When using a unicast netlink socket, only one userspace process can be registered to receive data from the kernel audit framework. If two are running, only one will receive data; the other will get nothing, and no error is reported.
Auditbeat could be enhanced to make it more user-friendly by detecting this condition and warning the user, both by logging a message and by sending an error event to ES.
Detection could be accomplished by:
- Periodically checking whether the Auditbeat PID is registered as the recipient of audit data in the kernel. We can query the audit status and, if our PID isn't present, warn and try to fix the issue.
- Dumping the process table and looking for "auditd".
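As an added illustration of both checks (this is example code, not Auditbeat's own implementation), the following Go program reads the registered receiver PID from the `pid` line of `auditctl -s` output, compares it with its own PID, and names the competing process from `/proc/<pid>/comm`. The `auditctl -s` key/value line format and the `/proc` layout are assumptions; the parsing and diagnosis are separated from the live calls so the logic can be exercised on constructed input.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"strconv"
	"strings"
)

// AuditStatus holds the fields of `auditctl -s` output that the check uses.
type AuditStatus struct {
	Enabled int // 0 = auditing off, 1 = on, 2 = on and locked
	PID     int // process the kernel delivers audit records to; 0 = nobody registered
}

// Verdict classifies who is receiving audit records.
type Verdict int

const (
	VerdictOK            Verdict = iota // our PID is the registered receiver
	VerdictAuditDisabled                // kernel auditing is switched off
	VerdictNoReceiver                   // nobody has registered; records are dropped
	VerdictOtherReceiver                // another process (e.g. auditd) holds the socket
)

// ParseAuditctlStatus parses the "key value" lines printed by `auditctl -s`
// (assumed format), e.g. "enabled 1" and "pid 1234". Unknown keys are ignored.
func ParseAuditctlStatus(out string) (AuditStatus, error) {
	var st AuditStatus
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 2 {
			continue
		}
		switch fields[0] {
		case "enabled", "pid":
			v, err := strconv.Atoi(fields[1])
			if err != nil {
				return st, fmt.Errorf("bad %s value %q: %w", fields[0], fields[1], err)
			}
			if fields[0] == "enabled" {
				st.Enabled = v
			} else {
				st.PID = v
			}
		}
	}
	return st, sc.Err()
}

// Diagnose compares the kernel's registered receiver with our own PID.
// comms maps PID -> process name (contents of /proc/<pid>/comm) and is used
// only to name the competing process in the message.
func Diagnose(st AuditStatus, ownPID int, comms map[int]string) (Verdict, string) {
	switch {
	case st.Enabled == 0:
		return VerdictAuditDisabled, "kernel auditing is disabled (enabled=0); no records will be delivered"
	case st.PID == 0:
		return VerdictNoReceiver, "no process is registered to receive audit records; they are being dropped"
	case st.PID == ownPID:
		return VerdictOK, fmt.Sprintf("audit records are delivered to this process (pid %d)", ownPID)
	default:
		name := comms[st.PID]
		if name == "" {
			name = "unknown"
		}
		return VerdictOtherReceiver, fmt.Sprintf(
			"audit records are delivered to pid %d (%s), not to this process (pid %d); stop the competing consumer",
			st.PID, name, ownPID)
	}
}

// ReadProcComms builds the PID -> name map from /proc/<pid>/comm (Linux only).
func ReadProcComms() map[int]string {
	comms := map[int]string{}
	entries, err := os.ReadDir("/proc")
	if err != nil {
		return comms
	}
	for _, e := range entries {
		pid, err := strconv.Atoi(e.Name())
		if err != nil {
			continue // not a process directory
		}
		b, err := os.ReadFile(filepath.Join("/proc", e.Name(), "comm"))
		if err != nil {
			continue // process exited or not readable
		}
		comms[pid] = strings.TrimSpace(string(b))
	}
	return comms
}

// main runs the live check; it needs Linux and enough privilege to run `auditctl -s`.
func main() {
	out, err := exec.Command("auditctl", "-s").Output()
	if err != nil {
		fmt.Fprintln(os.Stderr, "auditctl -s failed:", err)
		os.Exit(2)
	}
	st, err := ParseAuditctlStatus(string(out))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	verdict, msg := Diagnose(st, os.Getpid(), ReadProcComms())
	fmt.Println(msg)
	if verdict != VerdictOK {
		os.Exit(1)
	}
}
```

Run periodically from a health-check goroutine, a non-OK verdict is what would drive the log message and the error event the issue proposes; the `comms` lookup is what turns "pid 1234" into "auditd" so the operator knows which daemon to stop.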