Auditbeat 7.8 file integrity module

Mohammad_Etemad · October 30, 2020, 1:06pm

Hello,

I am using auditbeat to track file changes via the file integrity module. This works for a couple of minutes and logs the changes to files, but then stops working and no changes are detected anymore. Is this a known bug or am I configuring something wrong? Here is my yaml file:

 - module: file_integrity
  paths:
  - /etc/keepalived/keepalived.conf
  include_files:
  - '\.conf$'
  scan_at_start: true
  scan_rate_per_sec: 50 MiB
  max_file_size: 100 MiB
  hash_types: [sha1]
  recursive: false

jsoriano · November 3, 2020, 12:58pm

Hey @Mohammad_Etemad,

How are you running Auditbeat? Are the monitored files in the same system or they are mounted using some network volume?

Could you try with the latest version of Auditbeat?

Mohammad_Etemad · November 3, 2020, 3:17pm

@jsoriano The service is running as a systemd service. Files are not remote, all local. I can give it a try with the latest auditbeat but I did not see any specific notes in the change logs.

jsoriano · November 3, 2020, 5:15pm

Could you enable debug logging and check if you see anything related?

Topic		Replies	Views
Auditbeat 7.x file integrity module Beats auditbeat	2	501	April 8, 2021
Auditbeat configuring file Beats auditbeat	2	394	March 22, 2019
Help: auditbeat's file_integrity module not sending logs for created/modified/deleted files Beats auditbeat	1	260	September 24, 2023
Auditbeat - Triggering file integrity event.action:updated when hash.sha1 is unchanged Beats auditbeat	1	347	August 14, 2020
Auditbeat file integrity doesn't scans shares Beats auditbeat	2	470	May 28, 2020

Auditbeat 7.8 file integrity module

Related topics