
sysmon.service Failed with result #101

Closed
P4T12ICK opened this issue Mar 14, 2023 · 14 comments

Comments

@P4T12ICK

Hi guys,
with the latest release we get the following error:

root@ip-10-0-1-21:~# sysmon -accepteula -i /tmp/SysMonLinux-CatchAll.xml

Sysmon v1.1.0 - Monitors system events
Sysinternals - www.sysinternals.com
By Mark Russinovich, Thomas Garnier and Kevin Sheldrake
Copyright (C) 2014-2023 Microsoft Corporation
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.

Loading configuration file with schema version 4.70
Sysmon schema version: 4.81
Configuration file validated.
Created symlink /etc/systemd/system/multi-user.target.wants/sysmon.service → /etc/systemd/system/sysmon.service.
Job for sysmon.service failed because the control process exited with error code.
See "systemctl status sysmon.service" and "journalctl -xe" for details.
root@ip-10-0-1-21:~# systemctl status sysmon.service
● sysmon.service - Sysmon event logger
   Loaded: loaded (/etc/systemd/system/sysmon.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2023-03-14 11:53:59 UTC; 7s ago
  Process: 8817 ExecStart=/opt/sysmon/sysmon -i /opt/sysmon/config.xml -service (code=exited, status=12)

Mar 14 11:53:57 ip-10-0-1-21 sysmon[8817]: 369: (bf) r0 = r9
Mar 14 11:53:57 ip-10-0-1-21 sysmon[8817]: ; size = (size - dlen2) & (PATH_MAX - 1);  // ditto above message a
Mar 14 11:53:57 ip-10-0-1-21 sysmon[8817]: 370: (57) r7 &= 4095
Mar 14 11:53:57 ip-10-0-1-21 sysmon[8817]: ; newdentry = BPF_CORE_READ((struct mount *)mnt, mnt_mountpoint);
Mar 14 11:53:57 ip-10-0-1-21 sysmon[8817]: 371: (79) r9 = *(u64 *)(r10 -24)
Mar 14 11:53:57 ip-10-0-1-21 sysmon[8817]: ; mnt = container_of(vfsmount, struct mount, mnt);
Mar 14 11:53:57 ip-10-0-1-21 sysmon[8817]: 372: (7b) *(u64 *)(r10 -72) = r8
Mar 14 11:53:59 ip-10-0-1-21 systemd[1]: sysmon.service: Control process exited, code=exited status=12
Mar 14 11:53:59 ip-10-0-1-21 systemd[1]: sysmon.service: Failed with result 'exit-code'.
Mar 14 11:53:59 ip-10-0-1-21 systemd[1]: Failed to start Sysmon event logger.

Before it was working fine for our project Attack Range:
https://github.com/splunk/attack_range

The installation is automated through Ansible and the server is an AWS EC2 Ubuntu 18.04 amd64 instance:
https://github.com/splunk/attack_range/blob/develop/packer/ansible/roles/sysmon_linux/tasks/install_sysmon_linux.yml

Thank you for your help.

@MarioHewardt
Collaborator

Can you add the -t switch and paste a more complete log from "journalctl -xe"?

Also, is this file present on the system? /sys/kernel/btf/vmlinux

@YspelderDo01

YspelderDo01 commented Mar 16, 2023

We have the same issue on an OL8 with kernel: 5.4.17-2136.316.7.el8uek.x86_64

Mar 16 14:52:48 xxx sysmon[224471]: last_idx 664 first_idx 691
Mar 16 14:52:48 xxx sysmon[224471]: regs=2 stack=0 before 663: (bf) r2 = r3
Mar 16 14:52:48 xxx sysmon[224471]: regs=2 stack=0 before 662: (79) r3 = *(u64 *)(r10 -80)
Mar 16 14:52:48 xxx sysmon[224471]: regs=2 stack=0 before 661: (57) r1 &= 4095
Mar 16 14:52:48 xxx sysmon[224471]: regs=2 stack=0 before 660: (bf) r1 = r5
Mar 16 14:52:48 xxx sysmon[224471]: regs=20 stack=0 before 659: (57) r5 &= 4095
Mar 16 14:52:48 xxx sysmon[224471]: regs=20 stack=0 before 658: (1f) r5 -= r4
Mar 16 14:52:48 xxx systemd[1]: sysmon.service: Control process exited, code=exited status=12
Mar 16 14:52:49 xxx systemd[1]: sysmon.service: Failed with result 'exit-code'.
Mar 16 14:52:49 xxx systemd[1]: Failed to start Sysmon event logger.

vmlinux is present

[root@xxx]# ll /sys/kernel/btf/vmlinux
-r--r--r--. 1 root root 4207148 Mar 15 15:41 /sys/kernel/btf/vmlinux

When running manually I see this error:

-- END PROG LOAD LOG --
libbpf: prog 'ProcCreateRawExit': failed to load: -22
libbpf: failed to load object './/sysmonEBPFkern5.3-5.5_core.o'
ERROR: failed to load prog: 'Invalid argument'
Telemetry failed to start: eBPF object could not be loaded

@MarioHewardt
Collaborator

@YspelderDo01 - I reproduced the issue and a fix will be pushed shortly.
@P4T12ICK - Can you paste a longer log please?

@MarioHewardt
Collaborator

@YspelderDo01 @P4T12ICK - Fix has now been merged. Please try it out and let me know. Thanks.

@YspelderDo01

@MarioHewardt Thank you very much.
The sysmon service is running now.
Tried also the sysmonUnitTests, but that still gives a failure:

[ RUN      ] Process.ProcessInfo
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:327: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
[  FAILED  ] Process.ProcessInfo (108 ms)
[ RUN      ] Process.GetProcess
/root/SysmonForLinux/test/linuxRules.cpp:429: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:429: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
/root/SysmonForLinux/test/linuxRules.cpp:429: Failure
Value of: processKeys[i] != processKeys[j]
  Actual: false
Expected: true
[  FAILED  ] Process.GetProcess (43 ms)

@MarioHewardt
Collaborator

Great, glad that worked. In re: to the UT failure, please file a separate issue.

@P4T12ICK
Author

@MarioHewardt /sys/kernel/btf/vmlinux exists. Here is the output of journalctl -xe:
root@ip-10-0-1-21:~# journalctl -xe

Mar 20 07:34:38 ip-10-0-1-21 sysmon[7937]: 444: (07) r6 += -1
Mar 20 07:34:38 ip-10-0-1-21 sysmon[7937]: 445: (67) r6 <<= 32
Mar 20 07:34:38 ip-10-0-1-21 sysmon[7937]: 446: (77) r6 >>= 32
Mar 20 07:34:38 ip-10-0-1-21 sysmon[7937]: 447: (25) if r6 > 0xffe goto pc+41
Mar 20 07:34:38 ip-10-0-1-21 sysmon[7937]:  R0_w=inv(id=0,umax_value=4095,var_off=(0x0; 0xfff)) R6_w=invP(id=0
Mar 20 07:34:38 ip-10-0-1-21 sysmon[7937]: 448: (bf) r1 = r0
Mar 20 07:34:39 ip-10-0-1-21 systemd-journald[422]: Forwarding to syslog missed 7 messages.
-- Subject: One or more messages could not be forwarded to syslog
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- One or more messages could not be forwarded to the syslog service
-- running side-by-side with journald. This usually indicates that the
-- syslog implementation has not been able to keep up with the speed of
-- messages queued.
Mar 20 07:34:39 ip-10-0-1-21 systemd[1]: sysmon.service: Control process exited, code=exited status=12
Mar 20 07:34:39 ip-10-0-1-21 systemd[1]: sysmon.service: Failed with result 'exit-code'.
Mar 20 07:34:39 ip-10-0-1-21 audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 msg='unit=sysm
Mar 20 07:34:39 ip-10-0-1-21 systemd[1]: Failed to start Sysmon event logger.
-- Subject: Unit sysmon.service has failed
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support
--
-- Unit sysmon.service has failed.
--
-- The result is RESULT.
Mar 20 07:34:41 ip-10-0-1-21 audit[8031]: SYSCALL arch=c000003e syscall=59 success=yes exit=0 a0=5579a2e53ac0
Mar 20 07:34:41 ip-10-0-1-21 audit: EXECVE argc=2 a0="journalctl" a1="-xe"
Mar 20 07:34:41 ip-10-0-1-21 audit: CWD cwd="/root"
Mar 20 07:34:41 ip-10-0-1-21 audit: PATH item=0 name="/bin/journalctl" inode=94 dev=103:01 mode=0100755 ouid=0
Mar 20 07:34:41 ip-10-0-1-21 audit: PATH item=1 name="/lib64/ld-linux-x86-64.so.2" inode=2238 dev=103:01 mode=
Mar 20 07:34:41 ip-10-0-1-21 audit: PROCTITLE proctitle=6A6F75726E616C63746C002D7865

Where do I need to add the -t switch?
Thank you for your help.

@MarioHewardt
Collaborator

@P4T12ICK Please run journalctl -n 200 and paste that log (I can't tell from the abbreviated output). Also add the -t switch to however you are starting Sysmon (e.g., sudo sysmon -t -i .

Also, can you post the sysmon schema you are using?

@P4T12ICK
Author

This is our sysmon config:
https://github.com/splunk/attack_range/blob/develop/configs/SysMonLinux-CatchAll.xml

Here is the output:

root@ip-10-0-1-21:~# sysmon -accepteula -t -i /tmp/SysMonLinux-CatchAll.xml

Sysmon v1.1.0 - Monitors system events
Sysinternals - www.sysinternals.com
By Mark Russinovich, Thomas Garnier and Kevin Sheldrake
Copyright (C) 2014-2023 Microsoft Corporation
Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.

Loading configuration file with schema version 4.70
Sysmon schema version: 4.81
Configuration file validated.
Job for sysmon.service failed because the control process exited with error code.
See "systemctl status sysmon.service" and "journalctl -xe" for details.
root@ip-10-0-1-21:~#
root@ip-10-0-1-21:~# journalctl -n 200
-- Logs begin at Fri 2023-03-24 15:53:03 UTC, end at Fri 2023-03-24 16:14:20 UTC. --
Mar 24 16:14:11 ip-10-0-1-21 sysmon[7694]: 449: (67) r1 <<= 32
Mar 24 16:14:11 ip-10-0-1-21 sysmon[7694]: 450: (c7) r1 s>>= 32
Mar 24 16:14:11 ip-10-0-1-21 sysmon[7694]: 451: (b7) r2 = 1
Mar 24 16:14:11 ip-10-0-1-21 sysmon[7694]: 452: (6d) if r2 s> r1 goto pc+36
Mar 24 16:14:11 ip-10-0-1-21 sysmon[7694]:  R0_w=inv(id=0,umax_value=4095,var_off=(0x0; 0xfff)) R1_w=inv(id=0,
Mar 24 16:14:11 ip-10-0-1-21 sysmon[7694]: 453: (b7) r7 = 0
Mar 24 16:14:11 ip-10-0-1-21 sysmon[7694]: 454: (79) r3 = *(u64 *)(r10 -64)
Mar 24 16:14:11 ip-10-0-1-21 sysmon[7694]: ; if (size > 0)
Mar 24 16:14:11 ip-10-0-1-21 sysmon[7694]: 455: (bf) r1 = r3
Mar 24 16:14:11 ip-10-0-1-21 sysmon[7694]: 456: (67) r1 <<= 32
Mar 24 16:14:11 ip-10-0-1-21 sysmon[7694]: 457: (77) r1 >>= 32
Mar 24 16:14:11 ip-10-0-1-21 sysmon[7694]: ; if (size > 0)
Mar 24 16:14:11 ip-10-0-1-21 sysmon[7694]: 458: (15) if r1 == 0x0 goto pc-118
Mar 24 16:14:11 ip-10-0-1-21 sysmon[7694]: ; size = (size + dlen2) & (PATH_MAX - 1);  // by restricting size t
Mar 24 16:14:11 ip-10-0-1-21 sysmon[7694]: 341: (bf) r6 = r7
Mar 24 16:14:11 ip-10-0-1-21 sysmon[7694]: 342: (0f) r6 += r0
Mar 24 16:14:11 ip-10-0-1-21 sysmon[7694]: ; size = (size + dlen2) & (PATH_MAX - 1);  // by restricting size t
Mar 24 16:14:11 ip-10-0-1-21 sysmon[7694]: 343: (bf) r4 = r6
Mar 24 16:14:11 ip-10-0-1-21 sysmon[7694]: 344: (57) r4 &= 4095
Mar 24 16:14:11 ip-10-0-1-21 sysmon[7694]: ; if (!newdentry || dentry == newdentry) {
Mar 24 16:14:11 ip-10-0-1-21 sysmon[7694]: 345: (15) if r9 == 0x0 goto pc+3
Mar 24 16:14:11 ip-10-0-1-21 sysmon[7694]:  R0_w=inv(id=0,umax_value=4095,var_off=(0x0; 0xfff)) R1_w=invP0 R2_
Mar 24 16:14:11 ip-10-0-1-21 sysmon[7694]: ; size = (size + dlen2) & (PATH_MAX - 1);  // by restricting size t
Mar 24 16:14:11 ip-10-0-1-21 sysmon[7694]: 346: (bf) r5 = r4
Mar 24 16:14:11 ip-10-0-1-21 sysmon[7694]: ; if (!newdentry || dentry == newdentry) {
Mar 24 16:14:11 ip-10-0-1-21 sysmon[7694]: 347: (79) r1 = *(u64 *)(r10 -56)
Mar 24 16:14:11 ip-10-0-1-21 sysmon[7694]: 348: (5d) if r1 != r9 goto pc+27
Mar 24 16:14:11 ip-10-0-1-21 sysmon[7694]:  R0_w=inv(id=0,umax_value=4095,var_off=(0x0; 0xfff)) R1_w=inv(id=0)
Mar 24 16:14:11 ip-10-0-1-21 sysmon[7694]: 349: (79) r3 = *(u64 *)(r10 -72)
Mar 24 16:14:11 ip-10-0-1-21 sysmon[7694]: 350: (7b) *(u64 *)(r10 -72) = r3
Mar 24 16:14:11 ip-10-0-1-21 sysmon[7694]: 351: (b7) r1 = 16

@MarioHewardt
Collaborator

Thanks. That still doesn't seem to be large enough. After running sysmon, scroll up the log until you see:

Mar 24 09:27:29 m-Virtual-Machine sysmon[169907]: Sysmon v0.0.0 - Monitors system events
Mar 24 09:27:29 m-Virtual-Machine sysmon[169907]: Sysinternals - www.sysinternals.com
Mar 24 09:27:29 m-Virtual-Machine sysmon[169907]: By Mark Russinovich, Thomas Garnier and Kevin Sheldrake
Mar 24 09:27:29 m-Virtual-Machine sysmon[169907]: Copyright (C) 2014-2023 Microsoft Corporation
Mar 24 09:27:29 m-Virtual-Machine sysmon[169907]: Licensed under MIT/GPLv2
Mar 24 09:27:29 m-Virtual-Machine sysmon[169907]: Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Mar 24 09:27:29 m-Virtual-Machine sysmon[169907]: Loading configuration file with schema version 4.81
Mar 24 09:27:29 m-Virtual-Machine sysmon[169907]: Configuration file validated.

Where the timestamps correspond to the start of sysmon and paste the log from that point forward.
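The two checks the maintainer asks for in this thread (whether /sys/kernel/btf/vmlinux exists, and the journal window starting at the Sysmon banner rather than the tail that "journalctl -xe" shows) can be scripted. The script below is an added example and is not part of the issue thread or of the Sysmon For Linux project; the hostnames, PIDs and journal lines in SAMPLE_JOURNAL are constructed for the demonstration, and the function names are my own. It extracts the log from the most recent Sysmon start onward and then filters out the libbpf lines that name the failing program, which is the detail worth reporting before the verifier's instruction dump.

```shell
#!/bin/sh
# Added example: gather what the maintainer asks for in this thread when
# sysmon.service fails to start. Not part of Sysmon For Linux; the sample
# journal text below is constructed, not captured from a real host.

# Sysmon's *_core.o objects are CO-RE eBPF and need kernel BTF. Returns 0
# when the BTF blob exists and is readable, 1 otherwise.
btf_available() {
    [ -r "${1:-/sys/kernel/btf/vmlinux}" ]
}

# Read journal text on stdin and print everything from the most recent
# Sysmon start banner onward. This is the window to paste into a report;
# "journalctl -xe" usually cuts it off before the banner.
sysmon_log_from_last_start() {
    awk '
        /sysmon\[[0-9]+\]: Sysmon v[0-9.]+ - Monitors system events/ { buf = ""; capturing = 1 }
        capturing { buf = buf $0 "\n" }
        END { printf "%s", buf }
    '
}

# Keep only the lines that name the failing eBPF program or object, so the
# cause is visible without reading the verifier's instruction dump.
libbpf_failures() {
    grep -E "libbpf: (prog '[^']+': failed to load|failed to load object)|Telemetry failed to start"
}

# On a live host: kernel version, BTF presence, unit status and the log
# window from the last Sysmon start. Tools are only invoked when present.
collect_diagnostics() {
    uname -r
    if btf_available; then echo "BTF: /sys/kernel/btf/vmlinux present"; else echo "BTF: missing"; fi
    if command -v systemctl >/dev/null 2>&1; then
        systemctl status sysmon.service --no-pager || true
    fi
    if command -v journalctl >/dev/null 2>&1; then
        journalctl -n 200 --no-pager | sysmon_log_from_last_start
    fi
}

# Constructed journal excerpt with two Sysmon starts; only the second one
# (pid 12345) is the run being diagnosed.
SAMPLE_JOURNAL=$(cat <<'EOF'
Mar 27 10:40:50 example-host sysmon[12000]: Sysmon v1.1.0 - Monitors system events
Mar 27 10:40:50 example-host sysmon[12000]: Configuration file validated.
Mar 27 10:40:54 example-host sysmon[12345]: Sysmon v1.1.0 - Monitors system events
Mar 27 10:40:54 example-host sysmon[12345]: Sysinternals - www.sysinternals.com
Mar 27 10:40:54 example-host sysmon[12345]: Found Kernel version: 5.4
Mar 27 10:40:54 example-host sysmon[12345]: Using EBPF object: .//sysmonEBPFkern5.3-5.5_core.o
Mar 27 10:40:54 example-host sysmon[12345]: libbpf: prog 'ProcCreateRawExit': failed to load: -22
Mar 27 10:40:54 example-host sysmon[12345]: libbpf: failed to load object './/sysmonEBPFkern5.3-5.5_core.o'
Mar 27 10:40:54 example-host sysmon[12345]: Telemetry failed to start: eBPF object could not be loaded
Mar 27 10:40:55 example-host systemd[1]: sysmon.service: Control process exited, code=exited status=12
EOF
)

# Usage on the constructed sample; on a real host run: collect_diagnostics
printf '%s\n' "$SAMPLE_JOURNAL" | sysmon_log_from_last_start | libbpf_failures
```

On a host where the service is failing, `collect_diagnostics` prints the kernel release, whether BTF is exposed, the unit status and the journal window from the last start; the three libbpf lines that survive `libbpf_failures` identify which program the verifier rejected (ProcCreateRawExit in the constructed sample, matching what YspelderDo01 saw) and are what to attach to a report.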

@P4T12ICK
Author

P4T12ICK commented Mar 27, 2023

Thank you for your patience. Here is the new log file:

Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: Sysmon v1.1.0 - Monitors system events
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: Sysinternals - www.sysinternals.com
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: By Mark Russinovich, Thomas Garnier and Kevin Sheldrake
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: Copyright (C) 2014-2023 Microsoft Corporation
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: Using libxml2. libxml2 is Copyright (C) 1998-2012 Daniel Veillard. All Rights Reserved.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: Loading configuration file with schema version 4.70
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: Sysmon schema version: 4.81
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: Configuration file validated.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: Loading configuration file with schema version 4.70
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: Sysmon schema version: 4.81
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: Configuration file validated.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: Found Kernel version: 5.4
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: Using EBPF object: .//sysmonEBPFkern5.3-5.5_core.o
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: loading .//sysmonEBPFkern5.3-5.5_core.o
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: elf: section(3) raw_tracepoint/sys_enter, size 936, link 0, flags 6, type=1
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: sec 'raw_tracepoint/sys_enter': found program 'genericRawEnter' at insn offset 0 (0 bytes), code size 117 insns (936 bytes)
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: elf: section(4) .relraw_tracepoint/sys_enter, size 48, link 32, flags 0, type=9
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: elf: section(5) raw_tracepoint/sys_exit, size 45448, link 0, flags 6, type=1
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: sec 'raw_tracepoint/sys_exit': found program 'CloseFDRawExit' at insn offset 5620 (44960 bytes), code size 61 insns (488 bytes)
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: sec 'raw_tracepoint/sys_exit': found program 'FileCreateRawExit' at insn offset 901 (7208 bytes), code size 736 insns (5888 bytes)
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: sec 'raw_tracepoint/sys_exit': found program 'FileDeleteAtCwdRawExit' at insn offset 3965 (31720 bytes), code size 724 insns (5792 bytes)
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: sec 'raw_tracepoint/sys_exit': found program 'FileDeleteAtRawExit' at insn offset 3182 (25456 bytes), code size 783 insns (6264 bytes)
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: sec 'raw_tracepoint/sys_exit': found program 'FileDeleteRawExit' at insn offset 2465 (19720 bytes), code size 717 insns (5736 bytes)
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: sec 'raw_tracepoint/sys_exit': found program 'FileOpenRawExit' at insn offset 1637 (13096 bytes), code size 828 insns (6624 bytes)
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: sec 'raw_tracepoint/sys_exit': found program 'ProcAccessedRawExit' at insn offset 4916 (39328 bytes), code size 435 insns (3480 bytes)
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: sec 'raw_tracepoint/sys_exit': found program 'ProcCreateRawExit' at insn offset 0 (0 bytes), code size 901 insns (7208 bytes)
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: sec 'raw_tracepoint/sys_exit': found program 'TCPacceptRawExit' at insn offset 4689 (37512 bytes), code size 227 insns (1816 bytes)
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: sec 'raw_tracepoint/sys_exit': found program 'UDPrecvRawExit' at insn offset 5351 (42808 bytes), code size 269 insns (2152 bytes)
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: elf: section(6) .relraw_tracepoint/sys_exit, size 1456, link 32, flags 0, type=9
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: elf: section(7) tracepoint/sched/sched_process_exit, size 1024, link 0, flags 6, type=1
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: sec 'tracepoint/sched/sched_process_exit': found program 'ProcTerminated' at insn offset 0 (0 bytes), code size 128 insns (1024 bytes)
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: elf: section(8) .reltracepoint/sched/sched_process_exit, size 96, link 32, flags 0, type=9
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: elf: section(9) tracepoint/sock/inet_sock_set_state, size 1544, link 0, flags 6, type=1
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: sec 'tracepoint/sock/inet_sock_set_state': found program 'TCPconnection' at insn offset 0 (0 bytes), code size 193 insns (1544 bytes)
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: elf: section(10) .reltracepoint/sock/inet_sock_set_state, size 96, link 32, flags 0, type=9
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: elf: section(11) tracepoint/skb/consume_skb, size 4776, link 0, flags 6, type=1
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: sec 'tracepoint/skb/consume_skb': found program 'UDPsend' at insn offset 0 (0 bytes), code size 597 insns (4776 bytes)
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: elf: section(12) .reltracepoint/skb/consume_skb, size 144, link 32, flags 0, type=9
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: elf: section(13) .maps, size 320, link 0, flags 3, type=1
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: elf: section(14) license, size 4, link 0, flags 3, type=1
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: license of .//sysmonEBPFkern5.3-5.5_core.o is GPL
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: elf: section(23) .BTF, size 66905, link 0, flags 0, type=1
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: elf: section(25) .BTF.ext, size 46396, link 0, flags 0, type=1
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: elf: section(32) .symtab, size 325992, link 1, flags 0, type=2
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: looking for externs among 13583 symbols...
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: collected 0 externs total
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'configMap': at sec_idx 13, offset 0.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'configMap': found type = 2.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'configMap': found key [7], sz = 4.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'configMap': found value [11], sz = 1232.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'configMap': found max_entries = 1.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'argsStorageMap': at sec_idx 13, offset 32.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'argsStorageMap': found type = 2.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'argsStorageMap': found key [7], sz = 4.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'argsStorageMap': found value [26], sz = 80.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'argsStorageMap': found max_entries = 512.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'argsHash': at sec_idx 13, offset 64.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'argsHash': found type = 1.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'argsHash': found key [15], sz = 8.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'argsHash': found value [26], sz = 80.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'argsHash': found max_entries = 10240.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'packetStorageMap': at sec_idx 13, offset 96.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'packetStorageMap': found type = 2.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'packetStorageMap': found key_size = 4.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'packetStorageMap': found value_size = 128.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'packetStorageMap': found max_entries = 512.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'UDPsendAge': at sec_idx 13, offset 128.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'UDPsendAge': found type = 1.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'UDPsendAge': found key [15], sz = 8.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'UDPsendAge': found value [15], sz = 8.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'UDPsendAge': found max_entries = 131072.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'eventMap': at sec_idx 13, offset 160.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'eventMap': found type = 4.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'eventMap': found key_size = 4.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'eventMap': found value_size = 4.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'eventMap': found max_entries = 512.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'temppathArray': at sec_idx 13, offset 192.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'temppathArray': found type = 2.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'temppathArray': found key_size = 4.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'temppathArray': found value_size = 8192.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'temppathArray': found max_entries = 512.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'perfErrorsMap': at sec_idx 13, offset 224.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'perfErrorsMap': found type = 2.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'perfErrorsMap': found key [7], sz = 4.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'perfErrorsMap': found value [56], sz = 16.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'perfErrorsMap': found max_entries = 1026.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'eventStorageMap': at sec_idx 13, offset 256.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'eventStorageMap': found type = 2.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'eventStorageMap': found key_size = 4.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'eventStorageMap': found value_size = 65512.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'eventStorageMap': found max_entries = 512.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'UDPrecvAge': at sec_idx 13, offset 288.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'UDPrecvAge': found type = 1.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'UDPrecvAge': found key [15], sz = 8.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'UDPrecvAge': found value [15], sz = 8.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: map 'UDPrecvAge': found max_entries = 131072.
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: sec '.relraw_tracepoint/sys_enter': collecting relocation for section(3) 'raw_tracepoint/sys_enter'
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: sec '.relraw_tracepoint/sys_enter': relo #0: insn #10 against 'configMap'
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: prog 'genericRawEnter': found map 0 (configMap, sec 13, off 0) for insn #10
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: sec '.relraw_tracepoint/sys_enter': relo #1: insn #25 against 'argsStorageMap'
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: prog 'genericRawEnter': found map 1 (argsStorageMap, sec 13, off 32) for insn #25
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: sec '.relraw_tracepoint/sys_enter': relo #2: insn #111 against 'argsHash'
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: prog 'genericRawEnter': found map 2 (argsHash, sec 13, off 64) for insn #111
Mar 27 10:40:54 ip-10-0-1-21 sysmon[7767]: libbpf: sec '.relraw_tracepoint/sys_exit': collecting relocation for section(5) 'raw_tracepoint/sys_exit'

@P4T12ICK
Author

Any updates on this @MarioHewardt? Thank you for your help.

@MarioHewardt
Collaborator

This has been fixed with 1.1.1 (released yesterday). I tried it on an AWS EC2 Ubuntu 18.04 VM. Having said that, this latest release also removes support for 18.04 since it's going EOL in April. You can still install the new packages by pointing directly to the 20.04 repos.

wget -q https://packages.microsoft.com/config/ubuntu/20.04/packages-microsoft-prod.deb -O packages-microsoft-prod.deb

@P4T12ICK
Author

Thank you very much. It works now.
