-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Auditbeat system/socket fails to start due to IPv6 #13953
Comments
Pinging @elastic/siem (Team:SIEM) |
Version: 7.4.0 Error:
|
System: Ubuntu 18.04
"ip -6 a add fd12:3456::1111 dev lo" does not output anything but finishes successful and adding the ip to my loopback interface. |
System: CentOS 7.7.1908
The system already has an IPv6 address. Adding the unique local address to interface 'lo' also works.
Running auditbeat shows the following error:
auditbeat.yml:
Workaround: Adding the following option in auditbeat.yml:
|
Thanks for the detailed information. I think I've addresses all the problems in #13966. Just built a snapshot on top of 7.4.0, can you try it and report the outcome here? It shouldn't need |
Hi adriansr,
|
Thanks @stephan13360, I will investigate this problem. Does it work for you when setting |
No, I get the exact same error.
|
Sorry I mean |
Setting it to false works, as stated in my original discuss post. |
I will keep trying to reproduce. Same distro / kernel works fine for me so there must be some difference in configuration. |
The weird thing is, I have two server, one Intel NUC and one Digitalocean VM. Both are configured throught ansible, so there shoud be no configuration difference (except the different software running on them). On my NUC audirbeat working fine. I would be ok with giving you access to my VM if this is something that would help you debug this. There is nothing private on it. |
Are they both the same OS/Image/Kernel? |
Yes, both are running Ubuntu 18.04 with default kernel
|
@stephan13360 that would be great, because I'm running out of ideas. Can you send me the access credentials to adrian at elastic dot co? |
The packages in https://ela.st/auditbeat740-ipv6-fix have been updated. |
Can confirm. This fixes it for me. |
Maybe not your target distro but can confirm this works in Arch Linux. |
…13966) This patch fixes a few problems with the new system/socket dataset when IPv6 has been disabled by booting the kernel with `ipv6.disable=1`. - Detection of IPv6 can fail in an unexpected way causing a startup failure instead of disabling IPv6 support. - One offset guess depended on the ability to create AF_INET6 sockets. - A couple of offset guessing tasks depended on a connect() to a magic address in the range 127/8 or fd00::/8, which can cause a timeout error due to connect() blocking on some systems. Fixes #13953
…lastic#13966) This patch fixes a few problems with the new system/socket dataset when IPv6 has been disabled by booting the kernel with `ipv6.disable=1`. - Detection of IPv6 can fail in an unexpected way causing a startup failure instead of disabling IPv6 support. - One offset guess depended on the ability to create AF_INET6 sockets. - A couple of offset guessing tasks depended on a connect() to a magic address in the range 127/8 or fd00::/8, which can cause a timeout error due to connect() blocking on some systems. Fixes elastic#13953 (cherry picked from commit 51abcaf)
…13966) (#14041) This patch fixes a few problems with the new system/socket dataset when IPv6 has been disabled by booting the kernel with `ipv6.disable=1`. - Detection of IPv6 can fail in an unexpected way causing a startup failure instead of disabling IPv6 support. - One offset guess depended on the ability to create AF_INET6 sockets. - A couple of offset guessing tasks depended on a connect() to a magic address in the range 127/8 or fd00::/8, which can cause a timeout error due to connect() blocking on some systems. Fixes #13953 (cherry picked from commit 51abcaf)
service:guacamole com.docker.compose.version:1.27.4 execID:0f27f30e31c418cc540aaca040114ad928fefaf8110c0b90231e283878527e41 exitCode:0 image:jumpserver/guacamole:v2.7.1 name:jms_guacamole]} local 1614488222 1614488222300889116} |
…lastic#13966) (elastic#14041) This patch fixes a few problems with the new system/socket dataset when IPv6 has been disabled by booting the kernel with `ipv6.disable=1`. - Detection of IPv6 can fail in an unexpected way causing a startup failure instead of disabling IPv6 support. - One offset guess depended on the ability to create AF_INET6 sockets. - A couple of offset guessing tasks depended on a connect() to a magic address in the range 127/8 or fd00::/8, which can cause a timeout error due to connect() blocking on some systems. Fixes elastic#13953 (cherry picked from commit 284faf4)
Please include configurations and logs if available.
For confirmed bugs, please report:
The text was updated successfully, but these errors were encountered: