Vamsi Krishna

Reputation: 71

Can't start auditbeat

Hi, I am using the ELK stack version 7.1.1 with X-Pack installed, and I'm trying to configure and set up Auditbeat, but it shows the following error on startup:

ERROR   instance/beat.go:916    Exiting: 2 errors: 1 error: failed to create audit client: failed to get audit status: operation not permitted; 1 error: unable to create DNS sniffer: failed creating af_packet sniffer: operation not permitted

My auditbeat config:

auditbeat.modules:

- module: auditd
  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
  audit_rules: |

- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc

- module: system
  datasets:
    - host
    - login
    - package
    - process
    - socket
    - user

  state.period: 12h
  user.detect_password_changes: true
  login.wtmp_file_pattern: /var/log/wtmp*
  login.btmp_file_pattern: /var/log/btmp*

setup.template.settings:
  index.number_of_shards: 1
  index.codec: best_compression

setup.kibana:
  host: "localhost:5601"

output.elasticsearch:
  hosts: ["localhost:9200"]
  username: "elastic"
  password: "mypassword"

Please help me solve it.

Upvotes: 0

Views: 1957

Answers (1)

Yaroslav

Reputation: 260

I would assume you have launched auditbeat under an unprivileged user. Since auditbeat has to interact with auditd, most activities should be performed by root. [At least root rights solved the same issue in my case.]

PS: if you can't switch to root, try this: link

Upvotes: 1
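The two "operation not permitted" errors in the question come from kernel capability checks rather than file permissions: reading the audit status over the audit netlink socket is gated on CAP_AUDIT_CONTROL, and opening the AF_PACKET socket for the DNS sniffer is gated on CAP_NET_RAW (CAP_AUDIT_READ is also needed if the auditd module is configured with the multicast socket type). The script below is an added example, not code from the question, the answer, or the Auditbeat project: it decodes a CapEff mask in the format /proc/<pid>/status prints, reports which of those capabilities are missing, and suggests the fix. The setcap path /usr/share/auditbeat/bin/auditbeat is an assumption (the deb/rpm default); adjust it for your install.

```shell
#!/bin/sh
# Added example: check whether a process holds the Linux capabilities behind
# auditbeat's "operation not permitted" errors.
#
#   failed to get audit status        -> AUDIT_GET on the audit netlink socket,
#                                        gated by the kernel on CAP_AUDIT_CONTROL
#   failed creating af_packet sniffer -> AF_PACKET raw socket, gated on CAP_NET_RAW
#
# CAP_AUDIT_READ is included because the auditd module's multicast
# socket_type needs it. Numbers are the ones from linux/capability.h.

CAP_NET_RAW=13
CAP_AUDIT_CONTROL=30
CAP_AUDIT_READ=37

# has_cap MASK_HEX CAP_NUMBER
# MASK_HEX is a CapEff value exactly as printed in /proc/<pid>/status
# (hex digits, no 0x prefix). Succeeds if the bit for CAP_NUMBER is set.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# missing_caps MASK_HEX
# Prints the names of the required capabilities absent from the mask
# (space separated, empty if none) and returns non-zero if any are missing.
missing_caps() {
    _missing=""
    has_cap "$1" "$CAP_AUDIT_CONTROL" || _missing="$_missing cap_audit_control"
    has_cap "$1" "$CAP_AUDIT_READ"    || _missing="$_missing cap_audit_read"
    has_cap "$1" "$CAP_NET_RAW"       || _missing="$_missing cap_net_raw"
    printf '%s\n' "${_missing# }"
    [ -z "$_missing" ]
}

# Report on this shell's own effective capability set. Run it the same way
# auditbeat is started (same user, same service manager) to see what it gets.
report_self() {
    if [ ! -r /proc/self/status ]; then
        echo "no /proc/self/status here; this check only works on Linux"
        return 0
    fi
    mask=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
    if missing=$(missing_caps "$mask"); then
        echo "CapEff=$mask: everything auditbeat needs is present"
    else
        echo "CapEff=$mask is missing: $missing"
        echo "Either run auditbeat as root, or grant the binary file capabilities"
        echo "(path below is the deb/rpm default, an assumption; adjust for your install):"
        echo "  setcap cap_audit_control,cap_audit_read,cap_net_raw+eip /usr/share/auditbeat/bin/auditbeat"
    fi
}

report_self
```

Running it as root prints a full mask (0000003fffffffff on a 7.x-era kernel) with nothing missing; running it as an ordinary user prints an all-zero mask and all three names, which is the situation the answer describes. If you go the setcap route instead of root, remember that file_integrity and the system module still need read access to the paths they watch, so the unprivileged user must be able to read /etc, /var/log/wtmp and the rest of the configured locations.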