uptime, IPs
     - login   # User logins, logouts, and system boots.
     - process # Started and stopped processes
     - socket  # Opened and closed sockets
     - user    # User information

   # How often datasets send state updates with the
   # current state of the system (e.g. all currently
   # running processes, all open sockets).
   state.period: 12h

   # Enabled by default. Auditbeat will read password fields in
   # /etc/passwd and /etc/shadow and store a hash locally to
   # detect any changes.
   user.detect_password_changes: true

   # File patterns of the login record files.
   login.wtmp_file_pattern: /var/log/wtmp*
   login.btmp_file_pattern: /var/log/btmp*
+  socket.guess_timeout: 1m

Aqualie · 2020-11-06T12:00:09Z

Thanks all for your reports. Can you please provide the kernel version (uname -a)?

Also, does it always fail for the same "guess", or do you get different guess names in the error:

unable to guess one or more required parameters: guess_ip_local_out failed

Does adding socket.guess_timeout: 1m make a difference?

 - module: system
   datasets:
     - host    # General host information, e.g. uptime, IPs
     - login   # User logins, logouts, and system boots.
     - process # Started and stopped processes
     - socket  # Opened and closed sockets
     - user    # User information

   # How often datasets send state updates with the
   # current state of the system (e.g. all currently
   # running processes, all open sockets).
   state.period: 12h

   # Enabled by default. Auditbeat will read password fields in
   # /etc/passwd and /etc/shadow and store a hash locally to
   # detect any changes.
   user.detect_password_changes: true

   # File patterns of the login record files.
   login.wtmp_file_pattern: /var/log/wtmp*
   login.btmp_file_pattern: /var/log/btmp*
+  socket.guess_timeout: 1m

5.8.3-arch-1-1

Added in socket.guess_timeout: 1m

Nov 06 06:57:55 xxxxxx auditbeat[3173119]: 2020-11-06T06:57:55.991-0500        INFO        [publisher]        pipeline/module.go:113        Beat name: xxxxxx
Nov 06 06:57:55 xxxxxx auditbeat[3173119]: 2020-11-06T06:57:55.996-0500        INFO        [auditd]        auditd/audit_linux.go:106        auditd module is running as euid=0 on kernel=5.8.3-arch1-1
Nov 06 06:57:55 xxxxxx auditbeat[3173119]: 2020-11-06T06:57:55.997-0500        INFO        [auditd]        auditd/audit_linux.go:133        socket_type=unicast will be used.
Nov 06 06:57:56 xxxxxx auditbeat[3173119]: 2020-11-06T06:57:56.000-0500        WARN        [cfgwarn]        host/host.go:184        BETA: The system/host dataset is beta
Nov 06 06:57:56 xxxxxx auditbeat[3173119]: 2020-11-06T06:57:56.001-0500        WARN        [cfgwarn]        login/login.go:95        BETA: The system/login dataset is beta
Nov 06 06:57:56 xxxxxx auditbeat[3173119]: 2020-11-06T06:57:56.002-0500        WARN        [cfgwarn]        user/user.go:232        BETA: The system/user dataset is beta
Nov 06 06:57:56 xxxxxx auditbeat[3173119]: 2020-11-06T06:57:56.005-0500        WARN        [cfgwarn]        process/process.go:146        BETA: The system/process dataset is beta
Nov 06 06:57:56 xxxxxx auditbeat[3173119]: 2020-11-06T06:57:56.006-0500        WARN        [cfgwarn]        socket/socket_linux.go:87        BETA: The system/socket dataset is beta.
Nov 06 06:57:56 xxxxxx auditbeat[3173119]: 2020-11-06T06:57:56.027-0500        INFO        [socket]        socket/socket_linux.go:227        Setting up system/socket for kernel 5.8.3-arch1-1
Nov 06 06:57:56 xxxxxx auditbeat[3173119]: 2020-11-06T06:57:56.399-0500        INFO        [socket]        guess/guess.go:258        Running 17 guesses ...
Nov 06 06:59:00 xxxxxx auditbeat[3173119]: 2020-11-06T06:59:00.026-0500        INFO        instance/beat.go:436        auditbeat stopped.
Nov 06 06:59:00 xxxxxx auditbeat[3173119]: 2020-11-06T06:59:00.026-0500        ERROR        instance/beat.go:958        Exiting: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_ip_local_out failed: timeout while waiting for event
Nov 06 06:59:00 xxxxxx auditbeat[3173119]: Exiting: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_ip_local_out failed: timeout while waiting for event
Nov 06 06:59:00 xxxxxx systemd[1]: auditbeat.service: Main process exited, code=exited, status=1/FAILURE
Nov 06 06:59:00 xxxxxx systemd[1]: auditbeat.service: Failed with result 'exit-code'.
Nov 06 06:59:00 xxxxxx systemd[1]: auditbeat.service: Scheduled restart job, restart counter is at 1.

xennn · 2020-11-06T12:38:37Z

Uninstall old Packeage with dpkg -P auditbeat. Then reinstall works for me! Then the service start.
But the config has now problems:

root@hostname:/etc/auditbeat# auditbeat test config
Exiting: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_ip_local_out failed: timeout while waiting for event

With Kernel
Linux 5.8.0-kali2-amd64 #1 SMP Debian 5.8.10-1kali1 (2020-09-22) x86_64 GNU/Linux

adriansr · 2020-11-16T18:47:58Z

There's a few things that can be going wrong:

Check that /proc/sys/kernel/ftrace_enabled is 1.
Check that /sys/kernel/debug/kprobes/enabled is 1.
Make sure that the system/socket dataset is started from an auditbeat.modules entry in auditbeat.yml (default), and not from a separate file in modules.d via auditbeat.config.modules. That will fail due to Auditbeat system/socket fails when started by config reloading #20851

rcmelendez · 2020-11-20T02:50:33Z

Same error on Fedora 33, kernel 5.8.16-300.fc33.x86_64 and auditbeat 7.9.3. I also added socket.guess_timeout: 1m but the same.

Aqualie · 2020-11-24T12:42:39Z

There's a few things that can be going wrong:

Check that /proc/sys/kernel/ftrace_enabled is 1.

Check that /sys/kernel/debug/kprobes/enabled is 1.

Make sure that the system/socket dataset is started from an auditbeat.modules entry in auditbeat.yml (default), and not from a separate file in modules.d via auditbeat.config.modules. That will fail due to Auditbeat system/socket fails when started by config reloading #20851

cat /sys/kernel/debug/kprobes/enabled
1
sudo cat /sys/kernel/debug/kprobes/enabled
1

system/socket is being run from auditbeat.yml

111andre111 · 2020-11-27T13:45:35Z

@adriansr
I have tested this one on Archlinux with Kernel
Linux archlinux 5.9.10-arch1-1 #1 SMP PREEMPT Sun, 22 Nov 2020 14:16:59 +0000 x86_64 GNU/Linux
by executing only the socket like this:

touch empty.yml
./auditbeat -c empty.yml -E auditbeat.modules.0.module=system -E auditbeat.modules.0.datasets.0=socket -E output.console.pretty=true -e -d '*' > 2>&1 >auditbeat-debug.log

And under Auditbeat 7.7.0 it crashed immediately:
auditbeat-debug.log
error message was:

ERROR	instance/beat.go:932	Exiting: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_sk_buff_proto failed: failed to add kprobe 'r:guess_recv_datagram {{.RECV_UDP_DATAGRAM}} +0({{.RET}}):u64 +8({{.RET}}):u64 +16({{.RET}}):u64 +24({{.RET}}):u64 +32({{.RET}}):u64 +40({{.RET}}):u64 +48({{.RET}}):u64 +56({{.RET}}):u64 +64({{.RET}}):u64 +72({{.RET}}):u64 +80({{.RET}}):u64 +88({{.RET}}):u64 +96({{.RET}}):u64 +104({{.RET}}):u64 +112({{.RET}}):u64 +120({{.RET}}):u64 +128({{.RET}}):u64 +136({{.RET}}):u64 +144({{.RET}}):u64 +152({{.RET}}):u64 +160({{.RET}}):u64 +168({{.RET}}):u64 +176({{.RET}}):u64 +184({{.RET}}):u64 +192({{.RET}}):u64 +200({{.RET}}):u64 +208({{.RET}}):u64 +216({{.RET}}):u64 +224({{.RET}}):u64 +232({{.RET}}):u64 +240({{.RET}}):u64 +248({{.RET}}):u64 +256({{.RET}}):u64 +264({{.RET}}):u64 +272({{.RET}}):u64 +280({{.RET}}):u64 +288({{.RET}}):u64 +296({{.RET}}):u64 +304({{.RET}}):u64 +312({{.RET}}):u64 +320({{.RET}}):u64 +328({{.RET}}):u64 +336({{.RET}}):u64 +344({{.RET}}):u64 +352({{.RET}}):u64 +360({{.RET}}):u64 +368({{.RET}}):u64 +376({{.RET}}):u64 +384({{.RET}}):u64 +392({{.RET}}):u64 +400({{.RET}}):u64 +408({{.RET}}):u64 +416({{.RET}}):u64 +424({{.RET}}):u64 +432({{.RET}}):u64 +440({{.RET}}):u64 +448({{.RET}}):u64 +456({{.RET}}):u64 +464({{.RET}}):u64 +472({{.RET}}):u64 +480({{.RET}}):u64 +488({{.RET}}):u64 +496({{.RET}}):u64 +504({{.RET}}):u64 +512({{.RET}}):u64 +520({{.RET}}):u64 +528({{.RET}}):u64 +536({{.RET}}):u64 +544({{.RET}}):u64 +552({{.RET}}):u64 +560({{.RET}}):u64 +568({{.RET}}):u64 +576({{.RET}}):u64 +584({{.RET}}):u64 +592({{.RET}}):u64 +600({{.RET}}):u64 +608({{.RET}}):u64 +616({{.RET}}):u64 +624({{.RET}}):u64 +632({{.RET}}):u64 +640({{.RET}}):u64 +648({{.RET}}):u64 +656({{.RET}}):u64 +664({{.RET}}):u64 +672({{.RET}}):u64 +680({{.RET}}):u64 +688({{.RET}}):u64 +696({{.RET}}):u64 +704({{.RET}}):u64 +712({{.RET}}):u64 +720({{.RET}}):u64 +728({{.RET}}):u64 +736({{.RET}}):u64 +744({{.RET}}):u64 +752({{.RET}}):u64 +760({{.RET}}):u64 +768({{.RET}}):u64 +776({{.RET}}):u64 +784({{.RET}}):u64 +792({{.RET}}):u64 +800({{.RET}}):u64 +808({{.RET}}):u64 +816({{.RET}}):u64 +824({{.RET}}):u64 +832({{.RET}}):u64 +840({{.RET}}):u64 +848({{.RET}}):u64 +856({{.RET}}):u64 +864({{.RET}}):u64 +872({{.RET}}):u64 +880({{.RET}}):u64 +888({{.RET}}):u64 +896({{.RET}}):u64 +904({{.RET}}):u64 +912({{.RET}}):u64 +920({{.RET}}):u64 +928({{.RET}}):u64 +936({{.RET}}):u64 +944({{.RET}}):u64 +952({{.RET}}):u64 +960({{.RET}}):u64 +968({{.RET}}):u64 +976({{.RET}}):u64 +984({{.RET}}):u64 +992({{.RET}}):u64 +1000({{.RET}}):u64 +1008({{.RET}}):u64 +1016({{.RET}}):u64': failed installing probe 'r:auditbeat/guess_recv_datagram __skb_recv_udp +0(%ax):u64 +8(%ax):u64 +16(%ax):u64 +24(%ax):u64 +32(%ax):u64 +40(%ax):u64 +48(%ax):u64 +56(%ax):u64 +64(%ax):u64 +72(%ax):u64 +80(%ax):u64 +88(%ax):u64 +96(%ax):u64 +104(%ax):u64 +112(%ax):u64 +120(%ax):u64 +128(%ax):u64 +136(%ax):u64 +144(%ax):u64 +152(%ax):u64 +160(%ax):u64 +168(%ax):u64 +176(%ax):u64 +184(%ax):u64 +192(%ax):u64 +200(%ax):u64 +208(%ax):u64 +216(%ax):u64 +224(%ax):u64 +232(%ax):u64 +240(%ax):u64 +248(%ax):u64 +256(%ax):u64 +264(%ax):u64 +272(%ax):u64 +280(%ax):u64 +288(%ax):u64 +296(%ax):u64 +304(%ax):u64 +312(%ax):u64 +320(%ax):u64 +328(%ax):u64 +336(%ax):u64 +344(%ax):u64 +352(%ax):u64 +360(%ax):u64 +368(%ax):u64 +376(%ax):u64 +384(%ax):u64 +392(%ax):u64 +400(%ax):u64 +408(%ax):u64 +416(%ax):u64 +424(%ax):u64 +432(%ax):u64 +440(%ax):u64 +448(%ax):u64 +456(%ax):u64 +464(%ax):u64 +472(%ax):u64 +480(%ax):u64 +488(%ax):u64 +496(%ax):u64 +504(%ax):u64 +512(%ax):u64 +520(%ax):u64 +528(%ax):u64 +536(%ax):u64 +544(%ax):u64 +552(%ax):u64 +560(%ax):u64 +568(%ax):u64 +576(%ax):u64 +584(%ax):u64 +592(%ax):u64 +600(%ax):u64 +608(%ax):u64 +616(%ax):u64 +624(%ax):u64 +632(%ax):u64 +640(%ax):u64 +648(%ax):u64 +656(%ax):u64 +664(%ax):u64 +672(%ax):u64 +680(%ax):u64 +688(%ax):u64 +696(%ax):u64 +704(%ax):u64 +712(%ax):u64 +720(%ax):u64 +728(%ax):u64 +736(%ax):u64 +744(%ax):u64 +752(%ax):u64 +760(%ax):u64 +768(%ax):u64 +776(%ax):u64 +784(%ax):u64 +792(%ax):u64 +800(%ax):u64 +808(%ax):u64 +816(%ax):u64 +824(%ax):u64 +832(%ax):u64 +840(%ax):u64 +848(%ax):u64 +856(%ax):u64 +864(%ax):u64 +872(%ax):u64 +880(%ax):u64 +888(%ax):u64 +896(%ax):u64 +904(%ax):u64 +912(%ax):u64 +920(%ax):u64 +928(%ax):u64 +936(%ax):u64 +944(%ax):u64 +952(%ax):u64 +960(%ax):u64 +968(%ax):u64 +976(%ax):u64 +984(%ax):u64 +992(%ax):u64 +1000(%ax):u64 +1008(%ax):u64 +1016(%ax):u64': write /sys/kernel/tracing/kprobe_events: file exists
Exiting: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_sk_buff_proto failed: failed to add kprobe 'r:guess_recv_datagram {{.RECV_UDP_DATAGRAM}} +0({{.RET}}):u64 +8({{.RET}}):u64 +16({{.RET}}):u64 +24({{.RET}}):u64 +32({{.RET}}):u64 +40({{.RET}}):u64 +48({{.RET}}):u64 +56({{.RET}}):u64 +64({{.RET}}):u64 +72({{.RET}}):u64 +80({{.RET}}):u64 +88({{.RET}}):u64 +96({{.RET}}):u64 +104({{.RET}}):u64 +112({{.RET}}):u64 +120({{.RET}}):u64 +128({{.RET}}):u64 +136({{.RET}}):u64 +144({{.RET}}):u64 +152({{.RET}}):u64 +160({{.RET}}):u64 +168({{.RET}}):u64 +176({{.RET}}):u64 +184({{.RET}}):u64 +192({{.RET}}):u64 +200({{.RET}}):u64 +208({{.RET}}):u64 +216({{.RET}}):u64 +224({{.RET}}):u64 +232({{.RET}}):u64 +240({{.RET}}):u64 +248({{.RET}}):u64 +256({{.RET}}):u64 +264({{.RET}}):u64 +272({{.RET}}):u64 +280({{.RET}}):u64 +288({{.RET}}):u64 +296({{.RET}}):u64 +304({{.RET}}):u64 +312({{.RET}}):u64 +320({{.RET}}):u64 +328({{.RET}}):u64 +336({{.RET}}):u64 +344({{.RET}}):u64 +352({{.RET}}):u64 +360({{.RET}}):u64 +368({{.RET}}):u64 +376({{.RET}}):u64 +384({{.RET}}):u64 +392({{.RET}}):u64 +400({{.RET}}):u64 +408({{.RET}}):u64 +416({{.RET}}):u64 +424({{.RET}}):u64 +432({{.RET}}):u64 +440({{.RET}}):u64 +448({{.RET}}):u64 +456({{.RET}}):u64 +464({{.RET}}):u64 +472({{.RET}}):u64 +480({{.RET}}):u64 +488({{.RET}}):u64 +496({{.RET}}):u64 +504({{.RET}}):u64 +512({{.RET}}):u64 +520({{.RET}}):u64 +528({{.RET}}):u64 +536({{.RET}}):u64 +544({{.RET}}):u64 +552({{.RET}}):u64 +560({{.RET}}):u64 +568({{.RET}}):u64 +576({{.RET}}):u64 +584({{.RET}}):u64 +592({{.RET}}):u64 +600({{.RET}}):u64 +608({{.RET}}):u64 +616({{.RET}}):u64 +624({{.RET}}):u64 +632({{.RET}}):u64 +640({{.RET}}):u64 +648({{.RET}}):u64 +656({{.RET}}):u64 +664({{.RET}}):u64 +672({{.RET}}):u64 +680({{.RET}}):u64 +688({{.RET}}):u64 +696({{.RET}}):u64 +704({{.RET}}):u64 +712({{.RET}}):u64 +720({{.RET}}):u64 +728({{.RET}}):u64 +736({{.RET}}):u64 +744({{.RET}}):u64 +752({{.RET}}):u64 +760({{.RET}}):u64 +768({{.RET}}):u64 +776({{.RET}}):u64 +784({{.RET}}):u64 +792({{.RET}}):u64 +800({{.RET}}):u64 +808({{.RET}}):u64 +816({{.RET}}):u64 +824({{.RET}}):u64 +832({{.RET}}):u64 +840({{.RET}}):u64 +848({{.RET}}):u64 +856({{.RET}}):u64 +864({{.RET}}):u64 +872({{.RET}}):u64 +880({{.RET}}):u64 +888({{.RET}}):u64 +896({{.RET}}):u64 +904({{.RET}}):u64 +912({{.RET}}):u64 +920({{.RET}}):u64 +928({{.RET}}):u64 +936({{.RET}}):u64 +944({{.RET}}):u64 +952({{.RET}}):u64 +960({{.RET}}):u64 +968({{.RET}}):u64 +976({{.RET}}):u64 +984({{.RET}}):u64 +992({{.RET}}):u64 +1000({{.RET}}):u64 +1008({{.RET}}):u64 +1016({{.RET}}):u64': failed installing probe 'r:auditbeat/guess_recv_datagram __skb_recv_udp +0(%ax):u64 +8(%ax):u64 +16(%ax):u64 +24(%ax):u64 +32(%ax):u64 +40(%ax):u64 +48(%ax):u64 +56(%ax):u64 +64(%ax):u64 +72(%ax):u64 +80(%ax):u64 +88(%ax):u64 +96(%ax):u64 +104(%ax):u64 +112(%ax):u64 +120(%ax):u64 +128(%ax):u64 +136(%ax):u64 +144(%ax):u64 +152(%ax):u64 +160(%ax):u64 +168(%ax):u64 +176(%ax):u64 +184(%ax):u64 +192(%ax):u64 +200(%ax):u64 +208(%ax):u64 +216(%ax):u64 +224(%ax):u64 +232(%ax):u64 +240(%ax):u64 +248(%ax):u64 +256(%ax):u64 +264(%ax):u64 +272(%ax):u64 +280(%ax):u64 +288(%ax):u64 +296(%ax):u64 +304(%ax):u64 +312(%ax):u64 +320(%ax):u64 +328(%ax):u64 +336(%ax):u64 +344(%ax):u64 +352(%ax):u64 +360(%ax):u64 +368(%ax):u64 +376(%ax):u64 +384(%ax):u64 +392(%ax):u64 +400(%ax):u64 +408(%ax):u64 +416(%ax):u64 +424(%ax):u64 +432(%ax):u64 +440(%ax):u64 +448(%ax):u64 +456(%ax):u64 +464(%ax):u64 +472(%ax):u64 +480(%ax):u64 +488(%ax):u64 +496(%ax):u64 +504(%ax):u64 +512(%ax):u64 +520(%ax):u64 +528(%ax):u64 +536(%ax):u64 +544(%ax):u64 +552(%ax):u64 +560(%ax):u64 +568(%ax):u64 +576(%ax):u64 +584(%ax):u64 +592(%ax):u64 +600(%ax):u64 +608(%ax):u64 +616(%ax):u64 +624(%ax):u64 +632(%ax):u64 +640(%ax):u64 +648(%ax):u64 +656(%ax):u64 +664(%ax):u64 +672(%ax):u64 +680(%ax):u64 +688(%ax):u64 +696(%ax):u64 +704(%ax):u64 +712(%ax):u64 +720(%ax):u64 +728(%ax):u64 +736(%ax):u64 +744(%ax):u64 +752(%ax):u64 +760(%ax):u64 +768(%ax):u64 +776(%ax):u64 +784(%ax):u64 +792(%ax):u64 +800(%ax):u64 +808(%ax):u64 +816(%ax):u64 +824(%ax):u64 +832(%ax):u64 +840(%ax):u64 +848(%ax):u64 +856(%ax):u64 +864(%ax):u64 +872(%ax):u64 +880(%ax):u64 +888(%ax):u64 +896(%ax):u64 +904(%ax):u64 +912(%ax):u64 +920(%ax):u64 +928(%ax):u64 +936(%ax):u64 +944(%ax):u64 +952(%ax):u64 +960(%ax):u64 +968(%ax):u64 +976(%ax):u64 +984(%ax):u64 +992(%ax):u64 +1000(%ax):u64 +1008(%ax):u64 +1016(%ax):u64': write /sys/kernel/tracing/kprobe_events: file exists

However under 7.10.0 it didn't crash:
auditbeat-debug-7.10.0.log

And that sounds like this issue #20851 or this one: #16046

111andre111 · 2020-11-27T13:47:42Z

@legoguy1000 @Aqualie @xennn
Can you please test auditbeat 7.10.0?

Aqualie · 2020-11-27T16:28:11Z

Finished upgrading both kernel and auditbeat still having the same error:

» uname -a Linux xxxxxxx 5.9.10-arch1-1 #1 SMP PREEMPT Sun, 22 Nov 2020 14:16:59 +0000 x86_64 GNU/Linux

Nov 27 11:22:59 xxxxx auditbeat[xxx]: 2020-11-27T11:22:59.415-0500        INFO        instance/beat.go:645        Home path: [/opt/elastic/auditbeat] Config path: [/opt/elastic/auditbeat/conf] Data path: [/opt/elastic/auditbeat/data] Logs path: [/opt/elastic/auditbeat/logs]
Nov 27 11:22:59 xxxxx auditbeat[xxx]: 2020-11-27T11:22:59.415-0500        INFO        instance/beat.go:653        Beat ID: xxxxxxxxxxxxxxxx
Nov 27 11:22:59 xxxxx auditbeat[xxx]: 2020-11-27T11:22:59.448-0500        INFO        [seccomp]        seccomp/seccomp.go:124        Syscall filter successfully installed
Nov 27 11:22:59 xxxxx auditbeat[xxx]: 2020-11-27T11:22:59.448-0500        INFO        [beat]        instance/beat.go:981        Beat info        {"system_info": {"beat": {"path": {"config": "/opt/elastic/auditbeat/conf", "data": "/opt/elastic/auditbeat/data", "home": "/opt/elastic/auditbeat", "logs": "/opt/elastic/auditbeat/logs"}, "type": "auditbeat", "uuid": "xxxxxxxxxxx"}}}
Nov 27 11:22:59 xxxxx auditbeat[xxx]: 2020-11-27T11:22:59.448-0500        INFO        [beat]        instance/beat.go:990        Build info        {"system_info": {"build": {"commit": "1428d58cf2ed945441fb2ed03961cafa9e4ad3eb", "libbeat": "7.10.0", "time": "2020-11-09T19:51:05.000Z", "version": "7.10.0"}}}
Nov 27 11:22:59 xxxxx auditbeat[xxx]: 2020-11-27T11:22:59.448-0500        INFO        [beat]        instance/beat.go:993        Go runtime info        {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":8,"version":"go1.14.7"}}}
Nov 27 11:22:59 xxxxx auditbeat[xxx]: 2020-11-27T11:22:59.450-0500        INFO        [beat]        instance/beat.go:997        Host info        {"system_info": {"host": {"architecture":"x86_64","boot_time":"2020-11-27T10:18:20-05:00","containerized":false,"name":"xxxxx","ip":["xxxxxxxxxxxx"],"kernel_version":"5.9.10-arch1-1","mac":["xxxxxxxx"],"os":{"family":"","platform":"arch","name":"Arch Linux","version":"","major":0,"minor":0,"patch":0,"build":"rolling"},"timezone":"EST","timezone_offset_sec":-18000,"id":"xxxxxx"}}}
Nov 27 11:22:59 xxxxx auditbeat[xxx]: 2020-11-27T11:22:59.450-0500        INFO        [beat]        instance/beat.go:1026        Process info        {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"ambient":null}, "cwd": "/", "exe": "/opt/elastic/auditbeat/auditbeat", "name": "auditbeat", "pid": xxxxx, "ppid": 1, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2020-11-27T11:22:58.790-0500"}}}
Nov 27 11:22:59 xxxxx auditbeat[xxx]: 2020-11-27T11:22:59.451-0500        INFO        instance/beat.go:299        Setup Beat: auditbeat; Version: 7.10.0
Nov 27 11:22:59 xxxxx auditbeat[xxx]: 2020-11-27T11:22:59.451-0500        INFO        [publisher]        pipeline/module.go:113        Beat name: xxxxx
Nov 27 11:22:59 xxxxx auditbeat[xxx]: 2020-11-27T11:22:59.454-0500        INFO        [auditd]        auditd/audit_linux.go:106        auditd module is running as euid=0 on kernel=5.9.10-arch1-1
Nov 27 11:22:59 xxxxx auditbeat[xxx]: 2020-11-27T11:22:59.454-0500        INFO        [auditd]        auditd/audit_linux.go:133        socket_type=unicast will be used.
Nov 27 11:22:59 xxxxx auditbeat[xxx]: 2020-11-27T11:22:59.455-0500        WARN        [cfgwarn]        host/host.go:184        BETA: The system/host dataset is beta
Nov 27 11:22:59 xxxxx auditbeat[xxx]: 2020-11-27T11:22:59.458-0500        WARN        [cfgwarn]        login/login.go:95        BETA: The system/login dataset is beta
Nov 27 11:22:59 xxxxx auditbeat[xxx]: 2020-11-27T11:22:59.460-0500        WARN        [cfgwarn]        user/user.go:232        BETA: The system/user dataset is beta
Nov 27 11:22:59 xxxxx auditbeat[xxx]: 2020-11-27T11:22:59.464-0500        WARN        [cfgwarn]        process/process.go:146        BETA: The system/process dataset is beta
Nov 27 11:22:59 xxxxx auditbeat[xxx]: 2020-11-27T11:22:59.470-0500        WARN        [cfgwarn]        socket/socket_linux.go:91        BETA: The system/socket dataset is beta.
Nov 27 11:22:59 xxxxx auditbeat[xxx]: 2020-11-27T11:22:59.496-0500        INFO        [socket]        socket/socket_linux.go:231        Setting up system/socket for kernel 5.9.10-arch1-1
Nov 27 11:22:59 xxxxx auditbeat[xxx]: 2020-11-27T11:22:59.784-0500        INFO        [socket]        guess/guess.go:258        Running 17 guesses ...
Nov 27 11:23:16 xxxxx auditbeat[xxx]: 2020-11-27T11:23:16.698-0500        INFO        instance/beat.go:424        auditbeat stopped.
Nov 27 11:23:16 xxxxx auditbeat[xxx]: 2020-11-27T11:23:16.699-0500        ERROR        instance/beat.go:956        Exiting: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_ip_local_out failed: timeout while waiting for event
Nov 27 11:23:16 xxxxx auditbeat[xxx]: Exiting: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_ip_local_out failed: timeout while waiting for event
Nov 27 11:23:16 xxxxx systemd[1]: auditbeat.service: Main process exited, code=exited, status=1/FAILURE
Nov 27 11:23:16 xxxxx systemd[1]: auditbeat.service: Failed with result 'exit-code'.
Nov 27 11:23:16 xxxxx systemd[1]: auditbeat.service: Scheduled restart job, restart counter is at 201.

sysctl if it makes a difference:

net.ipv4.ip_local_port_range = 2048 65535
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
vm.max_map_count = 262144
net.core.rmem_max=33554432
net.core.rmem_default=262144
net.core.somaxconn=65535
net.core.netdev_max_backlog=65536
net.core.optmem_max=25165824
net.ipv4.udp_rmem_min=131072
net.ipv4.udp_mem=2097152 4194304 8388608

Aqualie · 2020-11-27T16:54:46Z

Also to add this machine has multiple vlan's with a bridged interface (same network configuration I've had since using auditbeat since version 6)

111andre111 · 2020-11-27T22:13:14Z

@Aqualie
Would you mind to execute the 2 commands for the oneliner and post the debug log.
Please obfuscate first what you want to hide from the log like the machine name:

touch empty.yml
./auditbeat -c empty.yml -E auditbeat.modules.0.module=system -E auditbeat.modules.0.datasets.0=socket -E output.console.pretty=true -e -d '*' > 2>&1 >auditbeat-debug.log

And last but not least it might be helpful to understand how this network config looks like: ip -d addr show

Aqualie · 2020-11-27T22:25:35Z

Had to modify the output abit as I'm using zsh and directory ownership is different:
sudo -E ./auditbeat -c empty.yml -E auditbeat.modules.0.module=system -E auditbeat.modules.0.datasets.0=socket -E output.console.pretty=true -e -d '*' &>auditbeat-debug.log

2020-11-27T17:20:07.743-0500	INFO	instance/beat.go:645	Home path: [/opt/elastic/auditbeat] Config path: [/opt/elastic/auditbeat] Data path: [/opt/elastic/auditbeat/data] Logs path: [/opt/elastic/auditbeat/logs]
2020-11-27T17:20:07.743-0500	DEBUG	[beat]	instance/beat.go:697	Beat metadata path: /opt/elastic/auditbeat/data/meta.json
2020-11-27T17:20:07.743-0500	INFO	instance/beat.go:653	Beat ID: xxxxxxxxxxxxxxx
2020-11-27T17:20:07.743-0500	DEBUG	[seccomp]	seccomp/seccomp.go:117	Loading syscall filter	{"seccomp_filter": {"no_new_privs":true,"flag":"tsync","policy":{"default_action":"errno","syscalls":[{"names":["accept","accept4","access","arch_prctl","bind","brk","chmod","chown","clock_gettime","clone","close","connect","dup","dup2","epoll_create","epoll_create1","epoll_ctl","epoll_pwait","epoll_wait","exit","exit_group","fchdir","fchmod","fchmodat","fchown","fchownat","fcntl","fdatasync","flock","fstat","fstatfs","fsync","ftruncate","futex","getcwd","getdents","getdents64","geteuid","getgid","getpeername","getpid","getppid","getrandom","getrlimit","getrusage","getsockname","getsockopt","gettid","gettimeofday","getuid","inotify_add_watch","inotify_init1","inotify_rm_watch","ioctl","kill","listen","lseek","lstat","madvise","mincore","mkdirat","mmap","mprotect","munmap","nanosleep","newfstatat","open","openat","pipe","pipe2","poll","ppoll","pread64","pselect6","pwrite64","read","readlink","readlinkat","recvfrom","recvmmsg","recvmsg","rename","renameat","rt_sigaction","rt_sigprocmask","rt_sigreturn","sched_getaffinity","sched_yield","sendfile","sendmmsg","sendmsg","sendto","set_robust_list","setitimer","setsockopt","shutdown","sigaltstack","socket","splice","stat","statfs","sysinfo","tgkill","time","tkill","uname","unlink","unlinkat","wait4","waitid","write","writev","umask","mremap","perf_event_open","eventfd2","mount","umount2"],"action":"allow"}]}}}
2020-11-27T17:20:07.744-0500	INFO	[seccomp]	seccomp/seccomp.go:124	Syscall filter successfully installed
2020-11-27T17:20:07.744-0500	INFO	[beat]	instance/beat.go:981	Beat info	{"system_info": {"beat": {"path": {"config": "/opt/elastic/auditbeat", "data": "/opt/elastic/auditbeat/data", "home": "/opt/elastic/auditbeat", "logs": "/opt/elastic/auditbeat/logs"}, "type": "auditbeat", "uuid": "xxxxxxxxxxxxxxx"}}}
2020-11-27T17:20:07.744-0500	INFO	[beat]	instance/beat.go:990	Build info	{"system_info": {"build": {"commit": "1428d58cf2ed945441fb2ed03961cafa9e4ad3eb", "libbeat": "7.10.0", "time": "2020-11-09T19:51:05.000Z", "version": "7.10.0"}}}
2020-11-27T17:20:07.744-0500	INFO	[beat]	instance/beat.go:993	Go runtime info	{"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":8,"version":"go1.14.7"}}}
2020-11-27T17:20:07.745-0500	INFO	[beat]	instance/beat.go:997	Host info	{"system_info": {"host": {"architecture":"x86_64","boot_time":"2020-11-27T12:00:02-05:00","containerized":false,"name":"xxxxxxxxxxxxxxx","ip":["xxxxxxxxxxxxxxx"],"kernel_version":"5.9.10-arch1-1","mac":["xxxxxxxxxxxxxxx"],"os":{"family":"","platform":"arch","name":"Arch Linux","version":"","major":0,"minor":0,"patch":0,"build":"rolling"},"timezone":"EST","timezone_offset_sec":-18000,"id":"xxxxxxxxxxxxx}}}
2020-11-27T17:20:07.745-0500	INFO	[beat]	instance/beat.go:1026	Process info	{"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"ambient":null}, "cwd": "/opt/elastic/auditbeat", "exe": "/opt/elastic/auditbeat/auditbeat", "name": "auditbeat", "pid": xxxxx, "ppid": xxxx, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2020-11-27T17:20:07.630-0500"}}}
2020-11-27T17:20:07.745-0500	INFO	instance/beat.go:299	Setup Beat: auditbeat; Version: 7.10.0
2020-11-27T17:20:07.745-0500	DEBUG	[beat]	instance/beat.go:325	Initializing output plugins
2020-11-27T17:20:07.745-0500	DEBUG	[publisher]	pipeline/consumer.go:148	start pipeline event consumer
2020-11-27T17:20:07.745-0500	INFO	[publisher]	pipeline/module.go:113	Beat name: xxxxxx
2020-11-27T17:20:07.745-0500	DEBUG	[modules]	beater/metricbeat.go:151	Available modules and metricsets: Register [ModuleFactory:[system], MetricSetFactory:[auditd/auditd, file_integrity/file, system/host, system/login, system/package, system/process, system/socket, system/user]]
2020-11-27T17:20:07.748-0500	WARN	[cfgwarn]	socket/socket_linux.go:91	BETA: The system/socket dataset is beta.
2020-11-27T17:20:07.775-0500	INFO	[socket]	socket/socket_linux.go:231	Setting up system/socket for kernel 5.9.10-arch1-1
2020-11-27T17:20:07.776-0500	DEBUG	[socket]	socket/socket_linux.go:279	IPv6 supported: false
2020-11-27T17:20:07.776-0500	DEBUG	[socket]	socket/socket_linux.go:286	IPv6 enabled: false
2020-11-27T17:20:08.196-0500	DEBUG	[socket]	socket/socket_linux.go:347	Selected kernel function __x64_sys_execve for SYS_EXECVE
2020-11-27T17:20:08.196-0500	DEBUG	[socket]	socket/socket_linux.go:347	Selected kernel function __x64_sys_gettimeofday for SYS_GETTIMEOFDAY
2020-11-27T17:20:08.196-0500	DEBUG	[socket]	socket/socket_linux.go:347	Selected kernel function __x64_sys_newuname for SYS_UNAME
2020-11-27T17:20:08.196-0500	DEBUG	[socket]	socket/socket_linux.go:347	Selected kernel function ip_local_out for IP_LOCAL_OUT
2020-11-27T17:20:08.196-0500	DEBUG	[socket]	socket/socket_linux.go:347	Selected kernel function __skb_recv_udp for RECV_UDP_DATAGRAM
2020-11-27T17:20:08.202-0500	INFO	[socket]	guess/guess.go:258	Running 17 guesses ...
2020-11-27T17:20:08.366-0500	DEBUG	[socket]	guess/guess.go:287	Guess guess_udp_sendmsg completed: {"UDP_SENDMSG_LEN":"%dx","UDP_SENDMSG_MSG":"%si","UDP_SENDMSG_SOCK":"%di"}
2020-11-27T17:20:08.513-0500	DEBUG	[socket]	guess/guess.go:112	 --- result of guess_inet_sock run #1: {"INET_SOCK_LADDR":[4,84,768,920],"INET_SOCK_LPORT":[776,930],"INET_SOCK_RADDR":[0,68,924],"INET_SOCK_RPORT":[12,928]}
2020-11-27T17:20:08.646-0500	DEBUG	[socket]	guess/guess.go:112	 --- result of guess_inet_sock run #2: {"INET_SOCK_LADDR":[4,84,768,920],"INET_SOCK_LPORT":[776,930],"INET_SOCK_RADDR":[0,68,924],"INET_SOCK_RPORT":[12,928]}
2020-11-27T17:20:08.749-0500	DEBUG	[socket]	guess/guess.go:112	 --- result of guess_inet_sock run #3: {"INET_SOCK_LADDR":[4,84,768,920],"INET_SOCK_LPORT":[776,930],"INET_SOCK_RADDR":[0,68,924],"INET_SOCK_RPORT":[12,928]}
2020-11-27T17:20:08.879-0500	DEBUG	[socket]	guess/guess.go:112	 --- result of guess_inet_sock run #4: {"INET_SOCK_LADDR":[4,84,768,920],"INET_SOCK_LPORT":[776,930],"INET_SOCK_RADDR":[0,68,924],"INET_SOCK_RPORT":[12,928]}
2020-11-27T17:20:08.880-0500	DEBUG	[socket]	guess/guess.go:287	Guess guess_inet_sock completed: {"INET_SOCK_LADDR":4,"INET_SOCK_LADDR_LIST":[4,84,768,920],"INET_SOCK_LPORT":776,"INET_SOCK_LPORT_LIST":[776,930],"INET_SOCK_RADDR":0,"INET_SOCK_RADDR_LIST":[0,68,924],"INET_SOCK_RPORT":12,"INET_SOCK_RPORT_LIST":[12,928]}
2020-11-27T17:20:09.079-0500	DEBUG	[socket]	guess/guess.go:287	Guess guess_struct_socket_sk completed: {"SOCKET_SOCK":24}
2020-11-27T17:20:09.166-0500	DEBUG	[socket]	guess/guess.go:287	Guess guess_syscall_args completed: {"SYS_P1":"+0x70(%di)","SYS_P2":"+0x68(%di)","SYS_P3":"+0x60(%di)","SYS_P4":"+0x38(%di)","SYS_P5":"+0x48(%di)","SYS_P6":"+0x40(%di)"}
2020-11-27T17:20:09.166-0500	DEBUG	[socket]	guess/guess.go:270	Guess guess_inet_sock_ipv6 skipped.
2020-11-27T17:20:09.281-0500	DEBUG	[socket]	guess/guess.go:112	 --- result of guess_inet_sock_af run #1: {"INET_SOCK_AF":[16]}
2020-11-27T17:20:09.409-0500	DEBUG	[socket]	guess/guess.go:112	 --- result of guess_inet_sock_af run #2: {"INET_SOCK_AF":[16]}
2020-11-27T17:20:09.526-0500	DEBUG	[socket]	guess/guess.go:112	 --- result of guess_inet_sock_af run #3: {"INET_SOCK_AF":[16]}
2020-11-27T17:20:09.626-0500	DEBUG	[socket]	guess/guess.go:112	 --- result of guess_inet_sock_af run #4: {"INET_SOCK_AF":[16]}
2020-11-27T17:20:09.722-0500	DEBUG	[socket]	guess/guess.go:112	 --- result of guess_inet_sock_af run #5: {"INET_SOCK_AF":[16]}
2020-11-27T17:20:09.780-0500	DEBUG	[socket]	guess/guess.go:112	 --- result of guess_inet_sock_af run #6: {"INET_SOCK_AF":[16]}
2020-11-27T17:20:09.872-0500	DEBUG	[socket]	guess/guess.go:112	 --- result of guess_inet_sock_af run #7: {"INET_SOCK_AF":[16]}
2020-11-27T17:20:09.976-0500	DEBUG	[socket]	guess/guess.go:112	 --- result of guess_inet_sock_af run #8: {"INET_SOCK_AF":[16]}
2020-11-27T17:20:10.072-0500	DEBUG	[socket]	guess/guess.go:112	 --- result of guess_inet_sock_af run #9: {"INET_SOCK_AF":[16]}
2020-11-27T17:20:10.176-0500	DEBUG	[socket]	guess/guess.go:112	 --- result of guess_inet_sock_af run #10: {"INET_SOCK_AF":[16]}
2020-11-27T17:20:10.176-0500	DEBUG	[socket]	guess/guess.go:287	Guess guess_inet_sock_af completed: {"INET_SOCK_AF":16}
2020-11-27T17:20:10.282-0500	DEBUG	[socket]	guess/guess.go:112	 --- result of guess_sk_buff_proto run #1: {"SK_BUFF_PROTO":[156,176]}
2020-11-27T17:20:10.378-0500	DEBUG	[socket]	guess/guess.go:112	 --- result of guess_sk_buff_proto run #2: {"SK_BUFF_PROTO":[176,432,944]}
2020-11-27T17:20:10.526-0500	DEBUG	[socket]	guess/guess.go:112	 --- result of guess_sk_buff_proto run #3: {"SK_BUFF_PROTO":[176,432,688,944]}
2020-11-27T17:20:10.636-0500	DEBUG	[socket]	guess/guess.go:112	 --- result of guess_sk_buff_proto run #4: {"SK_BUFF_PROTO":[176]}
2020-11-27T17:20:10.746-0500	DEBUG	[socket]	guess/guess.go:112	 --- result of guess_sk_buff_proto run #5: {"SK_BUFF_PROTO":[176]}
2020-11-27T17:20:10.833-0500	DEBUG	[socket]	guess/guess.go:112	 --- result of guess_sk_buff_proto run #6: {"SK_BUFF_PROTO":[176,540,546,796,802]}
2020-11-27T17:20:10.926-0500	DEBUG	[socket]	guess/guess.go:112	 --- result of guess_sk_buff_proto run #7: {"SK_BUFF_PROTO":[176,432,688,944]}
2020-11-27T17:20:11.056-0500	DEBUG	[socket]	guess/guess.go:112	 --- result of guess_sk_buff_proto run #8: {"SK_BUFF_PROTO":[176,432,688,944]}
2020-11-27T17:20:11.056-0500	DEBUG	[socket]	guess/guess.go:287	Guess guess_sk_buff_proto completed: {"SK_BUFF_PROTO":176}
2020-11-27T17:20:11.056-0500	DEBUG	[socket]	guess/guess.go:270	Guess guess_inet6_csk_xmit skipped.
2020-11-27T17:20:11.056-0500	DEBUG	[socket]	guess/guess.go:270	Guess guess_deref skipped.
2020-11-27T17:20:11.156-0500	DEBUG	[socket]	guess/guess.go:287	Guess tcp_sendmsg_guess completed: {"TCP_SENDMSG_LEN":"%dx"}
2020-11-27T17:20:11.243-0500	DEBUG	[socket]	guess/guess.go:287	Guess guess_tcp_sendmsg_sock completed: {"TCP_SENDMSG_SOCK":"%di"}
2020-11-27T17:20:11.326-0500	DEBUG	[socket]	guess/guess.go:287	Guess guess_struct_creds completed: {"STRUCT_CRED_EGID":24,"STRUCT_CRED_EUID":20,"STRUCT_CRED_GID":8,"STRUCT_CRED_UID":4}
2020-11-27T17:20:11.326-0500	DEBUG	[socket]	guess/guess.go:121	 --- guess_sk_buff_data_ptr run #0
2020-11-27T17:20:11.505-0500	DEBUG	[socket]	guess/guess.go:121	 --- guess_sk_buff_data_ptr run #1
2020-11-27T17:20:11.662-0500	DEBUG	[socket]	guess/guess.go:287	Guess guess_sk_buff_data_ptr completed: {"SK_BUFF_HAS_POINTERS":false,"SK_BUFF_HEAD":192,"SK_BUFF_MAC":182,"SK_BUFF_NETWORK":180,"SK_BUFF_TRANSPORT":178}
2020-11-27T17:20:11.752-0500	DEBUG	[socket]	guess/guess.go:287	Guess guess_sockaddr_in completed: {"SOCKADDR_IN_ADDR":4,"SOCKADDR_IN_AF":0,"SOCKADDR_IN_PORT":2}
2020-11-27T17:20:11.752-0500	DEBUG	[socket]	guess/guess.go:270	Guess guess_sockaddr_in6 skipped.
2020-11-27T17:20:26.929-0500	INFO	instance/beat.go:424	auditbeat stopped.
2020-11-27T17:20:26.941-0500	ERROR	instance/beat.go:956	Exiting: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_ip_local_out failed: timeout while waiting for event
Exiting: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_ip_local_out failed: timeout while waiting for event

111andre111 · 2020-11-28T01:42:15Z

@Aqualie
What kernel package are you using under ArchLinux?
pacman -Q | grep linux
And I have seen you disabled IPv6.
How did you do do that?
And would you mind to show the network config?
ip -d addr show

Aqualie · 2020-11-28T01:54:35Z

pacman -Q | grep linux

archlinux-keyring 20201028-1
linux 5.9.10.arch1-1
linux-api-headers 5.8-1
linux-firmware 20201113.2ea8667-1
linux-headers 5.9.10.arch1-1
linux-lts-headers 5.4.79-1
linux-mainline-docs 5.4rc1-1
linuxdoc-tools 0.9.82-1
util-linux 2.36.1-3
util-linux-libs 2.36.1-3

cat /etc/sysctl.d/99-sysctl.conf | grep ipv6

net.ipv6.conf.all.disable_ipv6 = 1

ip -d addr show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 0 maxmtu 0 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: enp1s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000
    link/ether xxxxxxxxxxxx brd xxxxxxxxxxxx promiscuity 1 minmtu 60 maxmtu 9000
    bridge_slave state forwarding priority 32 cost 4 hairpin off guard off root_block off fastleave off learning on flood on port_id 0x8001 port_no 0x1 designated_port 32769 designated_cost 0 designated_bridge 8000.a6:xxxxxxxxxxxx designated_root 8000.a6:xxxxxxxxxxxx hold_timer    0.00 message_age_timer    0.00 forward_delay_timer    0.00 topology_change_ack 0 config_pending 0 proxy_arp off proxy_arp_wifi off mcast_router 1 mcast_fast_leave off mcast_flood on mcast_to_unicast off neigh_suppress off group_fwd_mask 0 group_fwd_mask_str 0x0 vlan_tunnel off isolated off numtxqueues 5 numrxqueues 5 gso_max_size 65536 gso_max_segs 65535
3: wlp1s20u1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2312 qdisc mq master br0 state UP group default qlen 1000
    link/ether xxxxxxxxxxxx brd xxxxxxxxxxxx promiscuity 1 minmtu 60 maxmtu 2312
    bridge_slave state forwarding priority 32 cost 100 hairpin off guard off root_block off fastleave off learning on flood on port_id 0x8002 port_no 0x2 designated_port 32770 designated_cost 0 designated_bridge 8000.a6:xxxxxxxxxxxx designated_root 8000.a6:xxxxxxxxxxxx hold_timer    0.00 message_age_timer    0.00 forward_delay_timer    0.00 topology_change_ack 0 config_pending 0 proxy_arp off proxy_arp_wifi off mcast_router 1 mcast_fast_leave off mcast_flood on mcast_to_unicast off neigh_suppress off group_fwd_mask 0 group_fwd_mask_str 0x0 vlan_tunnel off isolated off numtxqueues 4 numrxqueues 4 gso_max_size 65536 gso_max_segs 65535
4: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether xxxxxxxxxxxx brd xxxxxxxxxxxx promiscuity 0 minmtu 68 maxmtu 65535
    bridge forward_delay 1499 hello_time 199 max_age 1999 ageing_time 29999 stp_state 0 priority 32768 vlan_filtering 0 vlan_protocol 802.1Q bridge_id 8000.a6:xxxxxxxxxxxx designated_root 8000.a6:xxxxxxxxxxxx root_port 0 root_path_cost 0 topology_change 0 topology_change_detected 0 hello_timer    0.00 tcn_timer    0.00 topology_change_timer    0.00 gc_timer   66.50 vlan_default_pvid 1 vlan_stats_enabled 0 vlan_stats_per_port 0 group_fwd_mask 0 group_address 01:80:xxxxxxxxxxxxmcast_snooping 1 mcast_router 1 mcast_query_use_ifaddr 0 mcast_querier 0 mcast_hash_elasticity 16 mcast_hash_max 4096 mcast_last_member_count 2 mcast_startup_query_count 2 mcast_last_member_interval 99 mcast_membership_interval 25999 mcast_querier_interval 25499 mcast_query_interval 12499 mcast_query_response_interval 999 mcast_startup_query_interval 3124 mcast_stats_enabled 0 mcast_igmp_version 2 mcast_mld_version 1 nf_call_iptables 0 nf_call_ip6tables 0 nf_call_arptables 0 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
    inet xxxxxxxxxxxx brd xxxxxxxxxxxx scope global br0
       valid_lft forever preferred_lft forever
5: enp1s0f0.98@enp1s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether xxxxxxxxxxxx brd xxxxxxxxxxxx promiscuity 0 minmtu 0 maxmtu 65535
    vlan protocol 802.1Q id 98 <REORDER_HDR> numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
    inet xxxxxxxxxxxx brd xxxxxxxxxxxx scope global enp1s0f0.98
       valid_lft forever preferred_lft forever
6: enp1s0f0.80@enp1s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether xxxxxxxxxxxx brd xxxxxxxxxxxx promiscuity 0 minmtu 0 maxmtu 65535
    vlan protocol 802.1Q id 80 <REORDER_HDR> numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
    inet xxxxxxxxxxxx brd xxxxxxxxxxxx scope global enp1s0f0.80
       valid_lft forever preferred_lft forever
7: br-6b6f6e752b74: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether xxxxxxxxxxxx brd xxxxxxxxxxxx promiscuity 0 minmtu 68 maxmtu 65535
    bridge forward_delay 1499 hello_time 199 max_age 1999 ageing_time 29999 stp_state 0 priority 32768 vlan_filtering 0 vlan_protocol 802.1Q bridge_id 8000.2:xxxxxxxxxxxx designated_root 8000.2:xxxxxxxxxxxx root_port 0 root_path_cost 0 topology_change 0 topology_change_detected 0 hello_timer    0.00 tcn_timer    0.00 topology_change_timer    0.00 gc_timer  194.82 vlan_default_pvid 1 vlan_stats_enabled 0 vlan_stats_per_port 0 group_fwd_mask 0 group_address 01:80:xxxxxxxxxxxx mcast_snooping 1 mcast_router 1 mcast_query_use_ifaddr 0 mcast_querier 0 mcast_hash_elasticity 16 mcast_hash_max 4096 mcast_last_member_count 2 mcast_startup_query_count 2 mcast_last_member_interval 99 mcast_membership_interval 25999 mcast_querier_interval 25499 mcast_query_interval 12499 mcast_query_response_interval 999 mcast_startup_query_interval 3124 mcast_stats_enabled 0 mcast_igmp_version 2 mcast_mld_version 1 nf_call_iptables 0 nf_call_ip6tables 0 nf_call_arptables 0 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
    inet xxxxxxxxxxxx brd xxxxxxxxxxxx scope global br-6b6f6e752b74
       valid_lft forever preferred_lft forever
8: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether xxxxxxxxxxxx brd xxxxxxxxxxxx promiscuity 0 minmtu 68 maxmtu 65535
    bridge forward_delay 1499 hello_time 199 max_age 1999 ageing_time 29999 stp_state 0 priority 32768 vlan_filtering 0 vlan_protocol 802.1Q bridge_id 8000.2:xxxxxxxxxxxx designated_root 8000.2:xxxxxxxxxxxx root_port 0 root_path_cost 0 topology_change 0 topology_change_detected 0 hello_timer    0.00 tcn_timer    0.00 topology_change_timer    0.00 gc_timer  186.50 vlan_default_pvid 1 vlan_stats_enabled 0 vlan_stats_per_port 0 group_fwd_mask 0 group_address 01:80:xxxxxxxxxxxx mcast_snooping 1 mcast_router 1 mcast_query_use_ifaddr 0 mcast_querier 0 mcast_hash_elasticity 16 mcast_hash_max 4096 mcast_last_member_count 2 mcast_startup_query_count 2 mcast_last_member_interval 99 mcast_membership_interval 25999 mcast_querier_interval 25499 mcast_query_interval 12499 mcast_query_response_interval 999 mcast_startup_query_interval 3124 mcast_stats_enabled 0 mcast_igmp_version 2 mcast_mld_version 1 nf_call_iptables 0 nf_call_ip6tables 0 nf_call_arptables 0 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
10: veth54d6232@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether xxxxxxxxxxxx brd xxxxxxxxxxxx link-netnsid 0 promiscuity 1 minmtu 68 maxmtu 65535
    veth
    bridge_slave state forwarding priority 32 cost 2 hairpin off guard off root_block off fastleave off learning on flood on port_id 0x8001 port_no 0x1 designated_port 32769 designated_cost 0 designated_bridge 8000.2:xxxxxxxxxxxx designated_root 8000.2:xxxxxxxxxxxx hold_timer    0.00 message_age_timer    0.00 forward_delay_timer    0.00 topology_change_ack 0 config_pending 0 proxy_arp off proxy_arp_wifi off mcast_router 1 mcast_fast_leave off mcast_flood on mcast_to_unicast off neigh_suppress off group_fwd_mask 0 group_fwd_mask_str 0x0 vlan_tunnel off isolated off numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
12: veth441da46@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master xxxxxxxxxxxx state UP group default
    link/ether xxxxxxxxxxxx brd xxxxxxxxxxxx link-netnsid 1 promiscuity 1 minmtu 68 maxmtu 65535
    veth
    bridge_slave state forwarding priority 32 cost 2 hairpin off guard off root_block off fastleave off learning on flood on port_id 0x8001 port_no 0x1 designated_port 32769 designated_cost 0 designated_bridge 8000.2:xxxxxxxxxxxx designated_root 8000.2:xxxxxxxxxxxx hold_timer    0.00 message_age_timer    0.00 forward_delay_timer    0.00 topology_change_ack 0 config_pending 0 proxy_arp off proxy_arp_wifi off mcast_router 1 mcast_fast_leave off mcast_flood on mcast_to_unicast off neigh_suppress off group_fwd_mask 0 group_fwd_mask_str 0x0 vlan_tunnel off isolated off numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535

Aqualie · 2020-11-30T21:36:46Z

Thanks @adriansr this works perfectly and I can see all the socket events in ES!

111andre111 · 2020-12-01T17:41:32Z

Nice to hear, that it's working for you now @Aqualie .
What about you @legoguy1000 @xennn

adriansr · 2020-12-01T17:46:44Z

Here's an updated snapshot build with an additional fix:

https://drive.google.com/drive/u/0/folders/1HJVrTF2iG45vYqSdBDcSynZjiiGSm31w

It includes:

fix for guess_ip_local_out always failing (system/socket: Add ip_local_out alternative #22787)
fix for startup errors (random guess failing) due to CPU affinity / offline CPUs ([Auditbeat] system/socket: Monitor all online CPUs #22827)

legoguy1000 · 2020-12-01T17:49:10Z

Nice to hear, that it's working for you now @Aqualie .
What about you @legoguy1000 @xennn

I haven't done anything with it in a while. The project I was working on was finished and we just left it out.

xennn · 2020-12-01T18:51:40Z

I give you next week a update. I'm out of office for this week

Auditbeat's system/socket dataset needs to install kprobes on all online CPUs. Previously, it was using runtime.NumCPU() to determine the CPUs in the system, and monitoring CPUs 0 to NumCPU. This was a mistake that lead to startup failures or loss of events in any of the following scenarios: - When Auditbeat is started with a CPU affinity mask that excludes some CPUs - When there are offline CPUs in the system. This patch updates the tracing library in Auditbeat to fetch the list of online CPUs from /sys/devices/system/cpu/online so that it can install kprobes in all of them regardless of its own affinity mask, and correctly skipping offline CPUs. Related elastic#18755

This commit adds a new function alternative, `__ip_local_out` for selecting a proper ip_local_out function, and fixes `guess_ip_local_out` logic in order to account for this new function. The new order of precedence is: - ip_local_out_sk (kernels before 3.16) - __ip_local_out (for kernels where ip_local_out calls are inlined) - ip_local_out (all others). Relates #18755

Auditbeat's system/socket dataset needs to install kprobes on all online CPUs. Previously, it was using runtime.NumCPU() to determine the CPUs in the system, and monitoring CPUs 0 to NumCPU. This was a mistake that lead to startup failures or loss of events in any of the following scenarios: - When Auditbeat is started with a CPU affinity mask that excludes some CPUs - When there are offline or isolated CPUs in the system. This patch updates the tracing library in Auditbeat to fetch the list of online CPUs from /sys/devices/system/cpu/online so that it can install kprobes in all of them regardless of its own affinity mask, and correctly skipping offline CPUs. Related #18755

This commit adds a new function alternative, `__ip_local_out` for selecting a proper ip_local_out function, and fixes `guess_ip_local_out` logic in order to account for this new function. The new order of precedence is: - ip_local_out_sk (kernels before 3.16) - __ip_local_out (for kernels where ip_local_out calls are inlined) - ip_local_out (all others). Relates elastic#18755 (cherry picked from commit b627fb7)

Auditbeat's system/socket dataset needs to install kprobes on all online CPUs. Previously, it was using runtime.NumCPU() to determine the CPUs in the system, and monitoring CPUs 0 to NumCPU. This was a mistake that lead to startup failures or loss of events in any of the following scenarios: - When Auditbeat is started with a CPU affinity mask that excludes some CPUs - When there are offline or isolated CPUs in the system. This patch updates the tracing library in Auditbeat to fetch the list of online CPUs from /sys/devices/system/cpu/online so that it can install kprobes in all of them regardless of its own affinity mask, and correctly skipping offline CPUs. Related elastic#18755 (cherry picked from commit 6356887)

#22869) * system/socket: Add ip_local_out alternative (#22787) This commit adds a new function alternative, `__ip_local_out` for selecting a proper ip_local_out function, and fixes `guess_ip_local_out` logic in order to account for this new function. The new order of precedence is: - ip_local_out_sk (kernels before 3.16) - __ip_local_out (for kernels where ip_local_out calls are inlined) - ip_local_out (all others). Relates #18755 (cherry picked from commit b627fb7)

…ve (#22870) * system/socket: Add ip_local_out alternative (#22787) This commit adds a new function alternative, `__ip_local_out` for selecting a proper ip_local_out function, and fixes `guess_ip_local_out` logic in order to account for this new function. The new order of precedence is: - ip_local_out_sk (kernels before 3.16) - __ip_local_out (for kernels where ip_local_out calls are inlined) - ip_local_out (all others). Relates #18755 (cherry picked from commit b627fb7) * Changelog entry

Auditbeat's system/socket dataset needs to install kprobes on all online CPUs. Previously, it was using runtime.NumCPU() to determine the CPUs in the system, and monitoring CPUs 0 to NumCPU. This was a mistake that lead to startup failures or loss of events in any of the following scenarios: - When Auditbeat is started with a CPU affinity mask that excludes some CPUs - When there are offline or isolated CPUs in the system. This patch updates the tracing library in Auditbeat to fetch the list of online CPUs from /sys/devices/system/cpu/online so that it can install kprobes in all of them regardless of its own affinity mask, and correctly skipping offline CPUs. Related #18755 (cherry picked from commit 6356887)

xennn · 2020-12-07T09:00:14Z

Its working for me.

Aqualie · 2020-12-09T23:54:52Z

I've started to upgrade my servers as this issue appeared to be fixed however after upgrading both the kernel and auditbeat to 7.10.1 which has the fix I'm still receiving the error. This host has IPV6 enabled with IPV6 addresses assigned and is running the linux-hardened kernel instead. Below is the debug file as requested before:

[root@REPLACED auditbeat]# pacman -Q | grep -i linux
archlinux-keyring 20201028-1
linux 5.9.13.arch1-1
linux-api-headers 5.8-1
linux-firmware 20201120.bc9cd0b-1
linux-hardened 5.9.12.a-1
util-linux 2.36.1-4
util-linux-libs 2.36.1-4

[root@REPLACED auditbeat]# ./auditbeat -c empty.yml -E auditbeat.modules.0.module=system -E auditbeat.modules.0.datasets.0=socket -E output.console.pretty=true -e -d '*' &>auditbeat-debug.log
[root@REPLACED auditbeat]# cat auditbeat-debug.log
2020-12-09T18:47:40.982-0500    INFO    instance/beat.go:645    Home path: [/opt/elastic/auditbeat] Config path: [/opt/elastic/auditbeat] Data path: [/opt/elastic/auditbeat/data] Logs path: [/opt/elastic/auditbeat/logs]
2020-12-09T18:47:40.982-0500    DEBUG   [beat]  instance/beat.go:697    Beat metadata path: /opt/elastic/auditbeat/data/meta.json
2020-12-09T18:47:40.982-0500    INFO    instance/beat.go:653    Beat ID: REPLACED
2020-12-09T18:47:40.982-0500    DEBUG   [seccomp]       seccomp/seccomp.go:117  Loading syscall filter  {"seccomp_filter": {"no_new_privs":true,"flag":"tsync","policy":{"default_action":"errno","syscalls":[{"names":["accept","accept4","access","arch_prctl","bind","brk","chmod","chown","clock_gettime","clone","close","connect","dup","dup2","epoll_create","epoll_create1","epoll_ctl","epoll_pwait","epoll_wait","exit","exit_group","fchdir","fchmod","fchmodat","fchown","fchownat","fcntl","fdatasync","flock","fstat","fstatfs","fsync","ftruncate","futex","getcwd","getdents","getdents64","geteuid","getgid","getpeername","getpid","getppid","getrandom","getrlimit","getrusage","getsockname","getsockopt","gettid","gettimeofday","getuid","inotify_add_watch","inotify_init1","inotify_rm_watch","ioctl","kill","listen","lseek","lstat","madvise","mincore","mkdirat","mmap","mprotect","munmap","nanosleep","newfstatat","open","openat","pipe","pipe2","poll","ppoll","pread64","pselect6","pwrite64","read","readlink","readlinkat","recvfrom","recvmmsg","recvmsg","rename","renameat","rt_sigaction","rt_sigprocmask","rt_sigreturn","sched_getaffinity","sched_yield","sendfile","sendmmsg","sendmsg","sendto","set_robust_list","setitimer","setsockopt","shutdown","sigaltstack","socket","splice","stat","statfs","sysinfo","tgkill","time","tkill","uname","unlink","unlinkat","wait4","waitid","write","writev","umask","mremap","perf_event_open","eventfd2","mount","umount2"],"action":"allow"}]}}}
2020-12-09T18:47:40.983-0500    INFO    [seccomp]       seccomp/seccomp.go:124  Syscall filter successfully installed
2020-12-09T18:47:40.983-0500    INFO    [beat]  instance/beat.go:981    Beat info       {"system_info": {"beat": {"path": {"config": "/opt/elastic/auditbeat", "data": "/opt/elastic/auditbeat/data", "home": "/opt/elastic/auditbeat", "logs": "/opt/elastic/auditbeat/logs"}, "type": "auditbeat", "uuid": "REPLACED"}}}
2020-12-09T18:47:40.983-0500    INFO    [beat]  instance/beat.go:990    Build info      {"system_info": {"build": {"commit": "1da173a9e716715a7a54bb3ff4db05b5c24fc8ce", "libbeat": "7.10.1", "time": "2020-12-04T23:20:49.000Z", "version": "7.10.1"}}}
2020-12-09T18:47:40.983-0500    INFO    [beat]  instance/beat.go:993    Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":4,"version":"go1.14.12"}}}
2020-12-09T18:47:40.985-0500    INFO    [beat]  instance/beat.go:997    Host info       {"system_info": {"host": {"architecture":"x86_64","boot_time":"2020-12-09T18:26:29-05:00","containerized":false,"name":"REPLACED","ip":["REPLACED"],"kernel_version":"5.9.12.a-1-hardened","mac":["REPLACED"],"os":{"family":"","platform":"arch","name":"Arch Linux","version":"","major":0,"minor":0,"patch":0,"build":"rolling"},"timezone":"EST","timezone_offset_sec":-18000,"id":"REPLACED"}}}
2020-12-09T18:47:40.985-0500    INFO    [beat]  instance/beat.go:1026   Process info    {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read","38","39","40"],"ambient":null}, "cwd": "/opt/elastic/auditbeat", "exe": "/opt/elastic/auditbeat/auditbeat", "name": "auditbeat", "pid": 2175, "ppid": 2159, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2020-12-09T18:47:40.840-0500"}}}
2020-12-09T18:47:40.985-0500    INFO    instance/beat.go:299    Setup Beat: auditbeat; Version: 7.10.1
2020-12-09T18:47:40.985-0500    DEBUG   [beat]  instance/beat.go:325    Initializing output plugins
2020-12-09T18:47:40.985-0500    DEBUG   [publisher]     pipeline/consumer.go:148        start pipeline event consumer
2020-12-09T18:47:40.985-0500    INFO    [publisher]     pipeline/module.go:113  Beat name: REPLACED
2020-12-09T18:47:40.986-0500    DEBUG   [modules]       beater/metricbeat.go:151        Available modules and metricsets: Register [ModuleFactory:[system], MetricSetFactory:[auditd/auditd, file_integrity/file, system/host, system/login, system/package, system/process, system/socket, system/user]]
2020-12-09T18:47:40.986-0500    WARN    [cfgwarn]       socket/socket_linux.go:124      BETA: The system/socket dataset is beta.
2020-12-09T18:47:41.020-0500    INFO    [socket]        socket/socket_linux.go:259      Setting up system/socket for kernel 5.9.12.a-1-hardened
2020-12-09T18:47:41.023-0500    DEBUG   [socket]        socket/socket_linux.go:306      IPv6 supported: true
2020-12-09T18:47:41.023-0500    DEBUG   [socket]        socket/socket_linux.go:313      IPv6 enabled: true
2020-12-09T18:47:41.207-0500    DEBUG   [socket]        socket/socket_linux.go:374      Selected kernel function ip_local_out for IP_LOCAL_OUT
2020-12-09T18:47:41.207-0500    DEBUG   [socket]        socket/socket_linux.go:374      Selected kernel function __skb_recv_udp for RECV_UDP_DATAGRAM
2020-12-09T18:47:41.207-0500    DEBUG   [socket]        socket/socket_linux.go:374      Selected kernel function __x64_sys_execve for SYS_EXECVE
2020-12-09T18:47:41.207-0500    DEBUG   [socket]        socket/socket_linux.go:374      Selected kernel function __x64_sys_gettimeofday for SYS_GETTIMEOFDAY
2020-12-09T18:47:41.207-0500    DEBUG   [socket]        socket/socket_linux.go:374      Selected kernel function __x64_sys_newuname for SYS_UNAME
2020-12-09T18:47:41.211-0500    INFO    [socket]        guess/guess.go:258      Running 17 guesses ...
2020-12-09T18:47:41.419-0500    DEBUG   [socket]        guess/guess.go:287      Guess guess_struct_socket_sk completed: {"SOCKET_SOCK":24}
2020-12-09T18:47:41.419-0500    DEBUG   [socket]        guess/guess.go:270      Guess guess_deref skipped.
2020-12-09T18:47:41.546-0500    DEBUG   [socket]        guess/guess.go:112       --- result of guess_inet_sock run #1: {"INET_SOCK_LADDR":[4,84,768,920],"INET_SOCK_LPORT":[776,930],"INET_SOCK_RADDR":[0,68,924],"INET_SOCK_RPORT":[12,928]}
2020-12-09T18:47:41.672-0500    DEBUG   [socket]        guess/guess.go:112       --- result of guess_inet_sock run #2: {"INET_SOCK_LADDR":[4,84,768,920],"INET_SOCK_LPORT":[776,930],"INET_SOCK_RADDR":[0,68,924],"INET_SOCK_RPORT":[12,928]}
2020-12-09T18:47:41.806-0500    DEBUG   [socket]        guess/guess.go:112       --- result of guess_inet_sock run #3: {"INET_SOCK_LADDR":[4,84,768,920],"INET_SOCK_LPORT":[776,930],"INET_SOCK_RADDR":[0,68,924],"INET_SOCK_RPORT":[12,928]}
2020-12-09T18:47:41.913-0500    DEBUG   [socket]        guess/guess.go:112       --- result of guess_inet_sock run #4: {"INET_SOCK_LADDR":[4,84,768,920],"INET_SOCK_LPORT":[776,930],"INET_SOCK_RADDR":[0,68,924],"INET_SOCK_RPORT":[12,928]}
2020-12-09T18:47:41.913-0500    DEBUG   [socket]        guess/guess.go:287      Guess guess_inet_sock completed: {"INET_SOCK_LADDR":4,"INET_SOCK_LADDR_LIST":[4,84,768,920],"INET_SOCK_LPORT":776,"INET_SOCK_LPORT_LIST":[776,930],"INET_SOCK_RADDR":0,"INET_SOCK_RADDR_LIST":[0,68,924],"INET_SOCK_RPORT":12,"INET_SOCK_RPORT_LIST":[12,928]}
2020-12-09T18:47:42.099-0500    DEBUG   [socket]        guess/guess.go:287      Guess guess_inet_sock_ipv6 completed: {"INET_SOCK_V6_LADDR_A":"+72","INET_SOCK_V6_LADDR_B":"+80","INET_SOCK_V6_LIMIT":56,"INET_SOCK_V6_RADDR_A":"+56","INET_SOCK_V6_RADDR_B":"+64","INET_SOCK_V6_TERM":":u64"}
2020-12-09T18:47:42.159-0500    DEBUG   [socket]        guess/guess.go:287      Guess guess_struct_creds completed: {"STRUCT_CRED_EGID":40,"STRUCT_CRED_EUID":36,"STRUCT_CRED_GID":24,"STRUCT_CRED_UID":20}
2020-12-09T18:47:42.243-0500    DEBUG   [socket]        guess/guess.go:287      Guess guess_sockaddr_in completed: {"SOCKADDR_IN_ADDR":4,"SOCKADDR_IN_AF":0,"SOCKADDR_IN_PORT":2}
2020-12-09T18:47:42.326-0500    DEBUG   [socket]        guess/guess.go:287      Guess guess_sockaddr_in6 completed: {"SOCKADDR_IN6_ADDRA":8,"SOCKADDR_IN6_ADDRB":16,"SOCKADDR_IN6_AF":0,"SOCKADDR_IN6_PORT":2}
2020-12-09T18:47:42.433-0500    DEBUG   [socket]        guess/guess.go:112       --- result of guess_inet_sock_af run #1: {"INET_SOCK_AF":[16]}
2020-12-09T18:47:42.529-0500    DEBUG   [socket]        guess/guess.go:112       --- result of guess_inet_sock_af run #2: {"INET_SOCK_AF":[16]}
2020-12-09T18:47:42.602-0500    DEBUG   [socket]        guess/guess.go:112       --- result of guess_inet_sock_af run #3: {"INET_SOCK_AF":[16]}
2020-12-09T18:47:42.699-0500    DEBUG   [socket]        guess/guess.go:112       --- result of guess_inet_sock_af run #4: {"INET_SOCK_AF":[16]}
2020-12-09T18:47:42.789-0500    DEBUG   [socket]        guess/guess.go:112       --- result of guess_inet_sock_af run #5: {"INET_SOCK_AF":[16]}
2020-12-09T18:47:42.899-0500    DEBUG   [socket]        guess/guess.go:112       --- result of guess_inet_sock_af run #6: {"INET_SOCK_AF":[16]}
2020-12-09T18:47:42.999-0500    DEBUG   [socket]        guess/guess.go:112       --- result of guess_inet_sock_af run #7: {"INET_SOCK_AF":[16]}
2020-12-09T18:47:43.086-0500    DEBUG   [socket]        guess/guess.go:112       --- result of guess_inet_sock_af run #8: {"INET_SOCK_AF":[16]}
2020-12-09T18:47:43.175-0500    DEBUG   [socket]        guess/guess.go:112       --- result of guess_inet_sock_af run #9: {"INET_SOCK_AF":[16]}
2020-12-09T18:47:43.285-0500    DEBUG   [socket]        guess/guess.go:112       --- result of guess_inet_sock_af run #10: {"INET_SOCK_AF":[16]}
2020-12-09T18:47:43.286-0500    DEBUG   [socket]        guess/guess.go:287      Guess guess_inet_sock_af completed: {"INET_SOCK_AF":16}
2020-12-09T18:47:43.393-0500    DEBUG   [socket]        guess/guess.go:112       --- result of guess_sk_buff_proto run #1: {"SK_BUFF_PROTO":[176]}
2020-12-09T18:47:43.526-0500    DEBUG   [socket]        guess/guess.go:112       --- result of guess_sk_buff_proto run #2: {"SK_BUFF_PROTO":[176]}
2020-12-09T18:47:43.636-0500    DEBUG   [socket]        guess/guess.go:112       --- result of guess_sk_buff_proto run #3: {"SK_BUFF_PROTO":[176]}
2020-12-09T18:47:43.739-0500    DEBUG   [socket]        guess/guess.go:112       --- result of guess_sk_buff_proto run #4: {"SK_BUFF_PROTO":[176]}
2020-12-09T18:47:43.865-0500    DEBUG   [socket]        guess/guess.go:112       --- result of guess_sk_buff_proto run #5: {"SK_BUFF_PROTO":[176]}
2020-12-09T18:47:44.019-0500    DEBUG   [socket]        guess/guess.go:112       --- result of guess_sk_buff_proto run #6: {"SK_BUFF_PROTO":[176]}
2020-12-09T18:47:44.138-0500    DEBUG   [socket]        guess/guess.go:112       --- result of guess_sk_buff_proto run #7: {"SK_BUFF_PROTO":[176]}
2020-12-09T18:47:44.226-0500    DEBUG   [socket]        guess/guess.go:112       --- result of guess_sk_buff_proto run #8: {"SK_BUFF_PROTO":[176]}
2020-12-09T18:47:44.226-0500    DEBUG   [socket]        guess/guess.go:287      Guess guess_sk_buff_proto completed: {"SK_BUFF_PROTO":176}
2020-12-09T18:47:44.283-0500    DEBUG   [socket]        guess/guess.go:287      Guess guess_syscall_args completed: {"SYS_P1":"+0x70(%di)","SYS_P2":"+0x68(%di)","SYS_P3":"+0x60(%di)","SYS_P4":"+0x38(%di)","SYS_P5":"+0x48(%di)","SYS_P6":"+0x40(%di)"}
2020-12-09T18:47:44.475-0500    DEBUG   [socket]        guess/guess.go:287      Guess guess_inet6_csk_xmit completed: {"INET6_CSK_XMIT_SKBUFF":"%si","INET6_CSK_XMIT_SOCK":"%di"}
2020-12-09T18:47:44.556-0500    DEBUG   [socket]        guess/guess.go:287      Guess tcp_sendmsg_guess completed: {"TCP_SENDMSG_LEN":"%dx"}
2020-12-09T18:47:44.646-0500    DEBUG   [socket]        guess/guess.go:287      Guess guess_tcp_sendmsg_sock completed: {"TCP_SENDMSG_SOCK":"%di"}
2020-12-09T18:47:44.744-0500    DEBUG   [socket]        guess/guess.go:287      Guess guess_udp_sendmsg completed: {"UDP_SENDMSG_LEN":"%dx","UDP_SENDMSG_MSG":"%si","UDP_SENDMSG_SOCK":"%di"}
2020-12-09T18:47:59.926-0500    INFO    instance/beat.go:424    auditbeat stopped.
2020-12-09T18:47:59.928-0500    ERROR   instance/beat.go:956    Exiting: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_ip_local_out failed: timeout while waiting for event
Exiting: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_ip_local_out failed: timeout while waiting for event

111andre111 · 2020-12-11T22:47:30Z

@Aqualie
I was able to reproduce that with hardened kernel
Would you mind please to try out this particular release?
https://drive.google.com/drive/folders/1HJVrTF2iG45vYqSdBDcSynZjiiGSm31w?usp=sharing
This one holds this former fix plus another one that was fixed here: #22827
Because with these 2 fixes in place, I didn't hit into issues with the hardened kernel.

Aqualie · 2020-12-12T13:15:17Z

This release fixed the problem it's working now, thank you.

111andre111 · 2020-12-12T17:05:55Z

That's nice to hear, that this fixed it for you.

adriansr · 2021-12-01T14:23:11Z

Issue fixed

botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label May 26, 2020

andrewkroh added Auditbeat Team:SIEM triage_needed labels May 26, 2020

botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label May 26, 2020

adriansr self-assigned this Jun 17, 2020

adriansr added bug and removed triage_needed labels Nov 17, 2020

adriansr mentioned this issue Dec 1, 2020

[Auditbeat] system/socket: Monitor all online CPUs #22827

Merged

4 tasks

adriansr mentioned this issue Dec 2, 2020

Cherry-pick #22787 to 7.x: system/socket: Add ip_local_out alternative #22869

Merged

3 tasks

adriansr mentioned this issue Dec 2, 2020

Cherry-pick #22787 to 7.10: system/socket: Add ip_local_out alternative #22870

Merged

3 tasks

adriansr mentioned this issue Dec 2, 2020

Cherry-pick #22827 to 7.x: [Auditbeat] system/socket: Monitor all online CPUs #22872

Merged

4 tasks

adriansr mentioned this issue Dec 2, 2020

Cherry-pick #22827 to 7.10: [Auditbeat] system/socket: Monitor all online CPUs #22873

Merged

4 tasks

adriansr closed this as completed Dec 1, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Auditbeat] Unable to start; unable to guess one or more required parameters: guess_ip_local_out failed #18755

[Auditbeat] Unable to start; unable to guess one or more required parameters: guess_ip_local_out failed #18755

Aqualie commented May 26, 2020

elasticmachine commented May 26, 2020

BBQigniter commented Jun 3, 2020

kimsyversen commented Jun 11, 2020

Aqualie commented Jun 19, 2020

nickchappell commented Jun 23, 2020

MakoWish commented Oct 6, 2020

legoguy1000 commented Oct 8, 2020

xennn commented Nov 6, 2020

adriansr commented Nov 6, 2020

Aqualie commented Nov 6, 2020

xennn commented Nov 6, 2020 •

edited

Loading

adriansr commented Nov 16, 2020 •

edited

Loading

rcmelendez commented Nov 20, 2020

Aqualie commented Nov 24, 2020

111andre111 commented Nov 27, 2020 •

edited

Loading

111andre111 commented Nov 27, 2020

Aqualie commented Nov 27, 2020

Aqualie commented Nov 27, 2020

111andre111 commented Nov 27, 2020 •

edited

Loading

Aqualie commented Nov 27, 2020

111andre111 commented Nov 28, 2020

Aqualie commented Nov 28, 2020

Aqualie commented Nov 30, 2020

111andre111 commented Dec 1, 2020

adriansr commented Dec 1, 2020

legoguy1000 commented Dec 1, 2020

xennn commented Dec 1, 2020

xennn commented Dec 7, 2020

Aqualie commented Dec 9, 2020

111andre111 commented Dec 11, 2020 •

edited

Loading

Aqualie commented Dec 12, 2020

111andre111 commented Dec 12, 2020

adriansr commented Dec 1, 2021

[Auditbeat] Unable to start; unable to guess one or more required parameters: guess_ip_local_out failed #18755

[Auditbeat] Unable to start; unable to guess one or more required parameters: guess_ip_local_out failed #18755

Comments

Aqualie commented May 26, 2020

elasticmachine commented May 26, 2020

BBQigniter commented Jun 3, 2020

kimsyversen commented Jun 11, 2020

Aqualie commented Jun 19, 2020

nickchappell commented Jun 23, 2020

MakoWish commented Oct 6, 2020

legoguy1000 commented Oct 8, 2020

xennn commented Nov 6, 2020

adriansr commented Nov 6, 2020

Aqualie commented Nov 6, 2020

xennn commented Nov 6, 2020 • edited Loading

adriansr commented Nov 16, 2020 • edited Loading

rcmelendez commented Nov 20, 2020

Aqualie commented Nov 24, 2020

111andre111 commented Nov 27, 2020 • edited Loading

111andre111 commented Nov 27, 2020

Aqualie commented Nov 27, 2020

Aqualie commented Nov 27, 2020

111andre111 commented Nov 27, 2020 • edited Loading

Aqualie commented Nov 27, 2020

111andre111 commented Nov 28, 2020

Aqualie commented Nov 28, 2020

Aqualie commented Nov 30, 2020

111andre111 commented Dec 1, 2020

adriansr commented Dec 1, 2020

legoguy1000 commented Dec 1, 2020

xennn commented Dec 1, 2020

xennn commented Dec 7, 2020

Aqualie commented Dec 9, 2020

111andre111 commented Dec 11, 2020 • edited Loading

Aqualie commented Dec 12, 2020

111andre111 commented Dec 12, 2020

adriansr commented Dec 1, 2021

xennn commented Nov 6, 2020 •

edited

Loading

adriansr commented Nov 16, 2020 •

edited

Loading

111andre111 commented Nov 27, 2020 •

edited

Loading

111andre111 commented Nov 27, 2020 •

edited

Loading

111andre111 commented Dec 11, 2020 •

edited

Loading