Exiting: 1 error: failed to create audit client: failed to get audit status: operation not permitted

alexus · July 13, 2022, 9:04pm

Hello World!

I'm trying to Run Auditbeat on Docker | Auditbeat Reference [7.17] | Elastic, yet running into following issue:

# docker compose logs --tail 1
auditbeat  | Exiting: 1 error: failed to create audit client: failed to get audit status: operation not permitted
#

the capabilities:

# docker inspect --format='{{.HostConfig.CapAdd}}' auditbeat
[AUDIT_CONTROL AUDIT_READ]
# docker inspect --format='{{.HostConfig.CapDrop}}' auditbeat
[]
#

Please advise.
Thank you in advance!

andrewkroh · July 14, 2022, 8:26pm

In the Special Requirements section it mentions needing the host pid namespace. Are you using that?

alexus · July 15, 2022, 3:07am

@andrewkroh thank you, that was it! i missed that part somehow... sowwy ;p

system · August 12, 2022, 5:08am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Auditbeat failed to create audit client & failed to get audit status: operation not permitted Beats auditbeat	5	2652	May 28, 2020
Unable to start auditbeat daemon process Beats auditbeat	3	732	November 4, 2022
Unable to start Auditbeat on Proxmox Container Beats auditbeat	2	435	June 19, 2023
Unable to monitor the host machine via Auditbeat Docker Beats docker , auditbeat	1	405	November 28, 2019
Unable to start auditbeat on docker Beats auditbeat	10	3593	November 4, 2022

Exiting: 1 error: failed to create audit client: failed to get audit status: operation not permitted

Related topics