Unable to start Auditbeat on Proxmox Container

tli · May 19, 2023, 7:37pm

Hi,

I tried to install auditbeat on Proxmox Container (Ubuntu)
It failed with following msg written to the log


2023-05-19T15:03:04.117-0400    INFO    instance/beat.go:309    Setup Beat: auditbeat; Version: 7.15.0
2023-05-19T15:03:04.117-0400    INFO    [publisher]     pipeline/module.go:113  Beat name: <xxxxx>
2023-05-19T15:03:04.119-0400    INFO    [auditd]        auditd/audit_linux.go:107       auditd module is running as euid=0 on kernel=5.4.203-1-pve
2023-05-19T15:03:04.119-0400    INFO    instance/beat.go:442    auditbeat stopped.
2023-05-19T15:03:04.120-0400    ERROR   instance/beat.go:989    Exiting: 1 error: failed to create audit client: failed to get audit status: operation not permitted

Any suggestions would be appreciated.

Thanks

andrewkroh · May 22, 2023, 4:36pm

If you are running within a container then you likely need to give the container some additional capabilities that are normally restricted if you are using Docker and the like.