Close event handler (?)

kubectl logs -n falco -l app.kubernetes.io/name=falco --tail=50 produces a lot of :

`Thu Jan 29 20:57:23 2026: [libs]: edera: [ERROR] not an enter event or has no FD! ZoneKernelSyscallEvent { zone_id: "777b709a-987b-4f68-b8a6-d4fe3b131fbe", timestamp: 1769720243426154940, thread_id: 1614, event_length: 46, event_name: "close", event_category: "EC_SYSCALL", event_flags: 0, event_type: 5, cpuid: 1, event_params: [ZoneKernelEventParam { name: "res", param_type: 11, param_data: [0, 0, 0, 0, 0, 0, 0, 0], param_pretty: "0", param_type_pretty: "PT_ERRNO" }, ZoneKernelEventParam { name: "fd", param_type: 14, param_data: [112, 1, 0, 0, 0, 0, 0, 0], param_pretty: "368", param_type_pretty: "PT_FD" }] }
Thu Jan 29 20:57:23 2026: [libs]: edera: [WARN] no fd found for enter event: ZoneKernelSyscallEvent { zone_id: "777b709a-987b-4f68-b8a6-d4fe3b131fbe", timestamp: 1769720243426154940, thread_id: 1614, event_length: 46, event_name: "close", event_category: "EC_SYSCALL", event_flags: 0, event_type: 5, cpuid: 1, event_params: [ZoneKernelEventParam { name: "res", param_type: 11, param_data: [0, 0, 0, 0, 0, 0, 0, 0], param_pretty: "0", param_type_pretty: "PT_ERRNO" }, ZoneKernelEventParam { name: "fd", param_type: 14, param_data: [112, 1, 0, 0, 0, 0, 0, 0], param_pretty: "368", param_type_pretty: "PT_FD" }] }
Thu Jan 29 20:57:24 2026: [libs]: edera: [ERROR] not an enter event or has no FD! ZoneKernelSyscallEvent { zone_id: "777b709a-987b-4f68-b8a6-d4fe3b131fbe", timestamp: 1769720244427304618, thread_id: 1608, event_length: 46, event_name: "close", event_category: "EC_SYSCALL", event_flags: 0, event_type: 5, cpuid: 0, event_params: [ZoneKernelEventParam { name: "res", param_type: 11, param_data: [0, 0, 0, 0, 0, 0, 0, 0], param_pretty: "0", param_type_pretty: "PT_ERRNO" }, ZoneKernelEventParam { name: "fd", param_type: 14, param_data: [112, 1, 0, 0, 0, 0, 0, 0], param_pretty: "368", param_type_pretty: "PT_FD" }] }
Thu Jan 29 20:57:24 2026: [libs]: edera: [WARN] no fd found for enter event: ZoneKernelSyscallEvent { zone_id: "777b709a-987b-4f68-b8a6-d4fe3b131fbe", timestamp: 1769720244427304618, thread_id: 1608, event_length: 46, event_name: "close", event_category: "EC_SYSCALL", event_flags: 0, event_type: 5, cpuid: 0, event_params: [ZoneKernelEventParam { name: "res", param_type: 11, param_data: [0, 0, 0, 0, 0, 0, 0, 0], param_pretty: "0", param_type_pretty: "PT_ERRNO" }, ZoneKernelEventParam { name: "fd", param_type: 14, param_data: [112, 1, 0, 0, 0, 0, 0, 0], param_pretty: "368", param_type_pretty: "PT_FD" }] }`

every close syscall seems to produce [ERROR] not an enter event or has no FD! and [WARN] no fd found for enter event, flooding the logs.  Not sure if this a plugin bug or not

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Close event handler (?) #49

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Close event handler (?) #49

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions