Sidecar auditbeat default config fails on ARM (Ubuntu 24.10)
I tested the default sidecar auditbeat configuration (auditbeat-linux-default) on Ubuntu 24.10 64-bit ARM (ARMv8/AArch64) desktop image and found that it fails with this error message in the auditbeat log:
```
Exiting: 1 error: failed to unpack the auditd config: 1 error: failed loading rules: 2 errors: at (audit_rules at auditbeat.yml):25: failed to interpret rule '-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access': failed to add syscall 'open': unknown syscall 'open' for arch aarch64; at (audit_rules at auditbeat.yml):26: failed to interpret rule '-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access': failed to add syscall 'open': unknown syscall 'open' for arch aarch64 accessing 'auditbeat.modules.0' (source:'/var/lib/graylog-sidecar/generated/674f3395440f6d6ae5bcab35/auditbeat.conf')
```
Looks like this part of the config is causing the error:
```
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
```
Your Environment
- Graylog Version: Graylog 6.2.0-SNAPSHOT
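The failure above is a syscall-table mismatch, not a syntax error: aarch64 uses the kernel's asm-generic syscall table, which never had the legacy `open` and `creat` entries (only the `*at` forms such as `openat`), so auditbeat's rule loader rejects any `-S` list that names them, even with `arch=b64`. The script below is an added example, not code from the issue or from Graylog/Auditbeat, that rewrites the two reported rules for a target architecture by dropping the syscalls unknown there and discarding a rule if nothing auditable is left. The per-architecture syscall sets are a small hand-written subset sufficient for these rules (an assumption, not the full kernel tables); on a real host the authoritative check is `ausyscall <arch> <name>` from the audit package, which exits non-zero for an unknown syscall just as the loader does.

```python
"""Adapt x86_64-flavoured auditd rules to another architecture's syscall table.

Added example for the sidecar auditbeat ARM issue; not part of Graylog,
Auditbeat or the audit userspace. KNOWN_SYSCALLS is a constructed subset
of the kernel tables covering the rules in the issue; `ausyscall` is the
authoritative source on a live system.
"""
from __future__ import annotations

import shlex

# Constructed subset of the kernel syscall tables (assumption: not exhaustive).
# aarch64 follows asm-generic/unistd.h, which has no legacy open/creat.
KNOWN_SYSCALLS: dict[str, set[str]] = {
    "x86_64": {"open", "creat", "truncate", "ftruncate", "openat",
               "openat2", "open_by_handle_at"},
    "aarch64": {"truncate", "ftruncate", "openat", "openat2",
                "open_by_handle_at"},
}

SYSCALL_FLAG = "-S"

# The two rules quoted in the issue's error message (copied, not invented).
ISSUE_RULES = """\
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
"""


def syscalls_in(rule: str) -> list[str]:
    """Return every syscall named after a -S flag, in order."""
    tokens = shlex.split(rule)
    names: list[str] = []
    for i, tok in enumerate(tokens[:-1]):
        if tok == SYSCALL_FLAG:
            names.extend(tokens[i + 1].split(","))
    return names


def unsupported_syscalls(rule: str, arch: str) -> list[str]:
    """Syscalls in the rule that the loader would reject on `arch`."""
    known = KNOWN_SYSCALLS[arch]
    return [s for s in syscalls_in(rule) if s not in known]


def adapt_rule(rule: str, arch: str) -> str | None:
    """Rewrite one rule for `arch`, dropping unknown syscalls from each -S list.

    Returns None when a -S list would become empty: such a rule audits
    nothing and must be removed rather than emitted with a bare -S.
    """
    tokens = shlex.split(rule)
    known = KNOWN_SYSCALLS[arch]
    out: list[str] = []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == SYSCALL_FLAG and i + 1 < len(tokens):
            keep = [s for s in tokens[i + 1].split(",") if s in known]
            if not keep:
                return None
            out += [tok, ",".join(keep)]
            i += 2
            continue
        out.append(tok)
        i += 1
    return " ".join(out)


def adapt_rules(rules_text: str, arch: str) -> list[str]:
    """Adapt a whole audit_rules block, skipping blanks and comments."""
    adapted: list[str] = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        new = adapt_rule(line, arch)
        if new is not None:
            adapted.append(new)
    return adapted


if __name__ == "__main__":
    for arch in ("x86_64", "aarch64"):
        print(f"# {arch}")
        for rule in adapt_rules(ISSUE_RULES, arch):
            print(rule)
```

Running it prints the original rules for x86_64 and, for aarch64, the same rules with `open,creat` removed from each `-S` list; that rewritten form is what an architecture-aware default tag would have to ship, since a single `audit_rules` block cannot name `open` on ARM64 at all.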
I think we should reconsider applying the Auditbeat configuration using the default tag. There could be multiple issues related to this.
- Syscalls change across kernel versions and architectures (the problem you're describing here)
- Some systems may run AuditD by default (Redhat, maybe others)