Beats: [Auditbeat] Default distribution fails to start on aarch64

Created on 4 Jan 2021  路  14Comments  路  Source: elastic/beats

For confirmed bugs, please report:

  • Version: 7.11.0 BC1
  • Operating System: Ubuntu aarch64
  • Steps to Reproduce:
    Install auditbeat and try to start, observe error 
2021-01-03T21:25:57.910Z    INFO    instance/beat.go:437    auditbeat stopped.
2021-01-03T21:25:57.913Z    ERROR   instance/beat.go:971    Exiting: 1 error: metricset 'system/socket' not found

Same thing happens on 7.10.1 so not a regression. The oss distribution works.

Auditbeat Agent Integrations Security-External Integrations bug
Source
picture liza-mae

Most helpful comment

We should update the config template to only include the modules that work for arm64. Then the config file will work out of the box.

https://github.com/elastic/beats/blob/518e8b366818c50e4859b7fa945171308dc30156/x-pack/auditbeat/module/system/_meta/config.yml.tmpl#L23-L24

picture andrewkroh on 5 Jan 2021
👍2

All 14 comments

Pinging @elastic/integrations (Team:Integrations)

elasticmachine picture elasticmachine on 4 Jan 2021

You need to disable the socket dataset in the system module. It only works on x86 architectures.

adriansr picture adriansr on 5 Jan 2021

Thanks let me try, is it documented or do we need to document this?

liza-mae picture liza-mae on 5 Jan 2021

This is the document I found: https://www.elastic.co/guide/en/beats/auditbeat/7.11/auditbeat-module-system.html - does it make sense to add something about it there?

liza-mae picture liza-mae on 5 Jan 2021

We should update the config template to only include the modules that work for arm64. Then the config file will work out of the box.

https://github.com/elastic/beats/blob/518e8b366818c50e4859b7fa945171308dc30156/x-pack/auditbeat/module/system/_meta/config.yml.tmpl#L23-L24

andrewkroh picture andrewkroh on 5 Jan 2021
👍2

Sounds good @andrewkroh

liza-mae picture liza-mae on 5 Jan 2021

This should be an easy fix, I'll see if I can knock it out

fearful-symmetry picture fearful-symmetry on 5 Jan 2021
🎉1

Thank you @fearful-symmetry - it would be nice if we can get it into 7.11.0 and 7.10.2 upcoming releases.

I already tested removing the system module and auditbeat comes up, having it do so out of the box would be best.

liza-mae picture liza-mae on 5 Jan 2021

@adriansr do we know what parts of the system module do work on aarch64?

fearful-symmetry picture fearful-symmetry on 5 Jan 2021

It may make sense to also update the documentation to say something about Linux aarch64 system module. Thoughts? 

The module is fully implemented for Linux. Some datasets are also available for macOS (Darwin) and Windows.
liza-mae picture liza-mae on 5 Jan 2021

Yah, with the coming age of M1 macs, we might want to be more explicit with ARM support

fearful-symmetry picture fearful-symmetry on 5 Jan 2021
👍1

Fix here: https://github.com/elastic/beats/pull/23381

Apologies for the delay, my country is struggling with democracy and the news is a tad distracting.

fearful-symmetry picture fearful-symmetry on 7 Jan 2021

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

elasticmachine picture elasticmachine on 8 Jan 2021

Pinging @elastic/agent (Team:Agent)

elasticmachine picture elasticmachine on 8 Jan 2021
Was this page helpful?
0 / 5 - 0 ratings

Related issues

ptrlv picture ptrlv  路  3Comments
TomaszKlosinski picture TomaszKlosinski  路  3Comments
geekpete picture geekpete  路  3Comments
tsg picture tsg  路  4Comments
exekias picture exekias  路  3Comments