Beats: Auditbeat doesn't start due to corrupt meta.json

Created on 3 Oct 2018  路  6Comments  路  Source: elastic/beats

@xeraa reports a fresh install of Auditbeat 6.4.2 on a fresh VM fails to start due to a corrupted meta.json.

2018-10-03T08:06:22.814Z        INFO    instance/beat.go:544    Home path: [/usr/share/auditbeat] Config path: [/etc/auditbeat] Data path: [/var/lib/auditbeat] Logs path: [/var/log/auditbeat]
2018-10-03T08:06:22.815Z        INFO    instance/beat.go:315    auditbeat stopped.
2018-10-03T08:06:22.824Z        ERROR   instance/beat.go:743    Exiting: Beat meta file reading error: EOF

meta.json is empty:

-rw------- 1 root root     0 Oct  2 23:46 meta.json

Auditbeat started fine after the file is removed.

  • [ ] investigate what could've caused the empty file in the first place.
  • [ ] (discuss) consider not failing startup when loading meta.json files.

For confirmed bugs, please report:

  • Version: 6.4.2
  • Operating System: Ubuntu 16.04
  • Discuss Forum URL: n/a
  • Steps to Reproduce:
bug discuss libbeat
Source
picture adriansr

Most helpful comment

Some day I'll learn to read :innocent:, thanks

picture exekias on 4 Oct 2018
😄2

All 6 comments

Auditbeat 6.4.2 on Ubuntu 18.04. Installed by downloading the DEB (checksum matched) and then dpkg -i.

xeraa picture xeraa on 3 Oct 2018

Do we have the contents of the broken meta file?

Note about starting without it: some subsystems (like monitoring or management) use the UUID to identify themselves, starting without it or regenerating it, could cause issues there.

exekias picture exekias on 3 Oct 2018

The file was just empty:

-rw------- 1 root root     0 Oct  2 23:46 meta.json
xeraa picture xeraa on 3 Oct 2018

Some day I'll learn to read :innocent:, thanks

exekias picture exekias on 4 Oct 2018
😄2

@xeraa is it something you can reproduce. have you performed any configuration changes, configuring output...
also, do you run it using systemd or by hand?
trying to reproduce on Ubuntu 18 and 16 with a fresh install of auditbeat 6.4 but was not able to repro

michalpristas picture michalpristas on 6 Mar 2019

I had the same issue last week with 6.6.0 (or 6.6.1, not sure any more). It's fully automated: https://github.com/xeraa/auditbeat-in-action/blob/master/configure.yml. If I skip the stopping of Auditd, Auditbeat doesn't start up correctly any more.

Auditbeat config in https://github.com/xeraa/auditbeat-in-action/blob/master/templates/auditbeat.yml

xeraa picture xeraa on 6 Mar 2019
Was this page helpful?
0 / 5 - 0 ratings

Related issues

EndlessTundra picture EndlessTundra  路  3Comments
andrewkroh picture andrewkroh  路  3Comments
exekias picture exekias  路  3Comments
kemra102 picture kemra102  路  3Comments
geekpete picture geekpete  路  3Comments