Failed to validate

Hello
I've created an Auditbeat config (see below). The config works fine, but sidecar times out on validation?
I click stop and then start, and after it has stopped everything works just fine.


Stop / Start example:


time="2022-11-07T12:05:27+01:00" level=info msg="[Auditbeat] Got remote stop command"
time="2022-11-07T12:05:27+01:00" level=info msg="[Auditbeat] Stopping"
time="2022-11-07T12:09:47+01:00" level=info msg="[Auditbeat] Got remote start command"
time="2022-11-07T12:09:47+01:00" level=info msg="[Auditbeat] Starting (exec driver)"


Config Update example: 
time="2022-11-07T11:51:35+01:00" level=info msg="[Auditbeat] Configuration change detected, rewriting configuration file."
time="2022-11-07T11:52:05+01:00" level=error msg="[Auditbeat] Unable to validate configuration, timeout reached."

Auditbeat config:
# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}
output.logstash:
   hosts: ["graylog.xxx.xxx:5044"]
tags: 
    - linux                                                       #added
    - auditbeat                                                     #added
auditbeat.modules:
- module: auditd
- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
- module: system
  datasets:
    - host      # General host information, e.g. uptime, IPs
    - process   # Started and stopped processes
    - login                                                         #!!linux only 
state.period: 12
user.detect_password_changes: true                                  #added
#processors:                                                        #Commented out
#  - add_host_metadata: ~                                           #Commented out
#  - add_cloud_metadata: ~                                          #Commented out

Hello @asc-clo

Could you describe your setup in more detail, such as what the OS is, etc.?

Oh yes, I forgot.

Ubuntu 22.04
Graylog 4.3.9+e2c6648
Graylog-sidecar 1.2.0
Auditbeat 8.4.3

Have you verified the API key for your sidecar? Does it successfully connect to Graylog?

When you say sidecar is timing out, what exactly do you mean? Can you include the (sanitized) sidecar logs please?

Also, are you running sidecar/auditbeat on Ubuntu 22.04 as well? There have been some issues with GL server on 22.04, and that might extend to the sidecar code as well. Try it on 20.x and see what you get.
