Hi guys
I have auditbeat (v6.8.10) installed and configured on a Windows host to send data to Kafka (kafka output). I noticed that changing file attributes triggers an event which is sent to Kafka, but I do not see any specific information on what was changed (I added the "Read-Only" attribute to a file).
Example event after changing the file attribute (action: updated):
{"@timestamp":"2020-07-07T12:57:46.722Z","@metadata":{"beat":"auditbeat","type":"doc","version":"6.8.10","topic":"topic-name-json"},"tags":["auditbeat"],"fields":{"type":"auditbeat","env":"dev"},"beat":{"name":"AuditBeat","hostname":"hostname","version":"6.8.10"},"host":{"name":"AuditBeat"},"hash":{"sha256":"asd"},"file":{"path":"C:\\Program Files\\AuditBeat_6810\\D1\\F1.txt","inode":"15762598696055111","mtime":"2020-06-26T12:44:04.005Z","ctime":"2020-06-26T12:44:04.005Z","size":0,"type":"file","uid":"S-1-5-21-631068067-1468795310-178543940-699263","owner":"user"},"event":{"action":["updated"],"module":"file_integrity","dataset":"file"}}
Similar event from a local auditbeat log file (debug turned on; please note the file "mode" field):
2020-07-07T15:07:04.985+0200 DEBUG [file_integrity] file_integrity/metricset.go:224 File changed since it was last seen {"file_path": "C:\\Program Files\AuditBeat_6810\\D1\F1.txt", "took": 0, "event": {"old": {"timestamp":"2020-07-07T13:06:55.0034521Z","path":"C:\\Program Files\\AuditBeat_6810\\D1\\F1.txt","info":{"inode":15762598696055111,"uid":0,"gid":0,"sid":"S-1-5-21-631068067-1468795310-178543940-699263","owner":"","group":"","size":0,"mtime":"2020-06-26T12:44:04.0052507Z","ctime":"2020-06-26T12:44:04.0052507Z","type":"file","mode":438,"setuid":false,"setgid":false,"origin":null},"source":"scan","action":"none","hash":{"sha256":"asd"}}, "new": {"timestamp":"2020-07-07T13:07:04.9850248Z","path":"C:\\Program Files\\AuditBeat_6810\\D1\\F1.txt","info":{"inode":15762598696055111,"uid":0,"gid":0,"sid":"S-1-5-21-631068067-1468795310-178543940-699263","owner":"user","group":"","size":0,"mtime":"2020-06-26T12:44:04.0052507Z","ctime":"2020-06-26T12:44:04.0052507Z","type":"file","mode":292,"setuid":false,"setgid":false,"origin":null},"source":"fsnotify","action":"updated","hash":{"sha256":"asd"}}}}
Is this expected, or do I have to add something to my configuration file?
CONFIG FILE:
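# Auditbeat configuration as reconstructed from the pasted (flattened) text.
# In the paste every key sat at column 0, which makes `enabled`, `paths`,
# `type`, `env`, `hosts` etc. top-level keys instead of children of their
# stanza; the nesting below is restored from the auditbeat reference layout
# and from the fields visible in the events above (beat.name, tags, fields).
auditbeat.modules:
  - module: file_integrity
    enabled: true
    paths:
      # NOTE(review): the events above report
      # C:\Program Files\AuditBeat_6810\D1 — confirm this path matches the
      # directory actually being monitored.
      - C:/Program Files/AuditBeat/D1
    scan_at_start: true
    scan_rate_per_sec: 50 MiB
    max_file_size: 1000 MiB
    hash_types: [sha256]
    recursive: true

# Beat identity and static enrichment; these surface as beat.name, tags
# and fields.* in the emitted events.
name: AuditBeat
tags: ["auditbeat"]
fields:
  type: auditbeat
  env: dev

#================= Kafka output =====================
# NOTE(review): no ssl.* or username/password settings are shown for this
# output, so the broker connection is plaintext unless configured elsewhere;
# the events carry file paths, owner SIDs and hashes.
output.kafka:
  # initial brokers for reading cluster metadata
  hosts:
    - "host1:9092"
    - "host2:9092"
    - "host3:9092"
    - "host4:9092"
  # message topic selection + partitioning
  topic: topic-name-json
  partition.round_robin:
    reachable_only: true
  required_acks: 1
  compression: gzip
  max_message_bytes: 10000000

# Debug logging with all selectors writes full event contents (paths, hashes,
# old/new file info — see the debug line above) to the local log; intended
# for troubleshooting only. Note that the debug "info.mode" value changes
# 438 -> 292 for the read-only change, while the Kafka event has no
# file.mode field.
logging.level: debug
logging.selectors: ["*"]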