Startup error in auditbeat

Hi All,

I'm getting the below startup error with the auditbeat tar package installation.

2018-10-01T00:00:12.242-0700 ERROR instance/beat.go:743 Exiting: 1 error: 1 error: failed to unpack the auditd config: 1 error: failed loading rules: 1 error: at /u01/auditbeat/auditbeat-6.4.1-linux-x86_64/audit.rules.d/sample-rules-linux-32bit.conf:5: failed to interpret rule '-a always,exit -F arch=b32 -S accept,bind,connect -F key=external-access': failed to add syscall 'accept': unknown syscall 'accept' for arch i386 accessing 'auditbeat.modules.0' (source:'auditbeat.yml')
Exiting: 1 error: 1 error: failed to unpack the auditd config: 1 error: failed loading rules: 1 error: at /u01/auditbeat/auditbeat-6.4.1-linux-x86_64/audit.rules.d/sample-rules-linux-32bit.conf:5: failed to interpret rule '-a always,exit -F arch=b32 -S accept,bind,connect -F key=external-access': failed to add syscall 'accept': unknown syscall 'accept' for arch i386 accessing 'auditbeat.modules.0' (source:'auditbeat.yml')

Please find below version details.

System OS: Centos 6.5
Auditbeat version: 6.4.1
kernel_version: 2.6.32-431.el6.x86_64

Please suggest how to debug/fix this.

Thanks in advance!

Hi,

There is an error in the sample rules shipped with Auditbeat 6.4.

You need to edit the audit.rules.d/sample-rules-linux-32bit.conf file and replace accept with accept4 at line 4.

Same change as in here:
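As an added illustration (not code from the original reply, Auditbeat or auditd), the checker below parses audit rule lines of the form `-a always,exit -F arch=... -S ... -F key=...` and resolves each syscall name against a per-arch table, so a rules file can be validated before Auditbeat tries to load it. The syscall table is an assumption: a small constructed subset of the x86 tables, enough to show why `accept` is rejected for `arch=b32` while `accept4` is accepted.

```python
import shlex

# Constructed partial syscall tables (assumption: a small subset of the Linux
# x86 syscall tables used only for illustration, not a complete list).
# On i386 the classic socket calls were multiplexed through socketcall, so there
# is no standalone 'accept' entry; accept4 does have its own number.
SYSCALLS = {
    "b64": {"connect": 42, "accept": 43, "bind": 49, "accept4": 288},
    "b32": {"socketcall": 102, "bind": 361, "connect": 362, "accept4": 364},
}


def parse_rule(line):
    """Return (arch, [syscalls], key) for one '-a always,exit ...' audit rule."""
    tokens = shlex.split(line)
    arch, syscalls, key = None, [], None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-F" and i + 1 < len(tokens):
            field, _, value = tokens[i + 1].partition("=")
            if field == "arch":
                arch = value
            elif field == "key":
                key = value
            i += 2
        elif tok == "-S" and i + 1 < len(tokens):
            # -S takes a comma-separated list of syscall names
            syscalls.extend(tokens[i + 1].split(","))
            i += 2
        else:
            i += 1
    return arch, syscalls, key


def check_rule(line):
    """Return a list of problems for one rule line; empty list means it resolves."""
    arch, syscalls, _ = parse_rule(line)
    if arch not in SYSCALLS:
        return [f"unsupported or missing arch '{arch}'"]
    table = SYSCALLS[arch]
    return [f"unknown syscall '{s}' for arch {arch}" for s in syscalls if s not in table]


def check_rules_file(text):
    """Check every non-comment '-a' rule line; return {lineno: [problems]}."""
    problems = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or not stripped.startswith("-a"):
            continue
        found = check_rule(stripped)
        if found:
            problems[lineno] = found
    return problems


# Constructed samples mirroring the shipped 32-bit rule before and after the fix.
BROKEN = "-a always,exit -F arch=b32 -S accept,bind,connect -F key=external-access"
FIXED = "-a always,exit -F arch=b32 -S accept4,bind,connect -F key=external-access"

if __name__ == "__main__":
    for rule in (BROKEN, FIXED):
        print(rule, "->", check_rule(rule) or "ok")
```

Running the checker over the shipped file before restarting Auditbeat turns the opaque startup failure into a per-line report; the same `accept` name resolves fine under `arch=b64`, which is why only the 32-bit sample file is affected.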

Actually, I removed this audit.rules.d/sample-rules-linux-32bit.conf file and started auditbeat.
Now it is working fine.
