After a folder is deleted and recreated, file_integrity events are missing until service restart

We're still on v7.17.x of auditbeat on CentOS, but I think this applies across versions. Say we are using the file_integrity module for these paths:

- /apps
- /apps/myapp

When the directory /apps/myapp is deleted and re-created, we stop receiving file change events for files within the /apps/myapp directory until the auditbeat service is which point change events will begin flowing again.

My expected/desired behavior is that we'd never stop receiving events for files within the watched paths, and the service restart would be unnecessary. Do other folks experience this? If so, are there any operational workarounds?


FWIW, given Problems when rewatching removed directories · Issue #279 · fsnotify/fsnotify · GitHub and similar, I'm not under the impression that auditbeat is doing anything wrong. Rather, I'm curious about what options I might have to achieve the desired behavior :slight_smile:

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.