I tested the default sidecar auditbeat configuration (auditbeat-linux-default) on an Ubuntu 24.10 64-bit ARM (ARMv8/AArch64) desktop image and found that it fails with this error message in the auditbeat log:
```
Exiting: 1 error: failed to unpack the auditd config: 1 error: failed loading rules: 2 errors: at (audit_rules at auditbeat.yml):25: failed to interpret rule '-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access': failed to add syscall 'open': unknown syscall 'open' for arch aarch64; at (audit_rules at auditbeat.yml):26: failed to interpret rule '-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access': failed to add syscall 'open': unknown syscall 'open' for arch aarch64 accessing 'auditbeat.modules.0' (source:'/var/lib/graylog-sidecar/generated/674f3395440f6d6ae5bcab35/auditbeat.conf')
```
Looks like this part of the config is causing the error:
```
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
```
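An added example, not part of the issue or of the sidecar or auditbeat code: a small filter that adapts `arch=b64` audit rules for an aarch64 host by removing syscall names that architecture does not define, so the rest of the rule (here `truncate`, `ftruncate`, `openat`, `open_by_handle_at`) still loads. The `AARCH64_MISSING` set is an assumption: a partial list of legacy calls such as `open` and `creat` that are absent from the generic syscall table aarch64 uses. The function and constant names are hypothetical.

```python
# Added example: adapt auditd syscall rules for an aarch64 host.
# Assumption: partial list of legacy syscalls present on x86_64 but absent from
# the generic syscall table aarch64 uses (the *at variants replace them).
AARCH64_MISSING = {
    "open", "creat", "unlink", "rename", "mkdir", "rmdir", "chmod", "chown",
    "lchown", "link", "symlink", "readlink", "stat", "lstat", "access",
}

def adapt_rule(rule, missing=AARCH64_MISSING):
    """Return (rule_or_None, removed_syscalls) for one audit rule line."""
    tokens = rule.split()
    # Only 64-bit rules resolve to aarch64 on such a host; leave others alone.
    if not {"arch=b64", "arch=aarch64"} & set(tokens):
        return rule, []
    out, removed, kept = [], [], 0
    i = 0
    while i < len(tokens):
        if tokens[i] == "-S" and i + 1 < len(tokens):
            names = tokens[i + 1].split(",")
            keep = [n for n in names if n not in missing]
            removed += [n for n in names if n in missing]
            kept += len(keep)
            if keep:
                out += ["-S", ",".join(keep)]
            i += 2
        else:
            out.append(tokens[i])
            i += 1
    # A rule left with no -S would match every syscall, so drop it instead.
    if removed and kept == 0:
        return None, removed
    return " ".join(out), removed

# The rule quoted in the issue, plus a constructed one with only legacy calls.
ISSUE_RULE = ("-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,"
              "openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 "
              "-F auid!=4294967295 -F key=access")
CONSTRUCTED_RULE = "-a always,exit -F arch=b64 -S unlink,rename -F key=delete"

if __name__ == "__main__":
    for r in (ISSUE_RULE, CONSTRUCTED_RULE):
        new, gone = adapt_rule(r)
        print("removed:", ",".join(gone) or "-")
        print("rule   :", new if new else "(dropped: no syscalls left)")
```

Removing `open` and `creat` loses no coverage on aarch64, because those calls cannot be made there; file opens arrive through `openat`, which the rule keeps.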