[libs]: container: cannot attach container_id to new process event for the thread id '415160': can't get table entry: get_entry found no element at given key

[d-afanasiev]

Hello all.

We use falco in kubernetes.
We also use helm chart for deployment.
After updating falco from version 0.40.0 to version 0.41.3, I got the following messages in the logs.
Helm chart: 6.2.5
https://artifacthub.io/packages/helm/falcosecurity/falco/6.2.5

Mon Sep  8 14:27:13 2025: [libs]: container: cannot attach container_id to new process event for the thread id '415160': can't get table entry: get_entry found no element at given key
Mon Sep  8 14:27:13 2025: [libs]: container: cannot attach container_id to new process event for the thread id '415161': can't get table entry: get_entry found no element at given key
Mon Sep  8 14:27:13 2025: [libs]: container: cannot attach container_id to new process event for the thread id '415161': can't get table entry: get_entry found no element at given key
Mon Sep  8 14:27:13 2025: [libs]: container: cannot attach container_id to new process event for the thread id '415162': can't get table entry: get_entry found no element at given key
Mon Sep  8 14:27:13 2025: [libs]: container: cannot attach container_id to new process event for the thread id '415162': can't get table entry: get_entry found no element at given key
Mon Sep  8 14:27:13 2025: [libs]: container: cannot attach container_id to new process event for the thread id '415163': can't get table entry: get_entry found no element at given key
Mon Sep  8 14:27:13 2025: [libs]: container: cannot attach container_id to new process event for the thread id '415163': can't get table entry: get_entry found no element at given key

Messages are generated about 10 - 20 per second.

Below are the variables I use in helm chart:

falcoctl:
  artifact:
    install:
      enabled: true
    follow:
      enabled: true
  config:
    artifact:
      allowedTypes:
        - plugin
        - rulesfile
      install:
        resolveDeps: true
        refs: [falco-rules:4, k8saudit-rules:0.15, json:0.7.3]
      follow:
        refs: [falco-rules:4, k8saudit-rules:0.15, json:0.7.3]

rbac:
  create: true

serviceAccount:
  create: true
  name: "falco"

healthChecks:
  livenessProbe:
    initalDelaySeconds: 60
    timeoutSeconds: 5
    periodSeconds: 15
  readinessProbe:
    initalDelaySeconds: 30
    timeoutSeconds: 5
    periodSeconds: 15

controller:
  kind: daemonset

gvisor:
  enabled: false

driver:
  enabled: true
  kind: modern_ebpf
  loader:
    enabled: true

falco:
  json_output: true
  rules_files:
    - /etc/falco/k8s_audit_rules.yaml
    - /etc/falco/falco_rules.yaml
    - /etc/falco/rules.d
  syscall_event_drops:
    actions:
    - log
    - alert
    rate: .03333
    max_burst: 3
  priority: debug
  syslog_output:
    enabled: true
  webserver:
    enabled: true
    threadiness: 0
    listen_port: 8765
    prometheus_metrics_enabled: true
  program_output:
    enabled: false
  http_output:
    enabled: true
  grpc:
    enabled: true
  grpc_output:
    enabled: true
  file_output:
    enabled: false
  stdout_output:
    enabled: false
  falco_libs:
    thread_table_size: 512
  plugins:
    - name: k8saudit
      library_path: libk8saudit.so
      init_config:
        maxEventSize: 600000
        webhookMaxBatchSize: 12582912
        sslCertificate: /etc/falco/falco.pem
      open_params: "http://:9765/k8s-audit"
    - name: json
      library_path: libjson.so
      init_config: ""
  load_plugins: [k8saudit, json]

Can you help solve this problem?

[leogr]

/kind bug
/milestone 0.43.0

[leogr]

This seems to be a logging issue. cc @ekoops @irozzo-1A