Auditbeat failed to load rules on aarch64/ARM 64 bits

Hi sir,

When I try to load the following rules on the aarch64 platform (ARM 64-bit),

-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access

I get the following errors and auditbeat doesn't start:

Exiting: 1 error: 1 error: failed to unpack the auditd config: 1 error: failed loading rules: 2 errors: at (audit_rules at auditbeat.yml):23:
failed to interpret rule '-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -k access': failed to add syscall 'open': unknown syscall 'open' for arch aarch64; at (audit_rules at auditbeat.yml):24:
failed to interpret rule '-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -k access':
failed to add syscall 'open': unknown syscall 'open' for arch aarch64 accessing 'auditbeat.modules.0' (source:'auditbeat.yml')

Use arch=b32 or comment them out for now. How can I solve or work around this issue with arch=b64?

Thanks very much

Albert
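Added example (not code from the post or from Auditbeat itself) showing why the rule fails and how to port it: the aarch64 kernel uses the generic syscall table, which has no legacy `open` or `creat` entries (glibc implements both on top of `openat`), so a `-S` list that names them is rejected. The table below is a hand-picked subset of the real syscall tables, embedded only for this demonstration; `port_rule` is a hypothetical helper, not an auditctl or Auditbeat feature.

```python
import re

# Constructed subset of the Linux syscall tables (not the full lists).
# aarch64 (generic table): no 'open'/'creat'; file opens all go through openat.
# x86_64: keeps the legacy entries, which is why the same rule loads there.
KNOWN_SYSCALLS = {
    "aarch64": {"openat", "open_by_handle_at", "truncate", "ftruncate"},
    "x86_64": {"open", "creat", "truncate", "ftruncate", "openat", "open_by_handle_at"},
}

# On an arm64 host '-F arch=b64' resolves to the aarch64 table, as the error
# message on this page shows; on an x86 host it resolves to x86_64.
ARCH_FOR_B64 = {"arm64": "aarch64", "x86": "x86_64"}


def port_rule(rule: str, host: str = "arm64"):
    """Drop syscalls the host's 64-bit table lacks from an auditctl-style rule.

    Returns (ported_rule, dropped_syscalls). Raises if nothing would be left,
    since a rule with an empty -S list is not a valid audit rule.
    """
    tokens = rule.split()
    if "-S" not in tokens or not any(re.fullmatch(r"arch=b64", t) for t in tokens):
        return rule, []  # only 64-bit syscall rules are handled here (assumption)
    arch = ARCH_FOR_B64[host]
    idx = tokens.index("-S") + 1
    wanted = tokens[idx].split(",")
    kept = [s for s in wanted if s in KNOWN_SYSCALLS[arch]]
    dropped = [s for s in wanted if s not in KNOWN_SYSCALLS[arch]]
    if not kept:
        raise ValueError(f"no syscall in {wanted} exists on {arch}")
    tokens[idx] = ",".join(kept)
    return " ".join(tokens), dropped


if __name__ == "__main__":
    # The two rules from the post; on aarch64 only the open/creat entries go,
    # and coverage is unchanged because open()/creat() already hit openat there.
    for code in ("-EACCES", "-EPERM"):
        rule = ("-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,"
                f"openat,open_by_handle_at -F exit={code} -k access")
        ported, dropped = port_rule(rule, host="arm64")
        print(f"dropped {dropped}:\n  {ported}")
```

Run it to get the two aarch64-compatible rules to paste into `audit_rules` in auditbeat.yml; on an x86 host the same call returns the rules unchanged.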
