Version
2.4.210
Installation Method
Security Onion ISO image
Description
upgrading
Installation Type
Distributed
Location
on-prem with Internet access
Hardware Specs
Exceeds minimum requirements
CPU
64
RAM
128g
Storage for /
4TB
Storage for /nsm
8TB
Network Traffic Collection
tap
Network Traffic Speeds
1Gbps to 10Gbps
Status
No, one or more services are failed (please provide detail below)
Salt Status
No, there are no failures
Logs
Yes, there are additional clues in /opt/so/log/ (please provide detail below)
Detail
After upgrading to Security Onion 2.4.210 (Elastic 9.0.8), we began seeing continuous Logstash errors on our manager node:
/opt/so/log/logstash/logstash.log
Example error:
field [event.module] only accepts values that are equal to the value defined in the mappings [auditd], but got [auditd_manager]
These indexing failures repeated rapidly and eventually caused so-logstash to crash/restart.
Environment
~50 Linux Elastic Agents
Systems include PBX, web servers, name servers, Zabbix monitoring, and SOC infrastructure
Fleet policy was unchanged during the upgrade
Agents appeared to upgrade successfully via Fleet
Resolution
The issue was resolved by manually reinstalling Elastic Agent on the affected systems:
/opt/Elastic/Agent/elastic-agent uninstall
Then reinstall the Elastic Agent 9.0.8 binary.
After reinstalling the agent, events were ingested normally and the Logstash errors stopped.
Question
Is this a known issue with the Elastic Agent upgrade to 9.0.8 where some Linux agents continue sending events with event.module=auditd_manager, which conflicts with the expected mapping (auditd)?
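Added example, not part of the original post or of Security Onion: a small triage script that scans a Logstash log for the "only accepts values that are equal to the value defined in the mappings" rejection quoted above, which is the message Elasticsearch emits for a constant_keyword field, and reports which field/value conflict is occurring and, where the warning includes the event, which agents are sending it. The sample log lines are constructed for the example; the mismatch message is the one from the post, but the surrounding Logstash warning layout (Ruby-hash style :response=>/:event=> keys and an "agent"=>{"name"=>...} blob) is an assumption about the log format, not copied from a real /opt/so/log/logstash/logstash.log.

```python
import re
import sys
from collections import Counter, defaultdict

# Constructed sample lines (not from a real install). The mismatch text is the
# one quoted in the post; the :response=>/:event=> layout is an assumption.
SAMPLE_LOG = """\
[2025-01-10T09:12:01,114][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :response=>{"create"=>{"status"=>400, "error"=>{"type"=>"document_parsing_exception", "reason"=>"[1:512] failed to parse: field [event.module] only accepts values that are equal to the value defined in the mappings [auditd], but got [auditd_manager]"}}}, :event=>{"agent"=>{"name"=>"pbx01", "version"=>"9.0.8"}}}
[2025-01-10T09:12:01,201][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :response=>{"create"=>{"status"=>400, "error"=>{"type"=>"document_parsing_exception", "reason"=>"[1:498] failed to parse: field [event.module] only accepts values that are equal to the value defined in the mappings [auditd], but got [auditd_manager]"}}}, :event=>{"agent"=>{"name"=>"ns01", "version"=>"9.0.8"}}}
[2025-01-10T09:12:02,009][INFO ][logstash.javapipeline    ] Pipeline started {"pipeline.id"=>"main"}
[2025-01-10T09:12:03,377][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :response=>{"create"=>{"status"=>400, "error"=>{"type"=>"document_parsing_exception", "reason"=>"[1:512] failed to parse: field [event.module] only accepts values that are equal to the value defined in the mappings [auditd], but got [auditd_manager]"}}}, :event=>{"agent"=>{"name"=>"pbx01", "version"=>"9.0.8"}}}
[2025-01-10T09:12:04,550][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :response=>{"create"=>{"status"=>400, "error"=>{"type"=>"document_parsing_exception", "reason"=>"[1:77] failed to parse: field [event.module] only accepts values that are equal to the value defined in the mappings [auditd], but got [auditd_manager]"}}}}
"""

# Elasticsearch's constant_keyword rejection message, as quoted in the post.
MISMATCH_RE = re.compile(
    r"field \[(?P<field>[^\]]+)\] only accepts values that are equal to the value "
    r"defined in the mappings \[(?P<expected>[^\]]+)\], but got \[(?P<got>[^\]]+)\]"
)
# Assumed layout of the logged event blob; adjust if your Logstash prints it differently.
AGENT_RE = re.compile(r'"agent"=>\{[^}]*"name"=>"(?P<agent>[^"]+)"')


def parse_mismatch(line):
    """Return (field, expected, got, agent_or_None) for a constant_keyword
    rejection line, or None if the line is not one."""
    m = MISMATCH_RE.search(line)
    if not m:
        return None
    a = AGENT_RE.search(line)
    return (m.group("field"), m.group("expected"), m.group("got"),
            a.group("agent") if a else None)


def summarize(log_text):
    """Count rejections per (field, expected, got) and collect the agent names
    seen for each conflict (sorted, duplicates removed)."""
    counts = Counter()
    agents = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_mismatch(line)
        if rec is None:
            continue
        field, expected, got, agent = rec
        key = (field, expected, got)
        counts[key] += 1
        if agent:
            agents[key].add(agent)
    return counts, {k: sorted(v) for k, v in agents.items()}


def report(log_text):
    """One human-readable line per conflict, most frequent first."""
    counts, agents = summarize(log_text)
    out = []
    for key, n in counts.most_common():
        field, expected, got = key
        who = ", ".join(agents.get(key, [])) or "unknown (no event blob in log line)"
        out.append(f"{field}: mapping expects [{expected}], {n} events sent [{got}]; agents: {who}")
    return out


if __name__ == "__main__":
    # Usage: python3 triage.py /opt/so/log/logstash/logstash.log
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for line in report(text):
        print(line)
```

Run it against the log path from the post; the agent list is the set of hosts to target with the uninstall/reinstall described in the Resolution section. Because the message comes from a constant_keyword mapping, every event whose event.module differs from the index's constant is rejected outright rather than coerced, so the rate of these lines tracks the number of misbehaving agents, not one bad event. If your Logstash version does not log the event alongside the 400 response, the agents will come out as unknown and you will need to correlate through Fleet or the dead letter queue instead.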