Update auditbeat docs for systemd to add LimitNOFILE to systemd service

[msimos]

The current docs only talk about macOS when getting "too many open files":

https://www.elastic.co/guide/en/beats/auditbeat/master/ulimit.html

However this can also be an issue with systemd as it only applies the default 1024. In production this can be too low as well as seen here for example:

https://discuss.elastic.co/t/auditbeat-filebeat-error-system-socket-dataset-setup-failed-unable-to-monitor-probe-p-inet6-create-inet6-create-proto-p3-perf-event-open-too-many-open-files/251210

The documentation either known issues above or in the URL:

https://www.elastic.co/guide/en/beats/auditbeat/master/running-with-systemd.html

Add this to /lib/systemd/system/auditbeat.service or use /etc/systemd/system/auditbeat.service.d/override.conf with something like:

[Service] LimitNOFILE=1048576

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[elasticmachine]

Pinging @elastic/obs-docs (Team:Docs)

[flakrat]

I just installed Auditbeat 7.14 via RPM (from elastic.co) on a RHEL 7 system and encountered the same issue. Auditbeat worked running it interactively but not via Systemd:

/usr/share/auditbeat/bin/auditbeat -c /etc/auditbeat/auditbeat.yml \
  --path.home /usr/share/auditbeat \
  --path.config /etc/auditbeat \
  --path.data /var/lib/auditbeat \
  --path.logs /var/log/auditbeat \
  -e -d "*"

Copying /usr/lib/systemd/system/auditbeat.service to /etc/systemd/system/ and then adding LimitNOFILE=65536 to the [Service] section got it running via Systemd.

[botelastic[bot]]

Hi! We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1. Thank you for your contribution!