Failed to get audit status before adding rules

martin.ellis · June 29, 2020, 5:42am

When I start auditbeat I get this error message

2020-06-29T14:49:06.560+1000    ERROR   [auditd]        auditd/audit_linux.go:148       Failure adding audit rules      {"error": "failed to get audit status before adding rules: operation not permitted", "errorVerbose": "operation not permitted\nfailed to get audit status before adding rules\ngithub.com/elastic/beats/v7/auditbeat/module/auditd.(*MetricSet).addRules\n\t/go/src/github.com/elastic/beats/auditbeat/module/auditd/audit_linux.go:230\ngithub.com/elastic/beats/v7/auditbeat/module/auditd.(*MetricSet).Run\n\t/go/src/github.com/elastic/beats/auditbeat/module/auditd/audit_linux.go:146\ngithub.com/elastic/beats/v7/metricbeat/mb/module.(*metricSetWrapper).run\n\t/go/src/github.com/elastic/beats/metricbeat/mb/module/wrapper.go:203\ngithub.com/elastic/beats/v7/metricbeat/mb/module.(*Wrapper).Start.func1\n\t/go/src/github.com/elastic/beats/metricbeat/mb/module/wrapper.go:147\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1357"}

I am unsure what it means or if my rules have loaded properly. I can see much in the Kibana dashboards.

I am running auditbeat 7.8.0 on Ububu 18.04

What other information should I supply?

martin.ellis · June 29, 2020, 7:37am

Oh the host this is running on is an LXC container

system · July 27, 2020, 9:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Auditbeat permission Error Beats auditbeat	4	1021	January 27, 2020
Auditbeat failed to create audit client & failed to get audit status: operation not permitted Beats auditbeat	5	2652	May 28, 2020
Unable to start Auditbeat on LXC container Beats auditbeat	9	3951	November 4, 2022
Auditbeat getsockopt: connection refused Beats auditbeat	5	653	June 26, 2019
I am unable to Start Auditbeat service Beats auditbeat	20	762	January 6, 2021

Failed to get audit status before adding rules

Related topics