Auditbeat 7.8 file integrity module

Mohammad_Etemad · October 30, 2020, 1:06pm

Hello,

I am using auditbeat to track file changes via the file integrity module. This works for a couple of minutes and logs the changes to files, but then stops working and no changes are detected anymore. Is this a known bug or am I configuring something wrong? Here is my yaml file:

 - module: file_integrity
  paths:
  - /etc/keepalived/keepalived.conf
  include_files:
  - '\.conf$'
  scan_at_start: true
  scan_rate_per_sec: 50 MiB
  max_file_size: 100 MiB
  hash_types: [sha1]
  recursive: false

jsoriano · November 3, 2020, 12:58pm

Hey @Mohammad_Etemad,

How are you running Auditbeat? Are the monitored files in the same system or they are mounted using some network volume?

Could you try with the latest version of Auditbeat?

Mohammad_Etemad · November 3, 2020, 3:17pm

@jsoriano The service is running as a systemd service. Files are not remote, all local. I can give it a try with the latest auditbeat but I did not see any specific notes in the change logs.

jsoriano · November 3, 2020, 5:15pm

Could you enable debug logging and check if you see anything related?

system · December 1, 2020, 7:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.