Exiting: 1 error: failed to create audit client: failed to get audit status: operation not permitted

Hello World!

I'm trying to Run Auditbeat on Docker (Auditbeat Reference [7.17], Elastic), yet running into the following issue:

# docker compose logs --tail 1
auditbeat  | Exiting: 1 error: failed to create audit client: failed to get audit status: operation not permitted
#

The capabilities:

# docker inspect --format='{{.HostConfig.CapAdd}}' auditbeat
[AUDIT_CONTROL AUDIT_READ]
# docker inspect --format='{{.HostConfig.CapDrop}}' auditbeat
[]
# 

Please advise.
Thank you in advance!

In the Special Requirements section it mentions needing the host pid namespace. Are you using that?

@andrewkroh thank you, that was it! I missed that part somehow... sowwy ;p
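
The check this thread arrived at, as an added example that is not part of the original posts or of Elastic's documentation: it takes the strings printed by `docker inspect --format='{{.HostConfig.PidMode}}'` and `docker inspect --format='{{.HostConfig.CapAdd}}'` and reports which of the two audit prerequisites (host pid namespace, AUDIT_CONTROL and AUDIT_READ) is missing. The function names are hypothetical, and tolerating a `CAP_` prefix or `ALL` in the capability list is an assumption about how the container may have been started.

```shell
#!/bin/sh
# Added example (not from the thread): verify the container settings the
# audit client needs before starting Auditbeat.
# Inputs are the strings printed by:
#   docker inspect --format='{{.HostConfig.PidMode}}' auditbeat
#   docker inspect --format='{{.HostConfig.CapAdd}}'  auditbeat

# has_cap LIST NAME -> 0 if NAME (with or without a CAP_ prefix) or ALL is in LIST
has_cap() {
    # Strip the [ ] that the Go template prints around the slice.
    list=$(printf '%s' "$1" | tr -d '[]')
    for c in $list; do
        c=${c#CAP_}
        if [ "$c" = "$2" ] || [ "$c" = "ALL" ]; then
            return 0
        fi
    done
    return 1
}

# audit_prereqs PIDMODE CAPADD -> prints one line per missing setting and
# returns 0 only when nothing is missing.
audit_prereqs() {
    missing=0
    if [ "$1" != "host" ]; then
        echo "pid namespace is '$1', expected 'host' (--pid=host, or pid: host in compose)"
        missing=1
    fi
    for cap in AUDIT_CONTROL AUDIT_READ; do
        if ! has_cap "$2" "$cap"; then
            echo "missing capability $cap (--cap-add=$cap)"
            missing=1
        fi
    done
    return $missing
}

# Typical use against the container from the question:
#   audit_prereqs \
#     "$(docker inspect --format='{{.HostConfig.PidMode}}' auditbeat)" \
#     "$(docker inspect --format='{{.HostConfig.CapAdd}}' auditbeat)"
```

With the capability list shown in the question and an empty PidMode (a constructed value for a container started without the host pid namespace), only the pid namespace line is reported.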
