This documentation contains work-in-progress information for future Elastic Stack and Cloud releases. Use the version selector to view supported release docs. It also contains some Elastic Cloud serverless information. Check out our serverless docs for more details.
Auditbeat fails to watch folders because too many files are open
editAuditbeat fails to watch folders because too many files are open
editBecause of the way file monitoring is implemented on macOS, you may see a warning similar to the following:
eventreader_fsnotify.go:42: WARN [audit.file] Failed to watch /usr/bin: too many open files (check the max number of open files allowed with 'ulimit -a')
To resolve this issue, run Auditbeat with the ulimit set to a larger
value, for example:
sudo sh -c 'ulimit -n 8192 && ./Auditbeat -e
Or:
sudo su ulimit -n 8192 ./auditbeat -e