After a folder is deleted and recreated, file_integrity events are missing until service restart

James_Nelson1 · May 31, 2023, 7:51pm

We're still on v7.17.x of auditbeat on CentOS, but I think this applies across versions. Say we are using the file_integrity module for these paths:

- /apps
- /apps/myapp

When the directory /apps/myapp is deleted and re-created, we stop receiving file change events for files within the /apps/myapp directory until the auditbeat service is restarted...at which point change events will begin flowing again.

My expected/desired behavior is that we'd never stop receiving events for files within the watched paths, and the service restart would be unnecessary. Do other folks experience this? If so, are there any operational workarounds?

Thanks!

James_Nelson1 · May 31, 2023, 9:30pm

FWIW, given Problems when rewatching removed directories · Issue #279 · fsnotify/fsnotify · GitHub and similar, I'm not under the impression that auditbeat is doing anything wrong. Rather, I'm curious about what options I might have to achieve the desired behavior

system · June 28, 2023, 11:30pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Missing log events for deleted files within a folder using Auditbeat 8.6 for Windows file integrity Beats auditbeat	2	414	February 24, 2023
Help: auditbeat's file_integrity module not sending logs for created/modified/deleted files Beats auditbeat	1	238	September 24, 2023
Auditbeat 7.x file integrity module Beats auditbeat	2	457	April 8, 2021
Auditbeat 7.8 file integrity module Beats auditbeat	4	352	December 1, 2020
Auditbeat - Triggering file integrity event.action:updated when hash.sha1 is unchanged Beats auditbeat	1	306	August 14, 2020

After a folder is deleted and recreated, file_integrity events are missing until service restart

Related topics