[AuditBeat 7.0.1] This metricset does not support OS family

[mesudip]

I downloaded the official deb file for version 7.0.1.
I am getting the error below on the fresh installation.

root@Linux-Mint:/etc/auditbeat# uname -a
Linux Linux-Mint 4.15.0-20-generic #21-Ubuntu SMP Tue Apr 24 06:16:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

INFO        instance/beat.go:571        Home path: [/usr/share/auditbeat] Config path: [/etc/auditbeat] Data path: [/var/lib/auditbeat] Logs path: [/var/log/auditbeat]
INFO        instance/beat.go:579        Beat ID: 86223b61-acd0-4ce2-bbd4-8044485c67e1
INFO        [index-management.ilm]        ilm/ilm.go:129        Policy name: auditbeat-7.0.1
INFO        [seccomp]        seccomp/seccomp.go:116        Syscall filter successfully installed
INFO        [beat]        instance/beat.go:827        Beat info        {"system_info": {"beat": {"path": {"config": "/etc/auditbeat", "data": "/var/lib/auditbeat", "home": "/usr/share/auditbeat", "logs": "/var/log/auditbeat"}, "type": "auditbeat", "uuid": "86223b61-acd0-4ce2-bbd4-8044485c67e1"}}}
INFO        [beat]        instance/beat.go:836        Build info        {"system_info": {"build": {"commit": "cbffb4dcc8d1d2b0ef2078cb7d7546092ee86e57", "libbeat": "7.0.1", "time": "2019-04-29T12:07:29.000Z", "version": "7.0.1"}}}
INFO        [beat]        instance/beat.go:839        Go runtime info        {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":8,"version":"go1.11.5"}}}
INFO        [beat]        instance/beat.go:843        Host info        {"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-05-10T21:03:43+05:45","containerized":false,"name":"Linux-Mint","ip":["127.0.0.1/8","::1/128","192.168.1.139/24","fe80::5223:5f99:c6ab:ff6e/64","10.0.3.1/24","10.234.9.1/24","fe80::4c48:d3ff:fe82:914/64","172.24.0.1/16","172.23.0.1/16","172.17.0.1/16","fe80::42:bcff:fe77:638d/64","172.26.0.1/16","172.21.0.1/16","fe80::42:e0ff:fe6a:a990/64","172.18.0.1/16","172.25.0.1/16","172.28.0.1/16","fe80::42:62ff:fec2:fc2d/64","172.22.0.1/16","fe80::42:f5ff:fe50:ea7f/64","172.27.0.1/16","172.20.0.1/16","172.19.0.1/16","fe80::506b:26ff:fedb:d0dc/64","fe80::44fe:7ff:fe46:91b8/64","fe80::687f:51ff:fe79:3fc2/64","fe80::6837:84ff:fe41:1b3d/64","fe80::98b7:42ff:fe80:bb73/64","fe80::d884:35ff:fe41:b015/64","fe80::389b:8fff:fe4e:da30/64","fe80::8cc7:89ff:fecb:782e/64","fe80::7ce5:79ff:fe94:37aa/64","fe80::1cdc:f5ff:fed2:ba15/64"],"kernel_version":"4.15.0-20-generic","mac":["58:8a:5a:48:21:4e","5c:ea:1d:7e:c9:0b","00:16:3e:00:00:00","4e:48:d3:82:09:14","02:42:4b:e7:3c:1d","02:42:70:e4:a0:9c","02:42:bc:77:63:8d","02:42:f0:64:62:28","02:42:e0:6a:a9:90","02:42:0b:59:ee:8e","02:42:a6:98:e3:ad","02:42:62:c2:fc:2d","02:42:f5:50:ea:7f","02:42:54:4b:90:7d","02:42:1d:8a:cd:5a","02:42:87:95:fc:0c","52:6b:26:db:d0:dc","46:fe:07:46:91:b8","6a:7f:51:79:3f:c2","6a:37:84:41:1b:3d","9a:b7:42:80:bb:73","da:84:35:41:b0:15","3a:9b:8f:4e:da:30","8e:c7:89:cb:78:2e","7e:e5:79:94:37:aa","1e:dc:f5:d2:ba:15"],"os":{"family":"","platform":"linuxmint","name":"Linux Mint","version":"19 (Tara)","major":19,"minor":0,"patch":0,"codename":"tara"},"timezone":"+0545","timezone_offset_sec":20700,"id":"ef635a010d284bc38d762d2b9f0e65ac"}}}
INFO        [beat]        instance/beat.go:872        Process info        {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"ambient":null}, "cwd": "/", "exe": "/usr/share/auditbeat/bin/auditbeat", "name": "auditbeat", "pid": 11398, "ppid": 1, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2019-05-11T18:14:32.150+0545"}}}
INFO        instance/beat.go:280        Setup Beat: auditbeat; Version: 7.0.1
INFO        [index-management]        idxmgmt/std.go:165        Set output.elasticsearch.index to 'auditbeat-7.0.1' as ILM is enabled.
INFO        elasticsearch/client.go:165        Elasticsearch url: http://localhost:9200
INFO        [publisher]        pipeline/module.go:97        Beat name: Linux-Mint
INFO        [auditd]        auditd/audit_linux.go:104        auditd module is running as euid=0 on kernel=4.15.0-20-generic
INFO        [auditd]        auditd/audit_linux.go:131        socket_type=multicast will be used.
WARN        [cfgwarn]        host/host.go:163        BETA: The system/host dataset is beta
WARN        [cfgwarn]        login/login.go:95        BETA: The system/login dataset is beta
WARN        [cfgwarn]        package/package.go:185        BETA: The system/package dataset is beta
WARN        [cfgwarn]        process/process.go:128        BETA: The system/process dataset is beta
WARN        [cfgwarn]        socket/socket.go:210        BETA: The system/socket dataset is beta
WARN        [cfgwarn]        user/user.go:205        BETA: The system/user dataset is beta
INFO        instance/beat.go:361        auditbeat stopped.
ERROR        instance/beat.go:802        Exiting: 1 error: 1 error: this metricset does not support OS family

[andrewkroh]

"os":{"family":"","platform":"linuxmint","name":"Linux Mint","version":"19 (Tara)","major":19,"minor":0,"patch":0,"codename":"tara"}

Looks like we need to classify linuxmint as part of the debian family since it’s based on Debian/Ubuntu and uses dpkg.

[cwurm]

@mesudip This should be fixed in versions 6.8.1 and 7.2.0. Please let us know if this problem persists.