After a folder is deleted and recreated, file_integrity events are missing until service restart

We're still on v7.17.x of auditbeat on CentOS, but I think this applies across versions. Say we are using the file_integrity module for these paths:

- /apps
- /apps/myapp

When the directory /apps/myapp is deleted and re-created, we stop receiving file change events for files within the /apps/myapp directory until the auditbeat service is restarted, at which point change events will begin flowing again.

My expected/desired behavior is that we'd never stop receiving events for files within the watched paths, and the service restart would be unnecessary. Do other folks experience this? If so, are there any operational workarounds?

Thanks!

FWIW, given "Problems when rewatching removed directories" (Issue #279, fsnotify/fsnotify on GitHub) and similar, I'm not under the impression that auditbeat is doing anything wrong. Rather, I'm curious about what options I might have to achieve the desired behavior.
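An added example, not part of the original post and not auditbeat or fsnotify code: a small check that reports when a watched directory has been deleted and re-created, which is the condition after which the post says events stop until a restart. It relies on the fact that an inotify watch follows the directory object rather than the path name; the class name `WatchedDirGuard` and the temporary paths standing in for /apps and /apps/myapp are hypothetical.

```python
import os
import shutil
import tempfile


class WatchedDirGuard:
    """Pin each watched directory with a descriptor opened at baseline time."""

    def __init__(self, paths):
        # While a descriptor is held the kernel cannot reuse that inode number,
        # so a different (st_dev, st_ino) at the same path means a new directory.
        self._pinned = {p: os.open(p, os.O_RDONLY | os.O_DIRECTORY) for p in paths}

    def replaced(self):
        """Return the paths that no longer point at the baseline directory."""
        stale = []
        for path, fd in self._pinned.items():
            base = os.fstat(fd)
            try:
                now = os.stat(path)
            except FileNotFoundError:
                stale.append(path)  # deleted and not yet re-created
                continue
            if (base.st_dev, base.st_ino) != (now.st_dev, now.st_ino):
                stale.append(path)  # re-created: an existing watch is on the old directory
        return stale

    def close(self):
        for fd in self._pinned.values():
            os.close(fd)
        self._pinned.clear()


def demo():
    """Constructed scenario: apps/ and apps/myapp under a temporary root."""
    root = tempfile.mkdtemp()
    apps = os.path.join(root, "apps")
    myapp = os.path.join(apps, "myapp")
    os.makedirs(myapp)
    guard = WatchedDirGuard([apps, myapp])
    try:
        before = guard.replaced()   # nothing has changed yet
        shutil.rmtree(myapp)        # delete the watched directory ...
        os.mkdir(myapp)             # ... and re-create it at the same path
        after = guard.replaced()
    finally:
        guard.close()
        shutil.rmtree(root)
    return before, after, myapp
```

Take the baseline when the auditbeat service starts; a non-empty result from `replaced()` afterwards marks the point at which a restart is needed for events under that path to resume.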
