Skip to content

auditbeat: docs incorrectly state that socket_type will be reverted to unicast if multicast is not available #37174

New issue
Jump to bottom
New issue
Jump to bottom
Closed
#37175
Closed
auditbeat: docs incorrectly state that socket_type will be reverted to unicast if multicast is not available#37174
#37175
Labels
8.11-candidate8.12-candidatebackport-v8.11.0Automated backport with mergifybugdocsneeds_integration_syncChanges in this PR need synced to elastic/integrations.
@efd6

Description

@efd6
efd6
opened on Nov 21, 2023

From here:

multicast can be used in kernel versions 3.16 and newer. By using multicast Auditbeat will receive an audit event broadcast that is not exclusive to a a single process. This is ideal for situations where auditd is running and managing the rules. If multicast is specified, but the kernel version is less than 3.16 Auditbeat will automatically revert to unicast.

Similar wording is in the auditd_manager integration here:

If it is set to true, but the kernel version is less than 3.16 it will be automatically disabled.

Remove this incorrect advice.

Metadata

Assignees

No one assigned

    Labels

    8.11-candidate8.12-candidatebackport-v8.11.0Automated backport with mergifybugdocsneeds_integration_syncChanges in this PR need synced to elastic/integrations.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions