We're still on v7.17.x of auditbeat on CentOS, but I think this applies across versions. Say we are using the file_integrity module for these paths:
- /apps
- /apps/myapp
When the directory /apps/myapp is deleted and re-created, we stop receiving file change events for files within the /apps/myapp directory until the auditbeat service is restarted, at which point change events will begin flowing again.
My expected/desired behavior is that we'd never stop receiving events for files within the watched paths, and the service restart would be unnecessary. Do other folks experience this? If so, are there any operational workarounds?
Thanks!