Hi there,
We are getting many Ubuntu assets with the following error:
What is actually wrong?
Thanks in advance
Typically this is because auditd is running, and compatibility mode is not configured.
If you see this documentation InsightIDR - auditd Compatibility Mode for Linux Assets | Insight Agent Documentation
It outlines our configuration for compatibility mode.
Alternatively you can choose to disable auditd, and the Insight Agent will control the netlink socket and audit/consume the necessary events.
David
What are some of the event the agent will report if auditd is disabled
No, the auditd is running and compatibility mode is configured.
Support do not help me, just ignores me.
What is the support case I will take a look
08249045
and a couple more that just died.
Thanks!
I think I need to open a support case as well. This is happening quite frequently for our systems.
no solution yet from my side, still fighting against them to have this solved.
We have the same issue on some of our agents. Any updates?
Hi @nreal this typically requires that you setup the auditd configuration as per our docs here InsightIDR - auditd Compatibility Mode for Linux Assets | Insight Agent Documentation
Have you followed these steps?
David
This do not work for Oracle Linux… still with the problem, cannot monitor anything
Yes we followed the config as per your docs.
We had an issue where the auditd installation where our linux OS that we were running was missing key auditd components that were required for the configuration. Once this was resolved all errors went away.