Auditbeat system/socket fails to start due to IPv6 #13953

Closed
adriansr opened this issue Oct 7, 2019 · 19 comments · Fixed by #13966

@adriansr
Contributor

adriansr commented Oct 7, 2019

Please include configurations and logs if available.

For confirmed bugs, please report:

adriansr added the bug, help wanted, Auditbeat and Team:SIEM labels Oct 7, 2019
@elasticmachine
Collaborator

Pinging @elastic/siem (Team:SIEM)

@dancs85

dancs85 commented Oct 7, 2019

Version: 7.4.0
Operating System: Ubuntu 18.04 LTS using stock Azure image (updated to latest - 5.0.0-1020-azure)
Discuss Forum URL: https://discuss.elastic.co/t/system-socket-module-stops-auditbeat-7-4-from-starting-ipv6-detection/201852/5
Steps to Reproduce: In auditbeat.yml config, under the system module, enable the socket dataset.
Note: Under the system module I have also added 'socket.enable_ipv6: false' to no effect

Error:
Oct 08 08:48:32 xxxxxxxx auditbeat[74319]: 2019-10-08T08:48:32.759+1100 WARN [cfgwarn] socket/socket_linux.go:81 BETA: The system/socket dataset is beta.
Oct 08 08:48:32 xxxxxxxx auditbeat[74319]: 2019-10-08T08:48:32.759+1100 INFO [socket] socket/socket_linux.go:197 Setting up system/socket for kernel 5.0.0-1020-azure
Oct 08 08:48:32 xxxxxxxx auditbeat[74319]: 2019-10-08T08:48:32.761+1100 WARN [cfgwarn] user/user.go:205 BETA: The system/user dataset is beta
Oct 08 08:48:32 xxxxxxxx auditbeat[74319]: 2019-10-08T08:48:32.769+1100 INFO instance/beat.go:385 auditbeat stopped.
Oct 08 08:48:32 xxxxxxxx auditbeat[74319]: 2019-10-08T08:48:32.769+1100 ERROR instance/beat.go:878 Exiting: 1 error: 1 error: system/socket dataset setup failed: error detecting IPv6 support: ipv6 socket failed: address family not supported by protocol
Oct 08 08:48:32 xxxxxxxx auditbeat[74319]: Exiting: 1 error: 1 error: system/socket dataset setup failed: error detecting IPv6 support: ipv6 socket failed: address family not supported by protocol

ip -6 a returns nothing, as IPv6 is disabled (we follow CIS hardening guidelines)
sysctl -a | grep ipv6 also returns nothing
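The report above shows the dataset aborting because `socket(AF_INET6, ...)` returned "address family not supported by protocol" on a host hardened to run without IPv6. As an added example (not Auditbeat's own code and not the change made in #13966), this Go sketch treats that errno as a normal "IPv6 unavailable" result instead of a fatal setup error; `resolveIPv6State`, `detectIPv6` and `IPv6State` are hypothetical names.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
	"syscall"
)

// IPv6State is what a socket-monitoring agent needs to know before it
// installs IPv6-specific probes. (Hypothetical type for this example.)
type IPv6State struct {
	Supported bool // kernel provides the AF_INET6 address family
	Enabled   bool // supported and not switched off through sysctl
}

// Standard Linux sysctl file for the "all" pseudo-interface.
const disableIPv6Path = "/proc/sys/net/ipv6/conf/all/disable_ipv6"

// resolveIPv6State combines two observations into a state:
//   - sockErr:    the result of socket(AF_INET6, SOCK_DGRAM, 0)
//   - readSysctl: returns the contents of disable_ipv6
//
// Only unexpected failures are returned as errors. A host without the
// IPv6 address family is a valid configuration, not a setup failure.
func resolveIPv6State(sockErr error, readSysctl func() (string, error)) (IPv6State, error) {
	switch {
	case sockErr == nil:
		// Address family exists; check the sysctl below.
	case errors.Is(sockErr, syscall.EAFNOSUPPORT):
		// "address family not supported by protocol": IPv6 is not
		// available in this kernel, so skip IPv6 monitoring and carry on.
		return IPv6State{}, nil
	default:
		// Anything else (EMFILE, EACCES from a sandbox, ...) is a real problem.
		return IPv6State{}, fmt.Errorf("ipv6 socket probe: %w", sockErr)
	}

	raw, err := readSysctl()
	if errors.Is(err, os.ErrNotExist) {
		// No sysctl tree to consult: report supported but not enabled.
		return IPv6State{Supported: true}, nil
	}
	if err != nil {
		return IPv6State{Supported: true}, fmt.Errorf("reading disable_ipv6: %w", err)
	}

	switch strings.TrimSpace(raw) {
	case "0":
		return IPv6State{Supported: true, Enabled: true}, nil
	case "1":
		// Sockets can be created, but IPv6 is disabled on all interfaces.
		return IPv6State{Supported: true}, nil
	default:
		return IPv6State{Supported: true}, fmt.Errorf("unexpected disable_ipv6 value %q", raw)
	}
}

// detectIPv6 runs the probe against the local kernel.
func detectIPv6() (IPv6State, error) {
	fd, sockErr := syscall.Socket(syscall.AF_INET6, syscall.SOCK_DGRAM, 0)
	if sockErr == nil {
		syscall.Close(fd)
	}
	return resolveIPv6State(sockErr, func() (string, error) {
		b, err := os.ReadFile(disableIPv6Path)
		return string(b), err
	})
}

func main() {
	st, err := detectIPv6()
	if err != nil {
		fmt.Fprintln(os.Stderr, "IPv6 detection error:", err)
		os.Exit(1)
	}
	fmt.Printf("IPv6 supported: %v\nIPv6 enabled: %v\n", st.Supported, st.Enabled)
}
```
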

@AntonAttano

AntonAttano commented Oct 7, 2019

System: Ubuntu 18.04

auditbeat.modules:

- module: auditd
  audit_rules: |
    # Things that affect identity.
    -w /etc/group -p wa -k identity
    -w /etc/passwd -p wa -k identity
    -w /etc/gshadow -p wa -k identity
    -w /etc/shadow -p wa -k identity

    # Unauthorized access attempts to files (unsuccessful).
    -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
    -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
    -a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
    -a always,exit -F arch=b64 -S open,truncate,ftruncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

- module: file_integrity
  hash_types: [sha256]
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc

- module: system
  datasets:
    - host
    - login
    - package
    - user
  period: 1m

  user.detect_password_changes: true

- module: system
  datasets:
    - process
    - socket
  period: 1s

output.elasticsearch:
  hosts: ["https://elasticsearch.domain.tld:443"]
  username: "beats"
  password: "XXXXXX"

setup.ilm:
  policy_name: "beats"

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~

monitoring:
  enabled: true

logging.level: warning
logging.to_syslog: true

INFO	instance/beat.go:607	Home path: [/usr/share/auditbeat] Config path: [/etc/auditbeat] Data path: [/var/lib/auditbeat] Logs path: [/var/log/auditbeat]
DEBUG	[beat]	instance/beat.go:659	Beat metadata path: /var/lib/auditbeat/meta.json
INFO	instance/beat.go:615	Beat ID: afa2df26-38eb-4571-82da-9e4758f51031
DEBUG	[filters]	add_cloud_metadata/providers.go:126	add_cloud_metadata: starting to fetch metadata, timeout=3s
DEBUG	[filters]	add_cloud_metadata/providers.go:162	add_cloud_metadata: received disposition for az after 7.285395ms. result=[provider:az, error=failed with http status code 404, metadata={}]
DEBUG	[filters]	add_cloud_metadata/providers.go:162	add_cloud_metadata: received disposition for openstack after 7.499822ms. result=[provider:openstack, error=failed with http status code 404, metadata={}]
DEBUG	[filters]	add_cloud_metadata/providers.go:162	add_cloud_metadata: received disposition for aws after 7.662903ms. result=[provider:aws, error=failed with http status code 404, metadata={}]
DEBUG	[filters]	add_cloud_metadata/providers.go:162	add_cloud_metadata: received disposition for gcp after 7.725518ms. result=[provider:gcp, error=failed with http status code 404, metadata={}]
DEBUG	[filters]	add_cloud_metadata/providers.go:162	add_cloud_metadata: received disposition for digitalocean after 26.59954ms. result=[provider:digitalocean, error=<nil>, metadata={"instance":{"id":"137391861"},"provider":"digitalocean","region":"fra1"}]
DEBUG	[filters]	add_cloud_metadata/providers.go:129	add_cloud_metadata: fetchMetadata ran for 26.755622ms
INFO	add_cloud_metadata/add_cloud_metadata.go:91	add_cloud_metadata: hosting provider type detected as digitalocean, metadata={"instance":{"id":"137391861"},"provider":"digitalocean","region":"fra1"}
DEBUG	[processors]	processors/processor.go:101	Generated new processors: add_host_metadata=[netinfo.enabled=[false], cache.ttl=[5m0s]], add_cloud_metadata={"instance":{"id":"137391861"},"provider":"digitalocean","region":"fra1"}
DEBUG	[seccomp]	seccomp/seccomp.go:117	Loading syscall filter	{"seccomp_filter": {"no_new_privs":true,"flag":"tsync","policy":{"default_action":"errno","syscalls":[{"names":["accept","accept4","access","arch_prctl","bind","brk","clock_gettime","clone","close","connect","dup","dup2","epoll_create","epoll_create1","epoll_ctl","epoll_pwait","epoll_wait","exit","exit_group","fchdir","fchmod","fchown","fcntl","fdatasync","flock","fstat","fstatfs","fsync","ftruncate","futex","getcwd","getdents","getdents64","geteuid","getgid","getpeername","getpid","getppid","getrandom","getrlimit","getrusage","getsockname","getsockopt","gettid","gettimeofday","getuid","inotify_add_watch","inotify_init1","inotify_rm_watch","ioctl","kill","listen","lseek","lstat","madvise","mincore","mkdirat","mmap","mprotect","munmap","nanosleep","newfstatat","open","openat","pipe","pipe2","poll","ppoll","pread64","pselect6","pwrite64","read","readlink","readlinkat","recvfrom","recvmmsg","recvmsg","rename","renameat","rt_sigaction","rt_sigprocmask","rt_sigreturn","sched_getaffinity","sched_yield","sendfile","sendmmsg","sendmsg","sendto","set_robust_list","setitimer","setsockopt","shutdown","sigaltstack","socket","splice","stat","statfs","sysinfo","tgkill","time","tkill","uname","unlink","unlinkat","wait4","waitid","write","writev","umask","mremap","perf_event_open","eventfd2","mount","umount2"],"action":"allow"}]}}}
INFO	[seccomp]	seccomp/seccomp.go:124	Syscall filter successfully installed
INFO	[beat]	instance/beat.go:903	Beat info	{"system_info": {"beat": {"path": {"config": "/etc/auditbeat", "data": "/var/lib/auditbeat", "home": "/usr/share/auditbeat", "logs": "/var/log/auditbeat"}, "type": "auditbeat", "uuid": "afa2df26-38eb-4571-82da-9e4758f51031"}}}
INFO	[beat]	instance/beat.go:912	Build info	{"system_info": {"build": {"commit": "f940c36884d3749901a9c99bea5463a6030cdd9c", "libbeat": "7.4.0", "time": "2019-09-27T07:42:54.000Z", "version": "7.4.0"}}}
INFO	[beat]	instance/beat.go:915	Go runtime info	{"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":1,"version":"go1.12.9"}}}
INFO	[beat]	instance/beat.go:919	Host info	{"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-10-01T19:14:26+02:00","containerized":false,"name":"root","ip":["127.0.0.1/8","::1/128","157.230.121.52/20","10.19.0.6/16","2a03:b0c0:3:e0::54:d001/64","fe80::4e8:54ff:fe4d:9427/64","10.10.10.1/24"],"kernel_version":"4.15.0-65-generic","mac":["06:e8:54:4d:94:27"],"os":{"family":"debian","platform":"ubuntu","name":"Ubuntu","version":"18.04.3 LTS (Bionic Beaver)","major":18,"minor":4,"patch":3,"codename":"bionic"},"timezone":"CEST","timezone_offset_sec":7200,"id":"434477ac15fa492da53d0a1effd2ba74"}}}
INFO	[beat]	instance/beat.go:948	Process info	{"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"ambient":null}, "cwd": "/root", "exe": "/usr/share/auditbeat/bin/auditbeat", "name": "auditbeat", "pid": 5211, "ppid": 4986, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2019-10-07T23:53:13.540+0200"}}}
INFO	instance/beat.go:292	Setup Beat: auditbeat; Version: 7.4.0
DEBUG	[beat]	instance/beat.go:318	Initializing output plugins
INFO	[index-management]	idxmgmt/std.go:178	Set output.elasticsearch.index to 'auditbeat-7.4.0' as ILM is enabled.
INFO	elasticsearch/client.go:170	Elasticsearch url: https://elasticsearch.sherbers.de:443
DEBUG	[publisher]	pipeline/consumer.go:137	start pipeline event consumer
INFO	[publisher]	pipeline/module.go:97	Beat name: root
DEBUG	[modules]	beater/metricbeat.go:121	Available modules and metricsets: Register [ModuleFactory:[system], MetricSetFactory:[auditd/auditd, file_integrity/file, system/host, system/login, system/package, system/process, system/socket, system/user]]
INFO	[auditd]	auditd/audit_linux.go:106	auditd module is running as euid=0 on kernel=4.15.0-65-generic
INFO	[auditd]	auditd/audit_linux.go:133	socket_type=unicast will be used.
DEBUG	[file_integrity]	file_integrity/metricset.go:97	Initialized the file event reader. Running as euid=0
WARN	[cfgwarn]	host/host.go:167	BETA: The system/host dataset is beta
DEBUG	[system]	host/host.go:448	Restored last host information from disk.
WARN	[cfgwarn]	login/login.go:95	BETA: The system/login dataset is beta
DEBUG	[login]	login/utmp.go:539	Restored 4 UTMP file records from disk
DEBUG	[login]	login/utmp.go:571	Restored 1 open login sessions from disk
WARN	[cfgwarn]	package/package.go:170	BETA: The system/package dataset is beta
DEBUG	[package]	package/package.go:201	Last state was sent at 2019-10-07 23:25:38.784502657 +0200 CEST. Next state update by 2019-10-08 11:25:38.784502657 +0200 CEST.
DEBUG	[package]	package/package.go:211	Restored 652 packages from disk
WARN	[cfgwarn]	user/user.go:205	BETA: The system/user dataset is beta
DEBUG	[user]	user/user.go:245	Last state was sent at 2019-10-07 23:24:38.997360845 +0200 CEST. Next state update by 2019-10-08 11:24:38.997360845 +0200 CEST.
DEBUG	[user]	user/user.go:255	Restored 45 users from disk
WARN	[cfgwarn]	process/process.go:131	BETA: The system/process dataset is beta
DEBUG	[process]	process/process.go:168	Last state was sent at 2019-10-07 23:07:52.455978802 +0200 CEST. Next state update by 2019-10-08 11:07:52.455978802 +0200 CEST.
WARN	[cfgwarn]	socket/socket_linux.go:81	BETA: The system/socket dataset is beta.
INFO	[socket]	socket/socket_linux.go:197	Setting up system/socket for kernel 4.15.0-65-generic
DEBUG	[socket]	socket/socket_linux.go:244	IPv6 supported: true
DEBUG	[socket]	socket/socket_linux.go:251	IPv6 enabled: true
DEBUG	[socket]	socket/socket_linux.go:304	Selected kernel function SyS_gettimeofday for SYS_GETTIMEOFDAY
DEBUG	[socket]	socket/socket_linux.go:304	Selected kernel function SyS_newuname for SYS_UNAME
DEBUG	[socket]	socket/socket_linux.go:304	Selected kernel function ip_local_out for IP_LOCAL_OUT
DEBUG	[socket]	socket/socket_linux.go:304	Selected kernel function __skb_recv_udp for RECV_UDP_DATAGRAM
DEBUG	[socket]	socket/socket_linux.go:304	Selected kernel function SyS_execve for SYS_EXECVE
INFO	[socket]	guess/guess.go:258	Running 16 guesses ...
INFO	instance/beat.go:385	auditbeat stopped.
ERROR	instance/beat.go:878	Exiting: 1 error: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_sockaddr_in6 failed: timeout while waiting for trigger to complete
Exiting: 1 error: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_sockaddr_in6 failed: timeout while waiting for trigger to complete
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a03:b0c0:3:e0::54:d001/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::4e8:54ff:fe4d:9427/64 scope link 
       valid_lft forever preferred_lft forever
net.ipv6.anycast_src_echo_reply = 0
net.ipv6.auto_flowlabels = 1
net.ipv6.bindv6only = 0
net.ipv6.calipso_cache_bucket_size = 10
net.ipv6.calipso_cache_enable = 1
net.ipv6.conf.all.accept_dad = 0
net.ipv6.conf.all.accept_ra = 1
net.ipv6.conf.all.accept_ra_defrtr = 1
net.ipv6.conf.all.accept_ra_from_local = 0
net.ipv6.conf.all.accept_ra_min_hop_limit = 1
net.ipv6.conf.all.accept_ra_mtu = 1
net.ipv6.conf.all.accept_ra_pinfo = 1
net.ipv6.conf.all.accept_ra_rt_info_max_plen = 0
net.ipv6.conf.all.accept_ra_rt_info_min_plen = 0
net.ipv6.conf.all.accept_ra_rtr_pref = 1
net.ipv6.conf.all.accept_redirects = 1
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.all.addr_gen_mode = 0
net.ipv6.conf.all.autoconf = 1
net.ipv6.conf.all.dad_transmits = 1
net.ipv6.conf.all.disable_ipv6 = 0
net.ipv6.conf.all.disable_policy = 0
net.ipv6.conf.all.drop_unicast_in_l2_multicast = 0
net.ipv6.conf.all.drop_unsolicited_na = 0
net.ipv6.conf.all.enhanced_dad = 1
net.ipv6.conf.all.force_mld_version = 0
net.ipv6.conf.all.force_tllao = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.all.hop_limit = 64
net.ipv6.conf.all.ignore_routes_with_linkdown = 0
net.ipv6.conf.all.keep_addr_on_down = 0
net.ipv6.conf.all.max_addresses = 16
net.ipv6.conf.all.max_desync_factor = 600
net.ipv6.conf.all.mc_forwarding = 0
net.ipv6.conf.all.mldv1_unsolicited_report_interval = 10000
net.ipv6.conf.all.mldv2_unsolicited_report_interval = 1000
net.ipv6.conf.all.mtu = 1280
net.ipv6.conf.all.ndisc_notify = 0
net.ipv6.conf.all.ndisc_tclass = 0
net.ipv6.conf.all.proxy_ndp = 0
net.ipv6.conf.all.regen_max_retry = 3
net.ipv6.conf.all.router_probe_interval = 60
net.ipv6.conf.all.router_solicitation_delay = 1
net.ipv6.conf.all.router_solicitation_interval = 4
net.ipv6.conf.all.router_solicitation_max_interval = 3600
net.ipv6.conf.all.router_solicitations = -1
net.ipv6.conf.all.seg6_enabled = 0
net.ipv6.conf.all.seg6_require_hmac = 0
net.ipv6.conf.all.suppress_frag_ndisc = 1
net.ipv6.conf.all.temp_prefered_lft = 86400
net.ipv6.conf.all.temp_valid_lft = 604800
net.ipv6.conf.all.use_oif_addrs_only = 0
net.ipv6.conf.all.use_tempaddr = 0
net.ipv6.conf.default.accept_dad = 1
net.ipv6.conf.default.accept_ra = 1
net.ipv6.conf.default.accept_ra_defrtr = 1
net.ipv6.conf.default.accept_ra_from_local = 0
net.ipv6.conf.default.accept_ra_min_hop_limit = 1
net.ipv6.conf.default.accept_ra_mtu = 1
net.ipv6.conf.default.accept_ra_pinfo = 1
net.ipv6.conf.default.accept_ra_rt_info_max_plen = 0
net.ipv6.conf.default.accept_ra_rt_info_min_plen = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 1
net.ipv6.conf.default.accept_redirects = 1
net.ipv6.conf.default.accept_source_route = 0
net.ipv6.conf.default.addr_gen_mode = 0
net.ipv6.conf.default.autoconf = 1
net.ipv6.conf.default.dad_transmits = 1
net.ipv6.conf.default.disable_ipv6 = 0
net.ipv6.conf.default.disable_policy = 0
net.ipv6.conf.default.drop_unicast_in_l2_multicast = 0
net.ipv6.conf.default.drop_unsolicited_na = 0
net.ipv6.conf.default.enhanced_dad = 1
net.ipv6.conf.default.force_mld_version = 0
net.ipv6.conf.default.force_tllao = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.default.hop_limit = 64
net.ipv6.conf.default.ignore_routes_with_linkdown = 0
net.ipv6.conf.default.keep_addr_on_down = 0
net.ipv6.conf.default.max_addresses = 16
net.ipv6.conf.default.max_desync_factor = 600
net.ipv6.conf.default.mc_forwarding = 0
net.ipv6.conf.default.mldv1_unsolicited_report_interval = 10000
net.ipv6.conf.default.mldv2_unsolicited_report_interval = 1000
net.ipv6.conf.default.mtu = 1280
net.ipv6.conf.default.ndisc_notify = 0
net.ipv6.conf.default.ndisc_tclass = 0
net.ipv6.conf.default.proxy_ndp = 0
net.ipv6.conf.default.regen_max_retry = 3
net.ipv6.conf.default.router_probe_interval = 60
net.ipv6.conf.default.router_solicitation_delay = 1
net.ipv6.conf.default.router_solicitation_interval = 4
net.ipv6.conf.default.router_solicitation_max_interval = 3600
net.ipv6.conf.default.router_solicitations = -1
net.ipv6.conf.default.seg6_enabled = 0
net.ipv6.conf.default.seg6_require_hmac = 0
net.ipv6.conf.default.suppress_frag_ndisc = 1
net.ipv6.conf.default.temp_prefered_lft = 86400
net.ipv6.conf.default.temp_valid_lft = 604800
net.ipv6.conf.default.use_oif_addrs_only = 0
net.ipv6.conf.default.use_tempaddr = 0
net.ipv6.conf.eth0.accept_dad = 1
net.ipv6.conf.eth0.accept_ra = 0
net.ipv6.conf.eth0.accept_ra_defrtr = 1
net.ipv6.conf.eth0.accept_ra_from_local = 0
net.ipv6.conf.eth0.accept_ra_min_hop_limit = 1
net.ipv6.conf.eth0.accept_ra_mtu = 1
net.ipv6.conf.eth0.accept_ra_pinfo = 1
net.ipv6.conf.eth0.accept_ra_rt_info_max_plen = 0
net.ipv6.conf.eth0.accept_ra_rt_info_min_plen = 0
net.ipv6.conf.eth0.accept_ra_rtr_pref = 1
net.ipv6.conf.eth0.accept_redirects = 1
net.ipv6.conf.eth0.accept_source_route = 0
net.ipv6.conf.eth0.addr_gen_mode = 0
net.ipv6.conf.eth0.autoconf = 1
net.ipv6.conf.eth0.dad_transmits = 1
net.ipv6.conf.eth0.disable_ipv6 = 0
net.ipv6.conf.eth0.disable_policy = 0
net.ipv6.conf.eth0.drop_unicast_in_l2_multicast = 0
net.ipv6.conf.eth0.drop_unsolicited_na = 0
net.ipv6.conf.eth0.enhanced_dad = 1
net.ipv6.conf.eth0.force_mld_version = 0
net.ipv6.conf.eth0.force_tllao = 0
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth0.hop_limit = 64
net.ipv6.conf.eth0.ignore_routes_with_linkdown = 0
net.ipv6.conf.eth0.keep_addr_on_down = 0
net.ipv6.conf.eth0.max_addresses = 16
net.ipv6.conf.eth0.max_desync_factor = 600
net.ipv6.conf.eth0.mc_forwarding = 0
net.ipv6.conf.eth0.mldv1_unsolicited_report_interval = 10000
net.ipv6.conf.eth0.mldv2_unsolicited_report_interval = 1000
net.ipv6.conf.eth0.mtu = 1500
net.ipv6.conf.eth0.ndisc_notify = 0
net.ipv6.conf.eth0.ndisc_tclass = 0
net.ipv6.conf.eth0.proxy_ndp = 0
net.ipv6.conf.eth0.regen_max_retry = 3
net.ipv6.conf.eth0.router_probe_interval = 60
net.ipv6.conf.eth0.router_solicitation_delay = 1
net.ipv6.conf.eth0.router_solicitation_interval = 4
net.ipv6.conf.eth0.router_solicitation_max_interval = 3600
net.ipv6.conf.eth0.router_solicitations = -1
net.ipv6.conf.eth0.seg6_enabled = 0
net.ipv6.conf.eth0.seg6_require_hmac = 0
net.ipv6.conf.eth0.suppress_frag_ndisc = 1
net.ipv6.conf.eth0.temp_prefered_lft = 86400
net.ipv6.conf.eth0.temp_valid_lft = 604800
net.ipv6.conf.eth0.use_oif_addrs_only = 0
net.ipv6.conf.eth0.use_tempaddr = 0
net.ipv6.conf.lo.accept_dad = -1
net.ipv6.conf.lo.accept_ra = 1
net.ipv6.conf.lo.accept_ra_defrtr = 1
net.ipv6.conf.lo.accept_ra_from_local = 0
net.ipv6.conf.lo.accept_ra_min_hop_limit = 1
net.ipv6.conf.lo.accept_ra_mtu = 1
net.ipv6.conf.lo.accept_ra_pinfo = 1
net.ipv6.conf.lo.accept_ra_rt_info_max_plen = 0
net.ipv6.conf.lo.accept_ra_rt_info_min_plen = 0
net.ipv6.conf.lo.accept_ra_rtr_pref = 1
net.ipv6.conf.lo.accept_redirects = 1
net.ipv6.conf.lo.accept_source_route = 0
net.ipv6.conf.lo.addr_gen_mode = 0
net.ipv6.conf.lo.autoconf = 1
net.ipv6.conf.lo.dad_transmits = 1
net.ipv6.conf.lo.disable_ipv6 = 0
net.ipv6.conf.lo.disable_policy = 0
net.ipv6.conf.lo.drop_unicast_in_l2_multicast = 0
net.ipv6.conf.lo.drop_unsolicited_na = 0
net.ipv6.conf.lo.enhanced_dad = 1
net.ipv6.conf.lo.force_mld_version = 0
net.ipv6.conf.lo.force_tllao = 0
net.ipv6.conf.lo.forwarding = 0
net.ipv6.conf.lo.hop_limit = 64
net.ipv6.conf.lo.ignore_routes_with_linkdown = 0
net.ipv6.conf.lo.keep_addr_on_down = 0
net.ipv6.conf.lo.max_addresses = 16
net.ipv6.conf.lo.max_desync_factor = 600
net.ipv6.conf.lo.mc_forwarding = 0
net.ipv6.conf.lo.mldv1_unsolicited_report_interval = 10000
net.ipv6.conf.lo.mldv2_unsolicited_report_interval = 1000
net.ipv6.conf.lo.mtu = 65536
net.ipv6.conf.lo.ndisc_notify = 0
net.ipv6.conf.lo.ndisc_tclass = 0
net.ipv6.conf.lo.proxy_ndp = 0
net.ipv6.conf.lo.regen_max_retry = 3
net.ipv6.conf.lo.router_probe_interval = 60
net.ipv6.conf.lo.router_solicitation_delay = 1
net.ipv6.conf.lo.router_solicitation_interval = 4
net.ipv6.conf.lo.router_solicitation_max_interval = 3600
net.ipv6.conf.lo.router_solicitations = -1
net.ipv6.conf.lo.seg6_enabled = 0
net.ipv6.conf.lo.seg6_require_hmac = 0
net.ipv6.conf.lo.suppress_frag_ndisc = 1
net.ipv6.conf.lo.temp_prefered_lft = 86400
net.ipv6.conf.lo.temp_valid_lft = 604800
net.ipv6.conf.lo.use_oif_addrs_only = 0
net.ipv6.conf.lo.use_tempaddr = -1
net.ipv6.conf.wg0.accept_dad = -1
net.ipv6.conf.wg0.accept_ra = 1
net.ipv6.conf.wg0.accept_ra_defrtr = 1
net.ipv6.conf.wg0.accept_ra_from_local = 0
net.ipv6.conf.wg0.accept_ra_min_hop_limit = 1
net.ipv6.conf.wg0.accept_ra_mtu = 1
net.ipv6.conf.wg0.accept_ra_pinfo = 1
net.ipv6.conf.wg0.accept_ra_rt_info_max_plen = 0
net.ipv6.conf.wg0.accept_ra_rt_info_min_plen = 0
net.ipv6.conf.wg0.accept_ra_rtr_pref = 1
net.ipv6.conf.wg0.accept_redirects = 1
net.ipv6.conf.wg0.accept_source_route = 0
net.ipv6.conf.wg0.addr_gen_mode = 1
net.ipv6.conf.wg0.autoconf = 1
net.ipv6.conf.wg0.dad_transmits = 1
net.ipv6.conf.wg0.disable_ipv6 = 0
net.ipv6.conf.wg0.disable_policy = 0
net.ipv6.conf.wg0.drop_unicast_in_l2_multicast = 0
net.ipv6.conf.wg0.drop_unsolicited_na = 0
net.ipv6.conf.wg0.enhanced_dad = 1
net.ipv6.conf.wg0.force_mld_version = 0
net.ipv6.conf.wg0.force_tllao = 0
net.ipv6.conf.wg0.forwarding = 0
net.ipv6.conf.wg0.hop_limit = 64
net.ipv6.conf.wg0.ignore_routes_with_linkdown = 0
net.ipv6.conf.wg0.keep_addr_on_down = 0
net.ipv6.conf.wg0.max_addresses = 16
net.ipv6.conf.wg0.max_desync_factor = 600
net.ipv6.conf.wg0.mc_forwarding = 0
net.ipv6.conf.wg0.mldv1_unsolicited_report_interval = 10000
net.ipv6.conf.wg0.mldv2_unsolicited_report_interval = 1000
net.ipv6.conf.wg0.mtu = 1420
net.ipv6.conf.wg0.ndisc_notify = 0
net.ipv6.conf.wg0.ndisc_tclass = 0
net.ipv6.conf.wg0.proxy_ndp = 0
net.ipv6.conf.wg0.regen_max_retry = 3
net.ipv6.conf.wg0.router_probe_interval = 60
net.ipv6.conf.wg0.router_solicitation_delay = 1
net.ipv6.conf.wg0.router_solicitation_interval = 4
net.ipv6.conf.wg0.router_solicitation_max_interval = 3600
net.ipv6.conf.wg0.router_solicitations = -1
net.ipv6.conf.wg0.seg6_enabled = 0
net.ipv6.conf.wg0.seg6_require_hmac = 0
net.ipv6.conf.wg0.suppress_frag_ndisc = 1
net.ipv6.conf.wg0.temp_prefered_lft = 86400
net.ipv6.conf.wg0.temp_valid_lft = 604800
net.ipv6.conf.wg0.use_oif_addrs_only = 0
net.ipv6.conf.wg0.use_tempaddr = -1
net.ipv6.flowlabel_consistency = 1
net.ipv6.flowlabel_reflect = 0
net.ipv6.flowlabel_state_ranges = 0
net.ipv6.fwmark_reflect = 0
net.ipv6.icmp.ratelimit = 1000
net.ipv6.idgen_delay = 1
net.ipv6.idgen_retries = 3
net.ipv6.ip6frag_high_thresh = 262144
net.ipv6.ip6frag_low_thresh = 196608
net.ipv6.ip6frag_secret_interval = 0
net.ipv6.ip6frag_time = 60
net.ipv6.ip_nonlocal_bind = 0
net.ipv6.max_dst_opts_length = 2147483647
net.ipv6.max_dst_opts_number = 8
net.ipv6.max_hbh_length = 2147483647
net.ipv6.max_hbh_opts_number = 8
net.ipv6.mld_max_msf = 64
net.ipv6.mld_qrv = 2
net.ipv6.neigh.default.anycast_delay = 100
net.ipv6.neigh.default.app_solicit = 0
net.ipv6.neigh.default.base_reachable_time_ms = 30000
net.ipv6.neigh.default.delay_first_probe_time = 5
net.ipv6.neigh.default.gc_interval = 30
net.ipv6.neigh.default.gc_stale_time = 60
net.ipv6.neigh.default.gc_thresh1 = 128
net.ipv6.neigh.default.gc_thresh2 = 512
net.ipv6.neigh.default.gc_thresh3 = 1024
net.ipv6.neigh.default.locktime = 0
net.ipv6.neigh.default.mcast_resolicit = 0
net.ipv6.neigh.default.mcast_solicit = 3
net.ipv6.neigh.default.proxy_delay = 80
net.ipv6.neigh.default.proxy_qlen = 64
net.ipv6.neigh.default.retrans_time_ms = 1000
net.ipv6.neigh.default.ucast_solicit = 3
net.ipv6.neigh.default.unres_qlen = 101
net.ipv6.neigh.default.unres_qlen_bytes = 212992
net.ipv6.neigh.eth0.anycast_delay = 100
net.ipv6.neigh.eth0.app_solicit = 0
net.ipv6.neigh.eth0.base_reachable_time_ms = 30000
net.ipv6.neigh.eth0.delay_first_probe_time = 5
net.ipv6.neigh.eth0.gc_stale_time = 60
net.ipv6.neigh.eth0.locktime = 0
net.ipv6.neigh.eth0.mcast_resolicit = 0
net.ipv6.neigh.eth0.mcast_solicit = 3
net.ipv6.neigh.eth0.proxy_delay = 80
net.ipv6.neigh.eth0.proxy_qlen = 64
net.ipv6.neigh.eth0.retrans_time_ms = 1000
net.ipv6.neigh.eth0.ucast_solicit = 3
net.ipv6.neigh.eth0.unres_qlen = 101
net.ipv6.neigh.eth0.unres_qlen_bytes = 212992
net.ipv6.neigh.lo.anycast_delay = 100
net.ipv6.neigh.lo.app_solicit = 0
net.ipv6.neigh.lo.base_reachable_time_ms = 30000
net.ipv6.neigh.lo.delay_first_probe_time = 5
net.ipv6.neigh.lo.gc_stale_time = 60
net.ipv6.neigh.lo.locktime = 0
net.ipv6.neigh.lo.mcast_resolicit = 0
net.ipv6.neigh.lo.mcast_solicit = 3
net.ipv6.neigh.lo.proxy_delay = 80
net.ipv6.neigh.lo.proxy_qlen = 64
net.ipv6.neigh.lo.retrans_time_ms = 1000
net.ipv6.neigh.lo.ucast_solicit = 3
net.ipv6.neigh.lo.unres_qlen = 101
net.ipv6.neigh.lo.unres_qlen_bytes = 212992
net.ipv6.neigh.wg0.anycast_delay = 100
net.ipv6.neigh.wg0.app_solicit = 0
net.ipv6.neigh.wg0.base_reachable_time_ms = 30000
net.ipv6.neigh.wg0.delay_first_probe_time = 5
net.ipv6.neigh.wg0.gc_stale_time = 60
net.ipv6.neigh.wg0.locktime = 0
net.ipv6.neigh.wg0.mcast_resolicit = 0
net.ipv6.neigh.wg0.mcast_solicit = 3
net.ipv6.neigh.wg0.proxy_delay = 80
net.ipv6.neigh.wg0.proxy_qlen = 64
net.ipv6.neigh.wg0.retrans_time_ms = 1000
net.ipv6.neigh.wg0.ucast_solicit = 3
net.ipv6.neigh.wg0.unres_qlen = 101
net.ipv6.neigh.wg0.unres_qlen_bytes = 212992
net.ipv6.route.gc_elasticity = 9
net.ipv6.route.gc_interval = 30
net.ipv6.route.gc_min_interval = 0
net.ipv6.route.gc_min_interval_ms = 500
net.ipv6.route.gc_thresh = 1024
net.ipv6.route.gc_timeout = 60
net.ipv6.route.max_size = 4096
net.ipv6.route.min_adv_mss = 1220
net.ipv6.route.mtu_expires = 600
net.ipv6.xfrm6_gc_thresh = 32768

"ip -6 a add fd12:3456::1111 dev lo" does not output anything but finishes successfully and adds the IP to my loopback interface.

@ccolic

ccolic commented Oct 8, 2019

System: CentOS 7.7.1908

[cco@test ~]$ uname -a
Linux test 3.10.0-1062.1.2.el7.x86_64 #1 SMP Mon Sep 30 14:19:46 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

[cco@test ~]$ cat /etc/centos-release
CentOS Linux release 7.7.1908 (Core)

The system already has an IPv6 address. Adding the unique local address to interface 'lo' also works.

[cco@test~]$ sudo ip -6 a add fd12:3456::1111 dev lo
[cco@test~]$ ip -6 a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 fd12:3456::1111/128 scope global 
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2a00:adc0:ccdd::160/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fea0:2825/64 scope link 
       valid_lft forever preferred_lft forever

Running auditbeat shows the following error:

[cco@test~]$ sudo auditbeat run -e -d '*'

2019-10-08T10:56:02.039+0200    INFO    instance/beat.go:607    Home path: [/usr/share/auditbeat] Config path: [/etc/auditbeat] Data path: [/var/lib/auditbeat] Logs path: [/var/log/auditbeat]
2019-10-08T10:56:02.039+0200    DEBUG   [beat]  instance/beat.go:659    Beat metadata path: /var/lib/auditbeat/meta.json
2019-10-08T10:56:02.040+0200    INFO    instance/beat.go:615    Beat ID: 0d76a2ef-4db7-4df9-a4eb-128a4b3f6d02
2019-10-08T10:56:02.043+0200    DEBUG   [processors]    processors/processor.go:101     Generated new processors: add_host_metadata=[netinfo.enabled=[false], cache.ttl=[5m0s]], add_tags=central
2019-10-08T10:56:02.043+0200    DEBUG   [seccomp]       seccomp/seccomp.go:117  Loading syscall filter  {"seccomp_filter": {"no_new_privs":true,"flag":"tsync","policy":{"default_action":"errno","syscalls":[{"names":["accept","accept4","access","arch_prctl","bind","brk","clock_gettime","clone","close","connect","dup","dup2","epoll_create","epoll_create1","epoll_ctl","epoll_pwait","epoll_wait","exit","exit_group","fchdir","fchmod","fchown","fcntl","fdatasync","flock","fstat","fstatfs","fsync","ftruncate","futex","getcwd","getdents","getdents64","geteuid","getgid","getpeername","getpid","getppid","getrandom","getrlimit","getrusage","getsockname","getsockopt","gettid","gettimeofday","getuid","inotify_add_watch","inotify_init1","inotify_rm_watch","ioctl","kill","listen","lseek","lstat","madvise","mincore","mkdirat","mmap","mprotect","munmap","nanosleep","newfstatat","open","openat","pipe","pipe2","poll","ppoll","pread64","pselect6","pwrite64","read","readlink","readlinkat","recvfrom","recvmmsg","recvmsg","rename","renameat","rt_sigaction","rt_sigprocmask","rt_sigreturn","sched_getaffinity","sched_yield","sendfile","sendmmsg","sendmsg","sendto","set_robust_list","setitimer","setsockopt","shutdown","sigaltstack","socket","splice","stat","statfs","sysinfo","tgkill","time","tkill","uname","unlink","unlinkat","wait4","waitid","write","writev","umask","mremap","perf_event_open","eventfd2","mount","umount2"],"action":"allow"}]}}}
2019-10-08T10:56:02.043+0200    INFO    [seccomp]       seccomp/seccomp.go:124  Syscall filter successfully installed
2019-10-08T10:56:02.043+0200    INFO    [beat]  instance/beat.go:903    Beat info       {"system_info": {"beat": {"path": {"config": "/etc/auditbeat", "data": "/var/lib/auditbeat", "home": "/usr/share/auditbeat", "logs": "/var/log/auditbeat"}, "type": "auditbeat", "uuid": "0d76a2ef-4db7-4df9-a4eb-128a4b3f6d02"}}}
2019-10-08T10:56:02.044+0200    INFO    [beat]  instance/beat.go:912    Build info      {"system_info": {"build": {"commit": "f940c36884d3749901a9c99bea5463a6030cdd9c", "libbeat": "7.4.0", "time": "2019-09-27T07:42:54.000Z", "version": "7.4.0"}}}
2019-10-08T10:56:02.044+0200    INFO    [beat]  instance/beat.go:915    Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":2,"version":"go1.12.9"}}}
2019-10-08T10:56:02.045+0200    INFO    [beat]  instance/beat.go:919    Host info       {"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-10-08T10:53:46+02:00","containerized":false,"name":"test","ip":["127.0.0.1/8","::1/128","2a00:adc0:ccdd::160/64","fe80::250:56ff:fea0:2825/64"],"kernel_version":"3.10.0-1062.1.2.el7.x86_64","mac":["00:50:56:a0:28:25"],"os":{"family":"redhat","platform":"centos","name":"CentOS Linux","version":"7 (Core)","major":7,"minor":7,"patch":1908,"codename":"Core"},"timezone":"CEST","timezone_offset_sec":7200,"id":"653ca41406934f44b817de479abfc082"}}}
2019-10-08T10:56:02.046+0200    INFO    [beat]  instance/beat.go:948    Process info    {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"ambient":null}, "cwd": "/home/cco", "exe": "/usr/share/auditbeat/bin/auditbeat", "name": "auditbeat", "pid": 1407, "ppid": 1406, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2019-10-08T10:56:01.110+0200"}}}
2019-10-08T10:56:02.047+0200    INFO    instance/beat.go:292    Setup Beat: auditbeat; Version: 7.4.0
2019-10-08T10:56:02.047+0200    DEBUG   [beat]  instance/beat.go:318    Initializing output plugins
2019-10-08T10:56:02.047+0200    INFO    [index-management]      idxmgmt/std.go:178      Set output.elasticsearch.index to 'auditbeat-7.4.0' as ILM is enabled.
2019-10-08T10:56:02.048+0200    DEBUG   [tls]   tlscommon/tls.go:155    successfully loaded CA certificate: /etc/auditbeat/ssl/ca.crt
2019-10-08T10:56:02.048+0200    INFO    elasticsearch/client.go:170     Elasticsearch url: https://[OMITTED]:9200
2019-10-08T10:56:02.048+0200    INFO    elasticsearch/client.go:170     Elasticsearch url: https://[OMITTED]:9200
2019-10-08T10:56:02.049+0200    DEBUG   [publisher]     pipeline/consumer.go:137        start pipeline event consumer
2019-10-08T10:56:02.049+0200    INFO    [publisher]     pipeline/module.go:97   Beat name: test
2019-10-08T10:56:02.049+0200    DEBUG   [modules]       beater/metricbeat.go:121        Available modules and metricsets: Register [ModuleFactory:[system], MetricSetFactory:[auditd/auditd, file_integrity/file, system/host, system/login, system/package, system/process, system/socket, system/user]]
2019-10-08T10:56:02.064+0200    INFO    [auditd]        auditd/audit_linux.go:106       auditd module is running as euid=0 on kernel=3.10.0-1062.1.2.el7.x86_64
2019-10-08T10:56:02.115+0200    INFO    [auditd]        auditd/audit_linux.go:133       socket_type=unicast will be used.
2019-10-08T10:56:02.115+0200    DEBUG   [file_integrity]        file_integrity/metricset.go:97  Initialized the file event reader. Running as euid=0
2019-10-08T10:56:02.118+0200    WARN    [cfgwarn]       host/host.go:167        BETA: The system/host dataset is beta
2019-10-08T10:56:02.121+0200    DEBUG   [system]        host/host.go:448        Restored last host information from disk.
2019-10-08T10:56:02.121+0200    WARN    [cfgwarn]       login/login.go:95       BETA: The system/login dataset is beta
2019-10-08T10:56:02.123+0200    DEBUG   [login] login/utmp.go:539       Restored 4 UTMP file records from disk
2019-10-08T10:56:02.123+0200    DEBUG   [login] login/utmp.go:571       Restored 1 open login sessions from disk
2019-10-08T10:56:02.123+0200    WARN    [cfgwarn]       package/package.go:170  BETA: The system/package dataset is beta
2019-10-08T10:56:02.125+0200    DEBUG   [package]       package/package.go:201  Last state was sent at 2019-10-08 09:25:04.542397974 +0200 CEST. Next state update by 2019-10-08 15:25:04.542397974 +0200 CEST.
2019-10-08T10:56:02.127+0200    DEBUG   [package]       package/package.go:211  Restored 448 packages from disk
2019-10-08T10:56:02.128+0200    WARN    [cfgwarn]       process/process.go:131  BETA: The system/process dataset is beta
2019-10-08T10:56:02.130+0200    DEBUG   [process]       process/process.go:168  Last state was sent at 2019-10-08 09:25:59.586246016 +0200 CEST. Next state update by 2019-10-08 15:25:59.586246016 +0200 CEST.
2019-10-08T10:56:02.130+0200    WARN    [cfgwarn]       socket/socket_linux.go:81       BETA: The system/socket dataset is beta.
2019-10-08T10:56:02.130+0200    INFO    [socket]        socket/socket_linux.go:197      Setting up system/socket for kernel 3.10.0-1062.1.2.el7.x86_64
2019-10-08T10:56:02.134+0200    DEBUG   [socket]        socket/socket_linux.go:244      IPv6 supported: true
2019-10-08T10:56:02.134+0200    DEBUG   [socket]        socket/socket_linux.go:251      IPv6 enabled: true
2019-10-08T10:56:02.221+0200    DEBUG   [socket]        socket/socket_linux.go:304      Selected kernel function ip_local_out_sk for IP_LOCAL_OUT
2019-10-08T10:56:02.221+0200    DEBUG   [socket]        socket/socket_linux.go:304      Selected kernel function __skb_recv_datagram for RECV_UDP_DATAGRAM
2019-10-08T10:56:02.221+0200    DEBUG   [socket]        socket/socket_linux.go:304      Selected kernel function SyS_execve for SYS_EXECVE
2019-10-08T10:56:02.221+0200    DEBUG   [socket]        socket/socket_linux.go:304      Selected kernel function SyS_gettimeofday for SYS_GETTIMEOFDAY
2019-10-08T10:56:02.221+0200    DEBUG   [socket]        socket/socket_linux.go:304      Selected kernel function SyS_newuname for SYS_UNAME
2019-10-08T10:56:02.224+0200    INFO    [socket]        guess/guess.go:258      Running 16 guesses ...
2019-10-08T10:56:02.315+0200    DEBUG   [socket]        guess/guess.go:287      Guess guess_struct_socket_sk completed: {"SOCKET_SOCK":32}
2019-10-08T10:56:02.376+0200    DEBUG   [socket]        guess/guess.go:287      Guess tcp_sendmsg_guess completed: {"TCP_SENDMSG_LEN":"%cx"}
2019-10-08T10:56:02.426+0200    DEBUG   [socket]        guess/guess.go:287      Guess guess_struct_creds completed: {"STRUCT_CRED_EGID":24,"STRUCT_CRED_EUID":20,"STRUCT_CRED_GID":8,"STRUCT_CRED_UID":4}
2019-10-08T10:56:17.482+0200    WARN    [cfgwarn]       user/user.go:205        BETA: The system/user dataset is beta
2019-10-08T10:56:17.484+0200    DEBUG   [user]  user/user.go:245        Last state was sent at 2019-10-08 09:25:27.893422968 +0200 CEST. Next state update by 2019-10-08 15:25:27.893422968 +0200 CEST.
2019-10-08T10:56:17.485+0200    DEBUG   [user]  user/user.go:255        Restored 23 users from disk
2019-10-08T10:56:17.486+0200    INFO    instance/beat.go:385    auditbeat stopped.
2019-10-08T10:56:17.486+0200    ERROR   instance/beat.go:878    Exiting: 1 error: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_sockaddr_in6 failed: timeout while waiting for trigger to complete
Exiting: 1 error: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_sockaddr_in6 failed: timeout while waiting for trigger to complete

auditbeat.yml:

auditbeat.modules:
- module: system
  datasets:
    - host    # General host information, e.g. uptime, IPs
    - login   # User logins, logouts, and system boots.
    - package # Installed, updated, and removed packages
    - process # Started and stopped processes
    - socket  # Opened and closed sockets
    - user    # User information
  
  # How often datasets send state updates with the
  # current state of the system (e.g. all currently
  # running processes, all open sockets).
  state.period: 6h

  # Enabled by default. Auditbeat will read password fields in
  # /etc/passwd and /etc/shadow and store a hash locally to
  # detect any changes.
  user.detect_password_changes: true

  # File patterns of the login record files.
  login.wtmp_file_pattern: /var/log/wtmp*
  login.btmp_file_pattern: /var/log/btmp*

output.elasticsearch:
  hosts: ["OMITTED", "OMITTED"]
  protocol: "https"
  username: "auditbeat_writer"
  password: "OMITTED"
  ssl.certificate_authorities: ["/etc/auditbeat/ssl/ca.crt"]

processors:
  - add_host_metadata: ~

monitoring.enabled: true
logging.metrics.enabled: false

Workaround: Adding the following option in auditbeat.yml:

- module: system
  socket.enable_ipv6: false

@adriansr
Contributor Author

adriansr commented Oct 8, 2019

Thanks for the detailed information. I think I've addressed all the problems in #13966.

Just built a snapshot on top of 7.4.0, can you try it and report the outcome here? It shouldn't need socket.enable_ipv6: false.

https://ela.st/auditbeat740-ipv6-fix

@AntonAttano

Hi adriansr,
this did not fix it for me.
In #13966 you wrote that your patch fixes problems when ipv6 is disabled. I do not have ipv6 disabled. IPv6 is enabled and working fine.

stephan@root~ 0 > sudo dpkg -i auditbeat-7.4.0-SNAPSHOT-amd64.deb
(Reading database ... 102912 files and directories currently installed.)
Preparing to unpack auditbeat-7.4.0-SNAPSHOT-amd64.deb ...
Unpacking auditbeat (7.4.0) over (7.4.0) ...
Setting up auditbeat (7.4.0) ...
Processing triggers for systemd (237-3ubuntu10.29) ...
Processing triggers for ureadahead (0.100.0-21) ...

stephan@root~ 0 > sudo auditbeat run -e -d '*'
INFO	instance/beat.go:607	Home path: [/usr/share/auditbeat] Config path: [/etc/auditbeat] Data path: [/var/lib/auditbeat] Logs path: [/var/log/auditbeat]
DEBUG	[beat]	instance/beat.go:659	Beat metadata path: /var/lib/auditbeat/meta.json
INFO	instance/beat.go:615	Beat ID: afa2df26-38eb-4571-82da-9e4758f51031
DEBUG	[filters]	add_cloud_metadata/providers.go:126	add_cloud_metadata: starting to fetch metadata, timeout=3s
DEBUG	[filters]	add_cloud_metadata/providers.go:162	add_cloud_metadata: received disposition for az after 7.390705ms. result=[provider:az, error=failed with http status code 404, metadata={}]
DEBUG	[filters]	add_cloud_metadata/providers.go:162	add_cloud_metadata: received disposition for gcp after 7.806732ms. result=[provider:gcp, error=failed with http status code 404, metadata={}]
DEBUG	[filters]	add_cloud_metadata/providers.go:162	add_cloud_metadata: received disposition for openstack after 8.021241ms. result=[provider:openstack, error=failed with http status code 404, metadata={}]
DEBUG	[filters]	add_cloud_metadata/providers.go:162	add_cloud_metadata: received disposition for aws after 8.094352ms. result=[provider:aws, error=failed with http status code 404, metadata={}]
DEBUG	[filters]	add_cloud_metadata/providers.go:162	add_cloud_metadata: received disposition for digitalocean after 31.029801ms. result=[provider:digitalocean, error=<nil>, metadata={"instance":{"id":"137391861"},"provider":"digitalocean","region":"fra1"}]
DEBUG	[filters]	add_cloud_metadata/providers.go:129	add_cloud_metadata: fetchMetadata ran for 31.146688ms
INFO	add_cloud_metadata/add_cloud_metadata.go:91	add_cloud_metadata: hosting provider type detected as digitalocean, metadata={"instance":{"id":"137391861"},"provider":"digitalocean","region":"fra1"}
DEBUG	[processors]	processors/processor.go:101	Generated new processors: add_host_metadata=[netinfo.enabled=[false], cache.ttl=[5m0s]], add_cloud_metadata={"instance":{"id":"137391861"},"provider":"digitalocean","region":"fra1"}
DEBUG	[seccomp]	seccomp/seccomp.go:117	Loading syscall filter	{"seccomp_filter": {"no_new_privs":true,"flag":"tsync","policy":{"default_action":"errno","syscalls":[{"names":["accept","accept4","access","arch_prctl","bind","brk","clock_gettime","clone","close","connect","dup","dup2","epoll_create","epoll_create1","epoll_ctl","epoll_pwait","epoll_wait","exit","exit_group","fchdir","fchmod","fchown","fcntl","fdatasync","flock","fstat","fstatfs","fsync","ftruncate","futex","getcwd","getdents","getdents64","geteuid","getgid","getpeername","getpid","getppid","getrandom","getrlimit","getrusage","getsockname","getsockopt","gettid","gettimeofday","getuid","inotify_add_watch","inotify_init1","inotify_rm_watch","ioctl","kill","listen","lseek","lstat","madvise","mincore","mkdirat","mmap","mprotect","munmap","nanosleep","newfstatat","open","openat","pipe","pipe2","poll","ppoll","pread64","pselect6","pwrite64","read","readlink","readlinkat","recvfrom","recvmmsg","recvmsg","rename","renameat","rt_sigaction","rt_sigprocmask","rt_sigreturn","sched_getaffinity","sched_yield","sendfile","sendmmsg","sendmsg","sendto","set_robust_list","setitimer","setsockopt","shutdown","sigaltstack","socket","splice","stat","statfs","sysinfo","tgkill","time","tkill","uname","unlink","unlinkat","wait4","waitid","write","writev","umask","mremap","perf_event_open","eventfd2","mount","umount2"],"action":"allow"}]}}}
INFO	[seccomp]	seccomp/seccomp.go:124	Syscall filter successfully installed
INFO	[beat]	instance/beat.go:903	Beat info	{"system_info": {"beat": {"path": {"config": "/etc/auditbeat", "data": "/var/lib/auditbeat", "home": "/usr/share/auditbeat", "logs": "/var/log/auditbeat"}, "type": "auditbeat", "uuid": "afa2df26-38eb-4571-82da-9e4758f51031"}}}
INFO	[beat]	instance/beat.go:912	Build info	{"system_info": {"build": {"commit": "fe2f4f53d95f7a0137767f2d8e6d23a909829412", "libbeat": "7.4.0", "time": "2019-10-08T16:08:43.000Z", "version": "7.4.0"}}}
INFO	[beat]	instance/beat.go:915	Go runtime info	{"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":1,"version":"go1.12.9"}}}
INFO	[beat]	instance/beat.go:919	Host info	{"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-10-01T19:14:26+02:00","containerized":false,"name":"root","ip":["127.0.0.1/8","fd12:3456::1111/128","::1/128","157.230.121.52/20","10.19.0.6/16","2a03:b0c0:3:e0::54:d001/64","fe80::4e8:54ff:fe4d:9427/64","10.10.10.1/24"],"kernel_version":"4.15.0-65-generic","mac":["06:e8:54:4d:94:27"],"os":{"family":"debian","platform":"ubuntu","name":"Ubuntu","version":"18.04.3 LTS (Bionic Beaver)","major":18,"minor":4,"patch":3,"codename":"bionic"},"timezone":"CEST","timezone_offset_sec":7200,"id":"434477ac15fa492da53d0a1effd2ba74"}}}
INFO	[beat]	instance/beat.go:948	Process info	{"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"ambient":null}, "cwd": "/home/stephan", "exe": "/usr/share/auditbeat/bin/auditbeat", "name": "auditbeat", "pid": 18710, "ppid": 18709, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2019-10-09T09:49:12.840+0200"}}}
INFO	instance/beat.go:292	Setup Beat: auditbeat; Version: 7.4.0
DEBUG	[beat]	instance/beat.go:318	Initializing output plugins
INFO	[index-management]	idxmgmt/std.go:178	Set output.elasticsearch.index to 'auditbeat-7.4.0' as ILM is enabled.
INFO	elasticsearch/client.go:170	Elasticsearch url: https://elasticsearch.sherbers.de:443
DEBUG	[publisher]	pipeline/consumer.go:137	start pipeline event consumer
INFO	[publisher]	pipeline/module.go:97	Beat name: root
DEBUG	[modules]	beater/metricbeat.go:121	Available modules and metricsets: Register [ModuleFactory:[system], MetricSetFactory:[auditd/auditd, file_integrity/file, system/host, system/login, system/package, system/process, system/socket, system/user]]
INFO	[auditd]	auditd/audit_linux.go:106	auditd module is running as euid=0 on kernel=4.15.0-65-generic
INFO	[auditd]	auditd/audit_linux.go:133	socket_type=unicast will be used.
DEBUG	[file_integrity]	file_integrity/metricset.go:97	Initialized the file event reader. Running as euid=0
WARN	[cfgwarn]	host/host.go:167	BETA: The system/host dataset is beta
DEBUG	[system]	host/host.go:448	Restored last host information from disk.
WARN	[cfgwarn]	login/login.go:95	BETA: The system/login dataset is beta
DEBUG	[login]	login/utmp.go:539	Restored 4 UTMP file records from disk
DEBUG	[login]	login/utmp.go:571	Restored 1 open login sessions from disk
WARN	[cfgwarn]	package/package.go:170	BETA: The system/package dataset is beta
DEBUG	[package]	package/package.go:201	Last state was sent at 2019-10-08 23:26:40.760038424 +0200 CEST. Next state update by 2019-10-09 11:26:40.760038424 +0200 CEST.
DEBUG	[package]	package/package.go:211	Restored 652 packages from disk
WARN	[cfgwarn]	user/user.go:205	BETA: The system/user dataset is beta
DEBUG	[user]	user/user.go:245	Last state was sent at 2019-10-08 23:25:31.50370576 +0200 CEST. Next state update by 2019-10-09 11:25:31.50370576 +0200 CEST.
DEBUG	[user]	user/user.go:255	Restored 45 users from disk
WARN	[cfgwarn]	process/process.go:131	BETA: The system/process dataset is beta
DEBUG	[process]	process/process.go:168	Last state was sent at 2019-10-08 23:07:54.307304306 +0200 CEST. Next state update by 2019-10-09 11:07:54.307304306 +0200 CEST.
WARN	[cfgwarn]	socket/socket_linux.go:81	BETA: The system/socket dataset is beta.
INFO	[socket]	socket/socket_linux.go:197	Setting up system/socket for kernel 4.15.0-65-generic
DEBUG	[socket]	socket/socket_linux.go:245	IPv6 supported: true
DEBUG	[socket]	socket/socket_linux.go:252	IPv6 enabled: true
DEBUG	[socket]	socket/socket_linux.go:305	Selected kernel function ip_local_out for IP_LOCAL_OUT
DEBUG	[socket]	socket/socket_linux.go:305	Selected kernel function __skb_recv_udp for RECV_UDP_DATAGRAM
DEBUG	[socket]	socket/socket_linux.go:305	Selected kernel function SyS_execve for SYS_EXECVE
DEBUG	[socket]	socket/socket_linux.go:305	Selected kernel function SyS_gettimeofday for SYS_GETTIMEOFDAY
DEBUG	[socket]	socket/socket_linux.go:305	Selected kernel function SyS_newuname for SYS_UNAME
INFO	[socket]	guess/guess.go:258	Running 16 guesses ...
DEBUG	[socket]	guess/guess.go:112	 --- result of guess_inet_sock run #1: {"INET_SOCK_LADDR":[4,84,720,856],"INET_SOCK_LPORT":[728,866],"INET_SOCK_RADDR":[0,68,860],"INET_SOCK_RPORT":[12,864]}
DEBUG	[socket]	guess/guess.go:112	 --- result of guess_inet_sock run #2: {"INET_SOCK_LADDR":[4,84,720,856],"INET_SOCK_LPORT":[728,866],"INET_SOCK_RADDR":[0,68,860],"INET_SOCK_RPORT":[12,864]}
DEBUG	[socket]	guess/guess.go:112	 --- result of guess_inet_sock run #3: {"INET_SOCK_LADDR":[4,84,720,856],"INET_SOCK_LPORT":[728,866],"INET_SOCK_RADDR":[0,68,860],"INET_SOCK_RPORT":[12,864]}
DEBUG	[socket]	guess/guess.go:112	 --- result of guess_inet_sock run #4: {"INET_SOCK_LADDR":[4,84,720,856],"INET_SOCK_LPORT":[728,866],"INET_SOCK_RADDR":[0,68,860],"INET_SOCK_RPORT":[12,864]}
DEBUG	[socket]	guess/guess.go:287	Guess guess_inet_sock completed: {"INET_SOCK_LADDR":4,"INET_SOCK_LADDR_LIST":[4,84,720,856],"INET_SOCK_LPORT":728,"INET_SOCK_LPORT_LIST":[728,866],"INET_SOCK_RADDR":0,"INET_SOCK_RADDR_LIST":[0,68,860],"INET_SOCK_RPORT":12,"INET_SOCK_RPORT_LIST":[12,864]}
DEBUG	[socket]	guess/guess.go:287	Guess guess_sockaddr_in completed: {"SOCKADDR_IN_ADDR":4,"SOCKADDR_IN_AF":0,"SOCKADDR_IN_PORT":2}
DEBUG	[socket]	guess/guess.go:112	 --- result of guess_sk_buff_proto run #1: {"SK_BUFF_PROTO":[192]}
DEBUG	[socket]	guess/guess.go:112	 --- result of guess_sk_buff_proto run #2: {"SK_BUFF_PROTO":[192,544,640]}
DEBUG	[socket]	guess/guess.go:112	 --- result of guess_sk_buff_proto run #3: {"SK_BUFF_PROTO":[192]}
DEBUG	[socket]	guess/guess.go:112	 --- result of guess_sk_buff_proto run #4: {"SK_BUFF_PROTO":[192,544,640]}
DEBUG	[socket]	guess/guess.go:112	 --- result of guess_sk_buff_proto run #5: {"SK_BUFF_PROTO":[192]}
DEBUG	[socket]	guess/guess.go:112	 --- result of guess_sk_buff_proto run #6: {"SK_BUFF_PROTO":[192,544,640]}
DEBUG	[socket]	guess/guess.go:112	 --- result of guess_sk_buff_proto run #7: {"SK_BUFF_PROTO":[192]}
DEBUG	[socket]	guess/guess.go:112	 --- result of guess_sk_buff_proto run #8: {"SK_BUFF_PROTO":[192,544,640]}
DEBUG	[socket]	guess/guess.go:287	Guess guess_sk_buff_proto completed: {"SK_BUFF_PROTO":192}
DEBUG	[socket]	guess/guess.go:287	Guess guess_syscall_args completed: {"SYS_P1":"%di","SYS_P2":"%si","SYS_P3":"%dx","SYS_P4":"%cx","SYS_P5":"%r8","SYS_P6":"%r9"}
DEBUG	[socket]	guess/guess.go:287	Guess guess_udp_sendmsg completed: {"UDP_SENDMSG_LEN":"%dx","UDP_SENDMSG_MSG":"%si","UDP_SENDMSG_SOCK":"%di"}
DEBUG	[socket]	guess/guess.go:287	Guess guess_inet6_csk_xmit completed: {"INET6_CSK_XMIT_SKBUFF":"%si","INET6_CSK_XMIT_SOCK":"%di"}
DEBUG	[socket]	guess/guess.go:121	 --- guess_sk_buff_data_ptr run #0
DEBUG	[socket]	guess/guess.go:121	 --- guess_sk_buff_data_ptr run #1
DEBUG	[socket]	guess/guess.go:287	Guess guess_sk_buff_data_ptr completed: {"SK_BUFF_HAS_POINTERS":false,"SK_BUFF_HEAD":208,"SK_BUFF_MAC":198,"SK_BUFF_NETWORK":196,"SK_BUFF_TRANSPORT":194}
INFO	instance/beat.go:385	auditbeat stopped.
ERROR	instance/beat.go:878	Exiting: 1 error: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_sockaddr_in6 failed: timeout while waiting for trigger to complete
Exiting: 1 error: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_sockaddr_in6 failed: timeout while waiting for trigger to complete
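
A triage helper for debug output like the run above, added here as an example (it is not part of the issue thread or of Auditbeat): it reports which system/socket guesses completed, which one aborted setup, and how many of the announced guesses never appear in the log. The function name `summarize`, the shortened sample log and the IPv6 name heuristic are assumptions made for this example.

```python
import json
import re

# Patterns match on the message text only, so both log layouts seen in this
# thread (timestamped with spaces, or tab-separated without timestamp) work.
KERNEL_RE = re.compile(r"Setting up system/socket for kernel (\S+)")
IPV6_RE = re.compile(r"IPv6 (supported|enabled): (true|false)")
TOTAL_RE = re.compile(r"Running (\d+) guesses")
DONE_RE = re.compile(r"Guess (\w+) completed: (.*)$")
FAIL_RE = re.compile(
    r"unable to guess one or more required parameters: (\w+) failed: (.+?)\s*$"
)
# Heuristic (assumption): guess names containing these tokens concern IPv6.
IPV6_NAME_RE = re.compile(r"in6|inet6|ipv6", re.IGNORECASE)

# Constructed sample: a shortened excerpt in the format of the logs above.
SAMPLE_LOG = """\
INFO\t[socket]\tsocket/socket_linux.go:197\tSetting up system/socket for kernel 4.15.0-65-generic
DEBUG\t[socket]\tsocket/socket_linux.go:245\tIPv6 supported: true
DEBUG\t[socket]\tsocket/socket_linux.go:252\tIPv6 enabled: true
INFO\t[socket]\tguess/guess.go:258\tRunning 16 guesses ...
DEBUG\t[socket]\tguess/guess.go:112\t --- result of guess_sk_buff_proto run #1: {"SK_BUFF_PROTO":[192]}
DEBUG\t[socket]\tguess/guess.go:287\tGuess guess_sk_buff_proto completed: {"SK_BUFF_PROTO":192}
DEBUG\t[socket]\tguess/guess.go:287\tGuess guess_sockaddr_in completed: {"SOCKADDR_IN_ADDR":4,"SOCKADDR_IN_AF":0,"SOCKADDR_IN_PORT":2}
2019-10-08T10:56:02.315+0200    DEBUG   [socket]        guess/guess.go:287      Guess guess_struct_socket_sk completed: {"SOCKET_SOCK":32}
INFO\tinstance/beat.go:385\tauditbeat stopped.
ERROR\tinstance/beat.go:878\tExiting: 1 error: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_sockaddr_in6 failed: timeout while waiting for trigger to complete
Exiting: 1 error: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_sockaddr_in6 failed: timeout while waiting for trigger to complete
"""


def summarize(log_text):
    """Summarize the system/socket guess phase of an Auditbeat debug log."""
    summary = {
        "kernel": None,     # kernel release the dataset was set up for
        "ipv6": {},         # {"supported": bool, "enabled": bool} as logged
        "expected": None,   # N from "Running N guesses ..."
        "completed": {},    # guess name -> decoded result (None if unparsable)
        "failed": {},       # guess name -> failure reason
    }
    for line in log_text.splitlines():
        m = KERNEL_RE.search(line)
        if m:
            summary["kernel"] = m.group(1)
            continue
        m = IPV6_RE.search(line)
        if m:
            summary["ipv6"][m.group(1)] = m.group(2) == "true"
            continue
        m = TOTAL_RE.search(line)
        if m:
            summary["expected"] = int(m.group(1))
            continue
        m = DONE_RE.search(line)
        if m:
            try:
                values = json.loads(m.group(2))
            except ValueError:
                values = None  # line was truncated or wrapped when pasted
            summary["completed"][m.group(1)] = values
            continue
        m = FAIL_RE.search(line)
        if m:
            # The error is printed twice (log line and stderr); keyed by name.
            summary["failed"][m.group(1)] = m.group(2)

    reported = len(summary["completed"]) + len(summary["failed"])
    if summary["expected"] is None:
        summary["unreported"] = None
    else:
        # Guesses announced but with no outcome in the log.
        summary["unreported"] = max(summary["expected"] - reported, 0)
    summary["ipv6_related"] = sorted(
        name for name in summary["failed"] if IPV6_NAME_RE.search(name)
    )
    return summary


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```
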

@adriansr
Contributor Author

adriansr commented Oct 9, 2019

Thanks @stephan13360, I will investigate this problem.

Does it work for you when setting socket.enable_ipv6: true?

@AntonAttano

No, I get the exact same error.

INFO	instance/beat.go:607	Home path: [/usr/share/auditbeat] Config path: [/etc/auditbeat] Data path: [/var/lib/auditbeat] Logs path: [/var/log/auditbeat]
DEBUG	[beat]	instance/beat.go:659	Beat metadata path: /var/lib/auditbeat/meta.json
INFO	instance/beat.go:615	Beat ID: afa2df26-38eb-4571-82da-9e4758f51031
DEBUG	[filters]	add_cloud_metadata/providers.go:126	add_cloud_metadata: starting to fetch metadata, timeout=3s
DEBUG	[filters]	add_cloud_metadata/providers.go:162	add_cloud_metadata: received disposition for gcp after 8.662612ms. result=[provider:gcp, error=failed with http status code 404, metadata={}]
DEBUG	[filters]	add_cloud_metadata/providers.go:162	add_cloud_metadata: received disposition for az after 8.820512ms. result=[provider:az, error=failed with http status code 404, metadata={}]
DEBUG	[filters]	add_cloud_metadata/providers.go:162	add_cloud_metadata: received disposition for aws after 8.90406ms. result=[provider:aws, error=failed with http status code 404, metadata={}]
DEBUG	[filters]	add_cloud_metadata/providers.go:162	add_cloud_metadata: received disposition for openstack after 9.70986ms. result=[provider:openstack, error=failed with http status code 404, metadata={}]
DEBUG	[filters]	add_cloud_metadata/providers.go:162	add_cloud_metadata: received disposition for digitalocean after 33.8957ms. result=[provider:digitalocean, error=, metadata={"instance":{"id":"137391861"},"provider":"digitalocean","region":"fra1"}]
DEBUG	[filters]	add_cloud_metadata/providers.go:129	add_cloud_metadata: fetchMetadata ran for 34.001184ms
INFO	add_cloud_metadata/add_cloud_metadata.go:91	add_cloud_metadata: hosting provider type detected as digitalocean, metadata={"instance":{"id":"137391861"},"provider":"digitalocean","region":"fra1"}
DEBUG	[processors]	processors/processor.go:101	Generated new processors: add_host_metadata=[netinfo.enabled=[false], cache.ttl=[5m0s]], add_cloud_metadata={"instance":{"id":"137391861"},"provider":"digitalocean","region":"fra1"}
DEBUG	[seccomp]	seccomp/seccomp.go:117	Loading syscall filter	{"seccomp_filter": {"no_new_privs":true,"flag":"tsync","policy":{"default_action":"errno","syscalls":[{"names":["accept","accept4","access","arch_prctl","bind","brk","clock_gettime","clone","close","connect","dup","dup2","epoll_create","epoll_create1","epoll_ctl","epoll_pwait","epoll_wait","exit","exit_group","fchdir","fchmod","fchown","fcntl","fdatasync","flock","fstat","fstatfs","fsync","ftruncate","futex","getcwd","getdents","getdents64","geteuid","getgid","getpeername","getpid","getppid","getrandom","getrlimit","getrusage","getsockname","getsockopt","gettid","gettimeofday","getuid","inotify_add_watch","inotify_init1","inotify_rm_watch","ioctl","kill","listen","lseek","lstat","madvise","mincore","mkdirat","mmap","mprotect","munmap","nanosleep","newfstatat","open","openat","pipe","pipe2","poll","ppoll","pread64","pselect6","pwrite64","read","readlink","readlinkat","recvfrom","recvmmsg","recvmsg","rename","renameat","rt_sigaction","rt_sigprocmask","rt_sigreturn","sched_getaffinity","sched_yield","sendfile","sendmmsg","sendmsg","sendto","set_robust_list","setitimer","setsockopt","shutdown","sigaltstack","socket","splice","stat","statfs","sysinfo","tgkill","time","tkill","uname","unlink","unlinkat","wait4","waitid","write","writev","umask","mremap","perf_event_open","eventfd2","mount","umount2"],"action":"allow"}]}}}
INFO	[seccomp]	seccomp/seccomp.go:124	Syscall filter successfully installed
INFO	[beat]	instance/beat.go:903	Beat info	{"system_info": {"beat": {"path": {"config": "/etc/auditbeat", "data": "/var/lib/auditbeat", "home": "/usr/share/auditbeat", "logs": "/var/log/auditbeat"}, "type": "auditbeat", "uuid": "afa2df26-38eb-4571-82da-9e4758f51031"}}}
INFO	[beat]	instance/beat.go:912	Build info	{"system_info": {"build": {"commit": "fe2f4f53d95f7a0137767f2d8e6d23a909829412", "libbeat": "7.4.0", "time": "2019-10-08T16:08:43.000Z", "version": "7.4.0"}}}
INFO	[beat]	instance/beat.go:915	Go runtime info	{"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":1,"version":"go1.12.9"}}}
INFO	[beat]	instance/beat.go:919	Host info	{"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-10-01T19:14:26+02:00","containerized":false,"name":"root","ip":["127.0.0.1/8","fd12:3456::1111/128","::1/128","157.230.121.52/20","10.19.0.6/16","2a03:b0c0:3:e0::54:d001/64","fe80::4e8:54ff:fe4d:9427/64","10.10.10.1/24"],"kernel_version":"4.15.0-65-generic","mac":["06:e8:54:4d:94:27"],"os":{"family":"debian","platform":"ubuntu","name":"Ubuntu","version":"18.04.3 LTS (Bionic Beaver)","major":18,"minor":4,"patch":3,"codename":"bionic"},"timezone":"CEST","timezone_offset_sec":7200,"id":"434477ac15fa492da53d0a1effd2ba74"}}}
INFO	[beat]	instance/beat.go:948	Process info	{"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"ambient":null}, "cwd": "/home/stephan", "exe": "/usr/share/auditbeat/bin/auditbeat", "name": "auditbeat", "pid": 20281, "ppid": 20280, "seccomp": {"mode":"filter","no_new_privs":true}, "start_time": "2019-10-09T10:41:17.770+0200"}}}
INFO	instance/beat.go:292	Setup Beat: auditbeat; Version: 7.4.0
DEBUG	[beat]	instance/beat.go:318	Initializing output plugins
INFO	[index-management]	idxmgmt/std.go:178	Set output.elasticsearch.index to 'auditbeat-7.4.0' as ILM is enabled.
INFO	elasticsearch/client.go:170	Elasticsearch url: https://elasticsearch.sherbers.de:443
DEBUG	[publisher]	pipeline/consumer.go:137	start pipeline event consumer
INFO	[publisher]	pipeline/module.go:97	Beat name: root
DEBUG	[modules]	beater/metricbeat.go:121	Available modules and metricsets: Register [ModuleFactory:[system], MetricSetFactory:[auditd/auditd, file_integrity/file, system/host, system/login, system/package, system/process, system/socket, system/user]]
INFO	[auditd]	auditd/audit_linux.go:106	auditd module is running as euid=0 on kernel=4.15.0-65-generic
INFO	[auditd]	auditd/audit_linux.go:133	socket_type=unicast will be used.
DEBUG	[file_integrity]	file_integrity/metricset.go:97	Initialized the file event reader. Running as euid=0
WARN	[cfgwarn]	host/host.go:167	BETA: The system/host dataset is beta
DEBUG	[system]	host/host.go:448	Restored last host information from disk.
WARN	[cfgwarn]	login/login.go:95	BETA: The system/login dataset is beta
DEBUG	[login]	login/utmp.go:539	Restored 4 UTMP file records from disk
DEBUG	[login]	login/utmp.go:571	Restored 2 open login sessions from disk
WARN	[cfgwarn]	package/package.go:170	BETA: The system/package dataset is beta
DEBUG	[package]	package/package.go:201	Last state was sent at 2019-10-08 23:26:40.760038424 +0200 CEST. Next state update by 2019-10-09 11:26:40.760038424 +0200 CEST.
DEBUG	[package]	package/package.go:211	Restored 652 packages from disk
WARN	[cfgwarn]	user/user.go:205	BETA: The system/user dataset is beta
DEBUG	[user]	user/user.go:245	Last state was sent at 2019-10-08 23:25:31.50370576 +0200 CEST. Next state update by 2019-10-09 11:25:31.50370576 +0200 CEST.
DEBUG	[user]	user/user.go:255	Restored 45 users from disk
WARN	[cfgwarn]	process/process.go:131	BETA: The system/process dataset is beta
DEBUG	[process]	process/process.go:168	Last state was sent at 2019-10-08 23:07:54.307304306 +0200 CEST. Next state update by 2019-10-09 11:07:54.307304306 +0200 CEST.
WARN	[cfgwarn]	socket/socket_linux.go:81	BETA: The system/socket dataset is beta.
INFO	[socket]	socket/socket_linux.go:197	Setting up system/socket for kernel 4.15.0-65-generic
DEBUG	[socket]	socket/socket_linux.go:245	IPv6 supported: true
DEBUG	[socket]	socket/socket_linux.go:252	IPv6 enabled: true
DEBUG	[socket]	socket/socket_linux.go:305	Selected kernel function ip_local_out for IP_LOCAL_OUT
DEBUG	[socket]	socket/socket_linux.go:305	Selected kernel function __skb_recv_udp for RECV_UDP_DATAGRAM
DEBUG	[socket]	socket/socket_linux.go:305	Selected kernel function SyS_execve for SYS_EXECVE
DEBUG	[socket]	socket/socket_linux.go:305	Selected kernel function SyS_gettimeofday for SYS_GETTIMEOFDAY
DEBUG	[socket]	socket/socket_linux.go:305	Selected kernel function SyS_newuname for SYS_UNAME
INFO	[socket]	guess/guess.go:258	Running 16 guesses ...
DEBUG	[socket]	guess/guess.go:287	Guess guess_struct_socket_sk completed: {"SOCKET_SOCK":32}
DEBUG	[socket]	guess/guess.go:287	Guess guess_syscall_args completed: {"SYS_P1":"%di","SYS_P2":"%si","SYS_P3":"%dx","SYS_P4":"%cx","SYS_P5":"%r8","SYS_P6":"%r9"}
DEBUG	[socket]	guess/guess.go:287	Guess guess_sockaddr_in completed: {"SOCKADDR_IN_ADDR":4,"SOCKADDR_IN_AF":0,"SOCKADDR_IN_PORT":2}
DEBUG	[socket]	guess/guess.go:287	Guess tcp_sendmsg_guess completed: {"TCP_SENDMSG_LEN":"%dx"}
DEBUG	[socket]	guess/guess.go:112	 --- result of guess_inet_sock run #1: {"INET_SOCK_LADDR":[4,84,720,856],"INET_SOCK_LPORT":[728,866],"INET_SOCK_RADDR":[0,68,860],"INET_SOCK_RPORT":[12,864]}
DEBUG	[socket]	guess/guess.go:112	 --- result of guess_inet_sock run #2: {"INET_SOCK_LADDR":[4,84,720,856],"INET_SOCK_LPORT":[728,866],"INET_SOCK_RADDR":[0,68,860],"INET_SOCK_RPORT":[12,864]}
DEBUG	[socket]	guess/guess.go:112	 --- result of guess_inet_sock run #3: {"INET_SOCK_LADDR":[4,84,720,856],"INET_SOCK_LPORT":[728,866],"INET_SOCK_RADDR":[0,68,860],"INET_SOCK_RPORT":[12,864]}
DEBUG	[socket]	guess/guess.go:112	 --- result of guess_inet_sock run #4: {"INET_SOCK_LADDR":[4,84,720,856],"INET_SOCK_LPORT":[728,866],"INET_SOCK_RADDR":[0,68,860],"INET_SOCK_RPORT":[12,864]}
DEBUG	[socket]	guess/guess.go:287	Guess guess_inet_sock completed: {"INET_SOCK_LADDR":4,"INET_SOCK_LADDR_LIST":[4,84,720,856],"INET_SOCK_LPORT":728,"INET_SOCK_LPORT_LIST":[728,866],"INET_SOCK_RADDR":0,"INET_SOCK_RADDR_LIST":[0,68,860],"INET_SOCK_RPORT":12,"INET_SOCK_RPORT_LIST":[12,864]}
DEBUG	[socket]	guess/guess.go:112	 --- result of guess_sk_buff_proto run #1: {"SK_BUFF_PROTO":[192]}
DEBUG	[socket]	guess/guess.go:112	 --- result of guess_sk_buff_proto run #2: {"SK_BUFF_PROTO":[192]}
DEBUG	[socket]	guess/guess.go:112	 --- result of guess_sk_buff_proto run #3: {"SK_BUFF_PROTO":[192]}
DEBUG	[socket]	guess/guess.go:112	 --- result of guess_sk_buff_proto run #4: {"SK_BUFF_PROTO":[192]}
DEBUG	[socket]	guess/guess.go:112	 --- result of guess_sk_buff_proto run #5: {"SK_BUFF_PROTO":[192]}
DEBUG	[socket]	guess/guess.go:112	 --- result of guess_sk_buff_proto run #6: {"SK_BUFF_PROTO":[192]}
DEBUG	[socket]	guess/guess.go:112	 --- result of guess_sk_buff_proto run #7: {"SK_BUFF_PROTO":[192]}
DEBUG	[socket]	guess/guess.go:112	 --- result of guess_sk_buff_proto run #8: {"SK_BUFF_PROTO":[192]}
DEBUG	[socket]	guess/guess.go:287	Guess guess_sk_buff_proto completed: {"SK_BUFF_PROTO":192}
INFO	instance/beat.go:385	auditbeat stopped.
ERROR	instance/beat.go:878	Exiting: 1 error: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_sockaddr_in6 failed: timeout while waiting for trigger to complete
Exiting: 1 error: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_sockaddr_in6 failed: timeout while waiting for trigger to complete

@adriansr
Contributor Author

adriansr commented Oct 9, 2019

Sorry I mean socket.enable_ipv6: false.

@AntonAttano

Setting it to false works, as stated in my original discuss post.
Same behavior now with your patched version.

@adriansr
Contributor Author

adriansr commented Oct 9, 2019

I will keep trying to reproduce. Same distro / kernel works fine for me so there must be some difference in configuration.

@AntonAttano

The weird thing is, I have two servers, one Intel NUC and one Digitalocean VM. Both are configured through ansible, so there should be no configuration difference (except the different software running on them). On my NUC auditbeat is working fine.

I would be ok with giving you access to my VM if this is something that would help you debug this. There is nothing private on it.

@dancs85

dancs85 commented Oct 9, 2019

> The weird thing is, I have two servers, one Intel NUC and one Digitalocean VM. Both are configured through ansible, so there should be no configuration difference (except the different software running on them). On my NUC auditbeat is working fine.
>
> I would be ok with giving you access to my VM if this is something that would help you debug this. There is nothing private on it.

Are they both the same OS/Image/Kernel?

@AntonAttano

> > The weird thing is, I have two servers, one Intel NUC and one Digitalocean VM. Both are configured through ansible, so there should be no configuration difference (except the different software running on them). On my NUC auditbeat is working fine.
> > I would be ok with giving you access to my VM if this is something that would help you debug this. There is nothing private on it.
>
> Are they both the same OS/Image/Kernel?

Yes, both are running Ubuntu 18.04 with default kernel

Linux root 4.15.0-65-generic #74-Ubuntu SMP Tue Sep 17 17:06:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

@adriansr
Contributor Author

adriansr commented Oct 9, 2019

> I would be ok with giving you access to my VM if this is something that would help you debug this. There is nothing private on it.

@stephan13360 that would be great, because I'm running out of ideas. Can you send me the access credentials to adrian at elastic dot co?

@adriansr
Contributor Author

adriansr commented Oct 9, 2019

The packages in https://ela.st/auditbeat740-ipv6-fix have been updated.

@AntonAttano

Can confirm. This fixes it for me.

@adriansr adriansr added review and removed help wanted review labels Oct 9, 2019
@mvaldes14

Maybe not your target distro but can confirm this works in Arch Linux.

adriansr added a commit that referenced this issue Oct 14, 2019
…13966)

This patch fixes a few problems with the new system/socket dataset when
IPv6 has been disabled by booting the kernel with `ipv6.disable=1`.

- Detection of IPv6 can fail in an unexpected way causing a startup failure
  instead of disabling IPv6 support.
- One offset guess depended on the ability to create AF_INET6 sockets.
- A couple of offset guessing tasks depended on a connect() to a magic
  address in the range 127/8 or fd00::/8, which can cause a timeout error
  due to connect() blocking on some systems.

Fixes #13953
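
The first item in the commit message above (a failed IPv6 detection should disable IPv6 support, not abort startup) can be sketched as follows. This is an added example, not code from the Beats patch: `probeIPv6`, `resolveIPv6`, `socketFunc` and the tri-state `setting` are hypothetical names, and it assumes a kernel booted with `ipv6.disable=1` rejects `AF_INET6` socket creation with `EAFNOSUPPORT`.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"syscall"
)

// socketFunc has the signature of syscall.Socket so a test can stand in for the kernel.
type socketFunc func(domain, typ, proto int) (fd int, err error)

// probeIPv6 treats "no IPv6 in this kernel" errnos as (false, nil), not as a failure.
func probeIPv6(open socketFunc) (bool, error) {
	fd, err := open(syscall.AF_INET6, syscall.SOCK_DGRAM, 0)
	switch {
	case err == nil:
		if fd >= 0 {
			_ = syscall.Close(fd)
		}
		return true, nil
	case errors.Is(err, syscall.EAFNOSUPPORT), errors.Is(err, syscall.EPROTONOSUPPORT):
		return false, nil
	}
	return false, fmt.Errorf("IPv6 probe: %w", err)
}

// resolveIPv6 applies a hypothetical tri-state option: nil = auto-detect, else explicit.
func resolveIPv6(setting *bool, open socketFunc) (bool, error) {
	if setting != nil && !*setting {
		return false, nil // explicitly off: AF_INET6 is never touched
	}
	usable, err := probeIPv6(open)
	if setting == nil {
		if err != nil { // auto-detect degrades to IPv4-only instead of aborting
			log.Printf("IPv6 monitoring disabled, traffic will go unobserved: %v", err)
		}
		return usable, nil
	}
	if err == nil && !usable {
		err = errors.New("IPv6 required by configuration but AF_INET6 is unavailable")
	}
	return err == nil, err
}

func main() {
	enabled, err := resolveIPv6(nil, syscall.Socket)
	fmt.Printf("monitor IPv6: %v (error: %v)\n", enabled, err)
}
```

Only an explicit request for IPv6 turns an unavailable address family into a startup error; in auto-detect mode the downgrade is logged so the loss of IPv6 visibility is not silent.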
adriansr added a commit to adriansr/beats that referenced this issue Oct 14, 2019
…lastic#13966)

(cherry picked from commit 51abcaf)
adriansr added a commit that referenced this issue Oct 15, 2019
…13966) (#14041)

(cherry picked from commit 51abcaf)
@inits

inits commented Feb 28, 2021

service:guacamole com.docker.compose.version:1.27.4 execID:0f27f30e31c418cc540aaca040114ad928fefaf8110c0b90231e283878527e41 exitCode:0 image:jumpserver/guacamole:v2.7.1 name:jms_guacamole]} local 1614488222 1614488222300889116}
2021-02-28T04:57:03.082Z WARN [cfgwarn] user/user.go:232 BETA: The system/user dataset is beta
2021-02-28T04:57:03.083Z DEBUG [user] user/user.go:272 Last state was sent at 2021-02-28 04:18:55.190692216 +0000 UTC. Next state update by 2021-02-28 16:18:55.190692216 +0000 UTC.
2021-02-28T04:57:03.084Z DEBUG [user] user/user.go:282 Restored 27 users from disk
2021-02-28T04:57:03.084Z DEBUG [add_docker_metadata] docker/watcher.go:308 Watcher stopped
2021-02-28T04:57:03.084Z INFO instance/beat.go:437 auditbeat stopped.
2021-02-28T04:57:03.084Z ERROR instance/beat.go:971 Exiting: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_inet_sock failed: timeout while waiting for event
Exiting: 1 error: system/socket dataset setup failed: unable to guess one or more required parameters: guess_inet_sock failed: timeout while waiting for event
[root@en-us-public-mgr auditbeat]#
[root@en-us-public-mgr auditbeat]#

leweafan pushed a commit to leweafan/beats that referenced this issue Apr 28, 2023
…lastic#13966) (elastic#14041)

(cherry picked from commit 284faf4)