Is here a minimum supported OS version for I am ru...
# ebpfa
aby
02/02/2021, 10:18 PMIs here a minimum supported OS version for I am running into issues with
4.4.0-142-genericUbuntu 16.04.7 LTS Copy code
p:/home/superlog# osqueryi --verbose --disable_events=false --enable_bpf_events=true --events_expiry=1
I0202 16:22:35.706341 687 init.cpp:340] osquery initialized [version=4.6.0]
I0202 16:22:35.706419 687 extensions.cpp:453] Could not autoload extensions: Cannot open file for reading: /etc/osquery/extensions.load
I0202 16:22:35.706588 687 dispatcher.cpp:78] Adding new service: ExtensionWatcher (0x564027c14d58) to thread: 139977553381120 (0x564027c151e0) in process 687
I0202 16:22:35.706670 687 dispatcher.cpp:78] Adding new service: ExtensionRunnerCore (0x564027c1bbf8) to thread: 139977544988416 (0x564027c1be40) in process 687
I0202 16:22:35.706717 687 auto_constructed_tables.cpp:97] Removing stale ATC entries
I0202 16:22:35.706832 691 interface.cpp:270] Extension manager service starting: /root/.osquery/shell.em
terminating with uncaught exception of type tob::StringError
Aborted (core dumped)z
zwass
02/02/2021, 10:18 PM
Yeah you need 4.6.0
a
aby
02/02/2021, 10:19 PM Copy code
osqueryd --version
osqueryd version 4.6.0z
zwass
02/02/2021, 10:20 PM
Ah sorry thought you meant osquery 4.4.0
zwass
02/02/2021, 10:20 PM
@alessandrogario wonder if this is familiar to you?
a
alessandrogario
02/02/2021, 10:21 PM
nooo @ the uncaught exception! I have to fix it! thanks for bringing this up!
👍 1
alessandrogario
02/02/2021, 10:21 PM
BPF requires at least kernel 4.18 to work correctly
alessandrogario
02/02/2021, 10:24 PM
We use certain BPF map features that require something around ~4.10 but then we also capture cgroup information which raise the kernel requirements to 4.18
alessandrogario
02/02/2021, 10:25 PM
this should be roughly CentOS 8, and Ubuntu 18.10
a
aby
02/02/2021, 10:32 PM@alessandrogario my kernel version is
4.4.0-142-generic2 Views