Description

Some users have reported problems with Filebeat after installing wazuh related to SIGABRT.
The error it throws is "filebeat[21584]: SIGABRT: abort"
Until now, the error could only be reproduced on systems that have GLIBC v2.35 installed.

After an analysis it was found that the way to solve it is to add the following to the Filebeat template:

seccomp:
  default_action: allow
  syscalls:
  - action: allow
    names:
    - rseq

Tests were performed on all recommended systems and a few more. The tests consisted of trying to reproduce the error and then applying the changes to the Filebeat template. Then check, if the error could be reproduced, it is not generated anymore; and if it couldn't be reproduced, that these changes don't have any other unwanted impact on Filebeat.

Logs example

filebeat[21584]: runtime/cgo: pthread_create failed: Operation not permitted
filebeat[21584]: SIGABRT: abort
filebeat[21584]: PC=0x7f036b9eaa7c m=7 sigcode=18446744073709551610

Tests

Summary of tests:
wazuh/wazuh-packages#1665 (comment)

System test:
wazuh/wazuh-packages#1665 (comment)
wazuh/wazuh-packages#1665 (comment)
wazuh/wazuh-packages#1665 (comment)
wazuh/wazuh-packages#1665 (comment)
wazuh/wazuh-packages#1665 (comment)