I've noticed auditbeat spamming (sometimes ~10/sec) the log with following messages:
Jul 30 00:04:44 HOSTNAME auditbeat[2327385]: {"log.level":"warn","@timestamp":"2023-07-30T00:04:44.668+0200","log.logger":"process","log.origin":{"file.name":"process/process.go","file.line":289},"message":"failed to get namespaces for /usr/bin/uniq PID 2155706: stat /proc/2155706/ns/mnt: no such file or directory","service.name":"auditbeat","ecs.version":"1.6.0"}
Jul 30 00:04:44 HOSTNAME auditbeat[2327385]: {"log.level":"warn","@timestamp":"2023-07-30T00:04:44.668+0200","log.logger":"process","log.origin":{"file.name":"process/process.go","file.line":289},"message":"failed to get namespaces for /usr/bin/apt-get PID 2155701: stat /proc/2155701/ns/mnt: no such file or directory","service.name":"auditbeat","ecs.version":"1.6.0"}
Jul 30 00:05:01 HOSTNAME auditbeat[2327385]: {"log.level":"warn","@timestamp":"2023-07-30T00:05:01.668+0200","log.logger":"process","log.origin":{"file.name":"process/process.go","file.line":289},"message":"failed to get namespaces for /usr/bin/smbclient PID 2156317: stat /proc/2156317/ns/mnt: no such file or directory","service.name":"auditbeat","ecs.version":"1.6.0"}
My first thought was that this could be a race condition. Auditbeat tries to capture information about a process that no longer exists.
With many short-running processes, however, the log is inevitably cluttered.
(Thinking of chained calls to grep, cut, awk etc calls in scripts, which are indeed shortlived)
I have now set logging.loglevel: error for auditbeat, but think that this can only be a workaround.
How do you deal with this? Is there a way to suppress these warnings?