Running Filebeat 7.10.2 on Ubuntu 22.04 can lead to a crash with the following error:

runtime/cgo: pthread_create failed: Operation not permitted
SIGABRT: abort
PC=0x7f123c7cc9fc m=3 sigcode=18446744073709551610

This article explains the root cause and provides two working fixes.

Environment

• OS: Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-83-generic x86_64)
• Filebeat version: 7.10.2

Problem Reproduction

After downloading Filebeat 7.10.2 and configuring it with a minimal input/output setup:

filebeat.inputs:
- type: stdin

output.console:
  pretty: true

Running ./filebeat -e --strict.perms=false (needed for root user) triggers the crash shown above.

Root Cause Analysis

The crash occurs because Filebeat uses Seccomp (secure computnig mode) by default on Linux ≥ 3.17, limiting available system calls. Starting with glibc 2.35, the rseq syscall is required, but Filebeat 7.10.2 does not include it in its default Seccomp policy. Ubuntu 22.04 ships glibc 2.35, causing the failure.

The error stack trace points to a blocking read syscall:

goroutine 44 [syscall]:
syscall.Syscall(0x0, 0x0, 0xc00070c000, 0x4000, ...)

The issue was fixed in Filebeat 7.17.2; for older versions, manual configuration is required.

Solutions

Option 1: Disable Seccomp (Not Recomemnded)

Turning off Seccomp removes the system call restriction entirely but increases security risk.

filebeat.inputs:
- type: stdin

output.console:
  pretty: true

seccomp:
  enabled: false

Option 2: Allow the rseq Syscall (Recommended)

Add a custom Seccomp policy that permits rseq while keeping default restrictions:

filebeat.inputs:
- type: stdin

output.console:
  pretty: true

seccomp:
  default_action: allow
  syscalls:
  - action: allow
    names:
    - rseq

After adding the configuration, Filebeat starts successfully without errors.

Verification

Both methods resolve the crash. Use Option 2 in production to maintain the principle of least privilege.