Auditbeat 6.8.10 / Windows / File integrity / kafka output / changing file attributes info

Hi guys

I have auditbeat (v6.8.10) installed and configured on a Windows host to send data to Kafka (kafka output). I noticed that changing file attributes triggers an event which is sent to Kafka, but I do not see any specific information on what has been changed (I added the "Read-Only" flag to a file).

Example event after changing the file attribute (action: updated):

{"@timestamp":"2020-07-07T12:57:46.722Z","@metadata":{"beat":"auditbeat","type":"doc","version":"6.8.10","topic":"topic-name-json"},"tags":["auditbeat"],"fields":{"type":"auditbeat","env":"dev"},"beat":{"name":"AuditBeat","hostname":"hostname","version":"6.8.10"},"host":{"name":"AuditBeat"},"hash":{"sha256":"asd"},"file":{"path":"C:\\Program Files\\AuditBeat_6810\\D1\\F1.txt","inode":"15762598696055111","mtime":"2020-06-26T12:44:04.005Z","ctime":"2020-06-26T12:44:04.005Z","size":0,"type":"file","uid":"S-1-5-21-631068067-1468795310-178543940-699263","owner":"user"},"event":{"action":["updated"],"module":"file_integrity","dataset":"file"}}

Similar event from a local auditbeat logfile (debug turned on, please note file "mode"):

2020-07-07T15:07:04.985+0200	DEBUG	[file_integrity]	file_integrity/metricset.go:224	File changed since it was last seen	{"file_path": "C:\\Program Files\AuditBeat_6810\\D1\F1.txt", "took": 0, "event": {"old": {"timestamp":"2020-07-07T13:06:55.0034521Z","path":"C:\\Program Files\\AuditBeat_6810\\D1\\F1.txt","info":{"inode":15762598696055111,"uid":0,"gid":0,"sid":"S-1-5-21-631068067-1468795310-178543940-699263","owner":"","group":"","size":0,"mtime":"2020-06-26T12:44:04.0052507Z","ctime":"2020-06-26T12:44:04.0052507Z","type":"file","mode":438,"setuid":false,"setgid":false,"origin":null},"source":"scan","action":"none","hash":{"sha256":"asd"}}, "new": {"timestamp":"2020-07-07T13:07:04.9850248Z","path":"C:\\Program Files\\AuditBeat_6810\\D1\\F1.txt","info":{"inode":15762598696055111,"uid":0,"gid":0,"sid":"S-1-5-21-631068067-1468795310-178543940-699263","owner":"user","group":"","size":0,"mtime":"2020-06-26T12:44:04.0052507Z","ctime":"2020-06-26T12:44:04.0052507Z","type":"file","mode":292,"setuid":false,"setgid":false,"origin":null},"source":"fsnotify","action":"updated","hash":{"sha256":"asd"}}}}

Is this expected, or do I have to add something to my configuration file?

CONFIG FILE:

auditbeat.modules:
- module: file_integrity
  enabled: true
  paths:
  - C:/Program Files/AuditBeat/D1

  scan_at_start: true
  scan_rate_per_sec: 50 MiB
  max_file_size: 1000 MiB
  hash_types: [sha256]
  recursive: true

name: AuditBeat
tags: ["auditbeat"]
fields:
  type: auditbeat
  env: dev


#================= Kafka output =====================
output.kafka:
  #initial brokers for reading cluster metadata
  hosts:
    ["host1:9092", "host2:9092",  "host3:9092",  "host4:9092"]

  # message topic selection + partitioning
  topic: topic-name-json
  partition.round_robin:
    reachable_only: true

  required_acks: 1
  compression: gzip
  max_message_bytes: 10000000

logging.level: debug
logging.selectors: ["*"]
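The debug-log event in the post carries what the published Kafka event does not: the old and new "info" blocks, including the decimal "mode" (438 before, 292 after). The following script is an added example, not Auditbeat code and not from the original post; it diffs those blocks and decodes the mode values. The sample event is constructed from the log line above, and the read-only interpretation assumes Go's Windows file-mode mapping, where a file with the Read-Only attribute reports permission bits 0444 and any other file reports 0666.

```python
import json
import stat

# Old/new "info" blocks copied from the debug log line in the post above,
# embedded as a constructed sample so the script runs offline.
SAMPLE_EVENT = r'''{
 "old": {"path": "C:\\Program Files\\AuditBeat_6810\\D1\\F1.txt", "source": "scan",
         "info": {"inode": 15762598696055111, "owner": "", "size": 0,
                  "mtime": "2020-06-26T12:44:04.0052507Z", "type": "file", "mode": 438}},
 "new": {"path": "C:\\Program Files\\AuditBeat_6810\\D1\\F1.txt", "source": "fsnotify",
         "info": {"inode": 15762598696055111, "owner": "user", "size": 0,
                  "mtime": "2020-06-26T12:44:04.0052507Z", "type": "file", "mode": 292}}
}'''

WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def describe_mode(mode: int) -> dict:
    """Render the decimal 'mode' from the log as octal and say whether any write bit is set."""
    return {"octal": oct(mode), "writable": bool(mode & WRITE_BITS)}


def diff_info(event: dict) -> dict:
    """Return {field: (old, new)} for every 'info' field whose value changed."""
    old, new = event["old"]["info"], event["new"]["info"]
    return {k: (old.get(k), new.get(k))
            for k in sorted(set(old) | set(new)) if old.get(k) != new.get(k)}


def explain_update(raw_event: str) -> dict:
    """Summarise an 'updated' event: changed fields plus a decoded mode transition."""
    event = json.loads(raw_event)
    changes = diff_info(event)
    result = {"path": event["new"]["path"], "changes": changes}
    if "mode" in changes:
        old_mode, new_mode = (describe_mode(m) for m in changes["mode"])
        result["mode_old"], result["mode_new"] = old_mode, new_mode
        # Assumption: on Windows, Go reports 0444 for Read-Only files and 0666 otherwise,
        # so write bits disappearing means the Read-Only attribute was set.
        result["read_only_set"] = old_mode["writable"] and not new_mode["writable"]
    return result


if __name__ == "__main__":
    print(json.dumps(explain_update(SAMPLE_EVENT), indent=2))
```

Running it on the sample reports "mode" going from 0o666 to 0o444 and "owner" from "" to "user", which is the detail missing from the Kafka event.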

Hello,

Do you have any information about this problem?
