Since merging #6023 I've been seeing the following error intermittently on startup.

Logs:

```
{"level":"warn","timestamp":"2018-01-17T04:27:08.521Z","logger":"cfgwarn","caller":"auditd/audit_linux.go:59","message":"BETA: The auditd module is a beta feature"}
{"level":"info","timestamp":"2018-01-17T04:27:08.529Z","logger":"auditd","caller":"auditd/audit_linux.go:68","message":"auditd module is running as euid=0 on kernel=4.11.8-300.fc26.x86_64\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000\u0000"}
{"level":"info","timestamp":"2018-01-17T04:27:08.532Z","logger":"auditd","caller":"auditd/audit_linux.go:91","message":"socket_type=unicast will be used."}
{"level":"info","timestamp":"2018-01-17T04:27:11.851Z","logger":"auditd","caller":"auditd/audit_linux.go:161","message":"Deleted 8 pre-existing audit rules."}
{"level":"info","timestamp":"2018-01-17T04:27:11.851Z","logger":"auditd","caller":"auditd/audit_linux.go:174","message":"Successfully added 8 of 8 audit rules."}
{"level":"info","timestamp":"2018-01-17T04:27:11.904Z","logger":"auditd","caller":"auditd/audit_linux.go:195","message":"audit status from kernel at start","audit_status":{"Mask":0,"Enabled":1,"Failure":0,"PID":0,"RateLimit":0,"BacklogLimit":8192,"Lost":0,"Backlog":0,"FeatureBitmap":63,"BacklogWaitTime":60000}}
{"level":"error","timestamp":"2018-01-17T04:27:11.911Z","logger":"auditd","caller":"auditd/audit_linux.go:113","message":"Failure receiving audit events","error":"failed to set audit PID (current audit PID 0): unexpected sequence number for reply (expected 2 but got 0)","errorVerbose":"unexpected sequence number for reply (expected 2 but got 0)\ngithub.com/elastic/beats/vendor/github.com/elastic/go-libaudit.(*AuditClient).getReply\n\t/home/vagrant/go/src/github.com/elastic/beats/vendor/github.com/elastic/go-libaudit/audit.go:427\ngithub.com/elastic/beats/vendor/github.com/elastic/go-libaudit.(*AuditClient).set\n\t/home/vagrant/go/src/github.com/elastic/beats/vendor/github.com/elastic/go-libaudit/audit.go:452\ngithub.com/elastic/beats/vendor/github.com/elastic/go-libaudit.(*AuditClient).SetPID\n\t/home/vagrant/go/src/github.com/elastic/beats/vendor/github.com/elastic/go-libaudit/audit.go:295\ngithub.com/elastic/beats/auditbeat/module/auditd.(*MetricSet).initClient\n\t/home/vagrant/go/src/github.com/elastic/beats/auditbeat/module/auditd/audit_linux.go:227\ngithub.com/elastic/beats/auditbeat/module/auditd.(*MetricSet).receiveEvents\n\t/home/vagrant/go/src/github.com/elastic/beats/auditbeat/module/auditd/audit_linux.go:237\ngithub.com/elastic/beats/auditbeat/module/auditd.(*MetricSet).Run\n\t/home/vagrant/go/src/github.com/elastic/beats/auditbeat/module/auditd/audit_linux.go:110\ngithub.com/elastic/beats/metricbeat/mb/module.(*metricSetWrapper).run\n\t/home/vagrant/go/src/github.com/elastic/beats/metricbeat/mb/module/wrapper.go:168\ngithub.com/elastic/beats/metricbeat/mb/module.(*Wrapper).Start.func1\n\t/home/vagrant/go/src/github.com/elastic/beats/metricbeat/mb/module/wrapper.go:112\nruntime.goexit\n\t/home/vagrant/.gvm/versions/go1.9.2.linux.amd64/src/runtime/asm_amd64.s:2337\nfailed to set audit PID (current audit PID 0)\ngithub.com/elastic/beats/auditbeat/module/auditd.(*MetricSet).initClient\n\t/home/vagrant/go/src/github.com/elastic/beats/auditbeat/module/auditd/audit_linux.go:231\ngithub.com/elastic/beats/auditbeat/module/auditd.(*MetricSet).receiveEvents\n\t/home/vagrant/go/src/github.com/elastic/beats/auditbeat/module/auditd/audit_linux.go:237\ngithub.com/elastic/beats/auditbeat/module/auditd.(*MetricSet).Run\n\t/home/vagrant/go/src/github.com/elastic/beats/auditbeat/module/auditd/audit_linux.go:110\ngithub.com/elastic/beats/metricbeat/mb/module.(*metricSetWrapper).run\n\t/home/vagrant/go/src/github.com/elastic/beats/metricbeat/mb/module/wrapper.go:168\ngithub.com/elastic/beats/metricbeat/mb/module.(*Wrapper).Start.func1\n\t/home/vagrant/go/src/github.com/elastic/beats/metricbeat/mb/module/wrapper.go:112\nruntime.goexit\n\t/home/vagrant/.gvm/versions/go1.9.2.linux.amd64/src/runtime/asm_amd64.s:2337"}
```

Config:

```yaml
auditbeat.modules:
- module: auditd
  resolve_ids: false
  include_raw_message: true
  include_warnings: true
  audit_rules: |
    -a always,exit -F arch=b32 -S all -F key=32bit-abi
    -a always,exit -F arch=b64 -S execve,execveat -k exec
    ## External access (warning: these can be expensive to audit).
    -a always,exit -F arch=b64 -S recvfrom,accept,bind,connect -F key=external-access
    ## Identity changes.
    -w /etc/group -p wa -k identity
    -w /etc/passwd -p wa -k identity
    -w /etc/gshadow -p wa -k identity
    ## Unauthorized access attempts.
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access
```
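The error above is a netlink sequence-number mismatch: the client sent its `AUDIT_SET` request with seq 2, but the next message read from the socket carried seq 0. Audit records that the kernel emits on its own (the events the freshly added rules start producing) carry seq 0 and are not a reply to anything, so a reader that expects the very next message to be its reply fails as soon as one of those is already queued. The following added example, which is not go-libaudit's or Auditbeat's code, shows the header decoding and the seq check in isolation and drains unsolicited or stale messages until the matching reply arrives. It assumes a little-endian host (x86_64, as in the log), uses the standard `nlmsghdr` layout, and feeds a constructed two-message receive buffer rather than a real socket; `NlmsgError` (2) and `AuditSyscall` (1300) are the standard netlink/audit type values.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// struct nlmsghdr from <linux/netlink.h>: len u32, type u16, flags u16,
// seq u32, pid u32 (16 bytes, host byte order).
const nlmsgHdrLen = 16

const (
	NlmsgError   uint16 = 2    // NLMSG_ERROR; with error=0 it is the ACK to a request
	AuditSyscall uint16 = 1300 // AUDIT_SYSCALL: a record the kernel originates itself
)

var ErrShort = errors.New("netlink message shorter than header")

// NetlinkMsg is one decoded netlink message.
type NetlinkMsg struct {
	Len   uint32
	Type  uint16
	Flags uint16
	Seq   uint32
	PID   uint32
	Data  []byte
}

// ParseNetlinkMsg decodes a single message. Assumption: little-endian host,
// so binary.LittleEndian is the kernel's byte order here.
func ParseNetlinkMsg(b []byte) (NetlinkMsg, error) {
	if len(b) < nlmsgHdrLen {
		return NetlinkMsg{}, ErrShort
	}
	m := NetlinkMsg{
		Len:   binary.LittleEndian.Uint32(b[0:4]),
		Type:  binary.LittleEndian.Uint16(b[4:6]),
		Flags: binary.LittleEndian.Uint16(b[6:8]),
		Seq:   binary.LittleEndian.Uint32(b[8:12]),
		PID:   binary.LittleEndian.Uint32(b[12:16]),
	}
	if int(m.Len) < nlmsgHdrLen || int(m.Len) > len(b) {
		return NetlinkMsg{}, fmt.Errorf("netlink length %d inconsistent with %d bytes", m.Len, len(b))
	}
	m.Data = b[nlmsgHdrLen:m.Len]
	return m, nil
}

// Verdict says how a received message relates to the request being waited on.
type Verdict int

const (
	Reply       Verdict = iota // seq matches the outstanding request
	Unsolicited                // seq 0: sent by the kernel on its own, not a reply
	Stale                      // any other seq: answer to a different request
)

// ClassifyReply compares the message seq with the seq of the request we sent.
func ClassifyReply(expectedSeq uint32, m NetlinkMsg) Verdict {
	switch {
	case m.Seq == expectedSeq:
		return Reply
	case m.Seq == 0:
		return Unsolicited
	default:
		return Stale
	}
}

// WaitForReply walks buffered messages until the reply to expectedSeq appears,
// skipping unsolicited or stale ones instead of failing on the first mismatch
// (the "expected 2 but got 0" case). It also reports how many were skipped.
func WaitForReply(expectedSeq uint32, queue [][]byte) (NetlinkMsg, int, error) {
	skipped := 0
	for _, raw := range queue {
		m, err := ParseNetlinkMsg(raw)
		if err != nil {
			return NetlinkMsg{}, skipped, err
		}
		if ClassifyReply(expectedSeq, m) == Reply {
			return m, skipped, nil
		}
		skipped++
	}
	return NetlinkMsg{}, skipped, fmt.Errorf("no reply for seq %d in %d messages", expectedSeq, len(queue))
}

// buildMsg encodes header plus payload; used only to construct sample input.
func buildMsg(typ uint16, seq, pid uint32, payload []byte) []byte {
	b := make([]byte, nlmsgHdrLen+len(payload)) // flags stay 0
	binary.LittleEndian.PutUint32(b[0:4], uint32(len(b)))
	binary.LittleEndian.PutUint16(b[4:6], typ)
	binary.LittleEndian.PutUint32(b[8:12], seq)
	binary.LittleEndian.PutUint32(b[12:16], pid)
	copy(b[nlmsgHdrLen:], payload)
	return b
}

// SampleQueue is a constructed receive buffer: a kernel-originated audit record
// (seq 0) is queued in front of the ACK (seq 2) for our AUDIT_SET request.
func SampleQueue() [][]byte {
	return [][]byte{
		buildMsg(AuditSyscall, 0, 0, []byte("audit(1516163231.900:42): arch=c000003e syscall=59")),
		buildMsg(NlmsgError, 2, 4321, []byte{0, 0, 0, 0}), // error=0: plain ACK
	}
}

func main() {
	m, skipped, err := WaitForReply(2, SampleQueue())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("reply type=%d seq=%d after skipping %d message(s)\n", m.Type, m.Seq, skipped)
}
```

The skipped record is not discarded in a real client; it would be handed to the event path, since it is exactly the audit data the module exists to collect. The point the example makes is only that the reply matcher must key on seq rather than on message order.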