Auditbeat 8.11 does not provide container id without privilege mode when cgroup v2 is enabled

Auditbeat 8.11 throughs error when installed as k8 daemonset with cgroup v2 .

DEBUG    [gosigar_cid_provider]    add_process_metadata/gosigar_cid_provider.go:63    failed to get cgroups for pid=1395: failed to read cgroups for pid=1395: error fetching cgroupV2 controllers.

It works only when `priveledged : true` is set . we have tried several other options such as running as root but still no go . Does auditbeat need to run in privileged mode to get container id information ?

          runAsUser: 0
          # If using Red Hat OpenShift uncomment this:
          #privileged: true
              # Capabilities needed for auditd module
              # - 'AUDIT_READ'
              # - 'AUDIT_WRITE'
              # - 'AUDIT_CONTROL'
              - 'ALL'

Please find the process config 

- add_process_metadata:
      match_pids: ['']
      include_fields: ['']
    #  cgroup_regex: '^.+cri-containerd.([0-9a-f]{64}).*'
    #  cgroup_cache_expire_time: "0"
  - add_kubernetes_metadata:
      host: ${NODE_NAME}
      default_indexers.enabled: false
      default_matchers.enabled: false
        - container:
      #  - pod_name:
        - fields.lookup_fields: ['']

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.