IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Common problems Auditbeat uses too much bandwidth »
Elastic Docs Auditbeat Reference [8.15] Troubleshoot Common problems

Auditbeat fails to watch folders because too many files are open

edit

Auditbeat fails to watch folders because too many files are open

edit

Because of the way file monitoring is implemented on macOS, you may see a warning similar to the following:

eventreader_fsnotify.go:42: WARN [audit.file] Failed to watch /usr/bin: too many
open files (check the max number of open files allowed with 'ulimit -a')

To resolve this issue, run Auditbeat with the ulimit set to a larger value, for example:

sudo sh -c 'ulimit -n 8192 && ./Auditbeat -e

Or:

sudo su
ulimit -n 8192
./auditbeat -e
« Common problems Auditbeat uses too much bandwidth »