The artifacts page is here: https://github.com/osquery/osquery/actions/runs/1814621224

linux_unsigned_release_rpm

Alternatively: you can disable BPF from your current installation

Unsure where I am to get the rpm?

If they are not visible, you probably have to log into your GitHub account

Same result; Feb 17 15:01:28 so osqueryd: osqueryd started [version=5.2.2-4-g9f7dcb4ee] Feb 17 15:01:30 so osqueryd: terminating with uncaught exception of type std::runtime_error: Failed to create the perf event array: Failed to create the map Feb 17 15:01:32 so osqueryd: W0217 15:01:32.013586 23935 watcher.cpp:601] osqueryd worker respawning too quickly: 1 times Feb 17 15:01:40 so osqueryd: terminating with uncaught exception of type std::runtime_error: Failed to create the perf event array: Failed to create the map Feb 17 15:01:42 so osqueryd: W0217 15:01:42.018976 23935 watcher.cpp:601] osqueryd worker respawning too quickly: 2 times Feb 17 15:01:51 so osqueryd: terminating with uncaught exception of type std::runtime_error: Failed to create the perf event array: Failed to create the map Feb 17 15:01:54 so osqueryd: W0217 15:01:54.022825 23935 watcher.cpp:601] osqueryd worker respawning too quickly: 3 times Feb 17 15:02:08 so osqueryd: terminating with uncaught exception of type std::runtime_error: Failed to create the perf event array: Failed to create the map Feb 17 15:02:10 so osqueryd: W0217 15:02:10.026259 23935 watcher.cpp:601] osqueryd worker respawning too quickly: 4 times Feb 17 15:02:31 so osqueryd: terminating with uncaught exception of type std::runtime_error: Failed to create the perf event array: Failed to create the map Feb 17 15:02:34 so osqueryd: Too many worker restarts Feb 17 15:02:34 so osqueryd: E0217 15:02:34.030128 23935 shutdown.cpp:79] Too many worker restarts

😕

There's also a chance that the memory settings are too high

There's also a small note about VMware Fusion, if that's the hypervisor being used

I am using proxmox here at home.

How many possible CPUs are reported?

cat /sys/devices/system/cpu/possible

And, do they match the number of CPUs that are currently online?

cat /sys/devices/system/cpu/online

i've not made specific references to either bpf_perf_event_array_exp or bpf_buffer_storage_size in the flags file (on any of my hosts).

i.e. these options are not set and i presume defaults when --enable_bpf_events=true is passed

I got the following now: Feb 17 15:43:18 so osqueryd: osqueryd started [version=5.2.2-4-g9f7dcb4ee] Feb 17 15:43:41 so kernel: Could not insert probe at sys_execveat+0: -2 But no shutdown message so far.

I also got these: Feb 17 15:43:43 so osqueryd: I0217 15:43:43.824308 17125 eventfactory.cpp:156] Event publisher not enabled: auditeventpublisher: Publisher disabled via configuration Feb 17 15:43:43 so osqueryd: I0217 15:43:43.827373 17125 eventfactory.cpp:156] Event publisher not enabled: inotify: Publisher disabled via configuration Feb 17 15:43:43 so osqueryd: I0217 15:43:43.827664 17125 eventfactory.cpp:156] Event publisher not enabled: syslog: Publisher disabled via configuration

Yep. I can query the table via fleetdm.

"the table" == bpf_process_events

Thanks for your help! Wonder where I can find out how to have SELinux enabled as well as a functioning osqueryd+ebpf.

it will log the errors in the auditd.log file under /var/log

the SELinux tools can then scan it to create the rules required to fix it

$ cat osqueryd_unconfined_service.te module osqueryd_unconfined_service 1.0; require { type unconfined_service_t; class bpf { map_create map_read map_write prog_load prog_run }; } #============= unconfined_service_t ============== allow unconfined_service_t self:bpf { map_create map_read map_write prog_load prog_run };

appears to be enough 🙂