Hello,
I am using auditbeat to track file changes via the file integrity module. This works for a couple of minutes and logs the changes to files, but then it stops working and no changes are detected anymore. I am running auditbeat as a systemd service on CentOS and monitoring local files. Is this a known bug or am I configuring something wrong? Here is my YAML file:
```yaml
- module: file_integrity
  paths:
  - /etc/keepalived/keepalived.conf
  include_files:
  - '\.conf$'
  scan_at_start: true
  scan_rate_per_sec: 50 MiB
  max_file_size: 100 MiB
  hash_types: [sha1]
  recursive: false
```
I have turned on debug logs and it looks like there are none when this feature stops working. I use vi to modify the file on CentOS. The logs I get after the initial tracking are INFO level logs:
2021-03-09T17:55:15.840Z INFO [monitoring] log/log.go:144 Non-zero metrics in the last 30s {"monitoring": {"metrics": {"beat":{"cgroup":{"cpuacct":{"total":{"ns":1009567247}},"memory":{"mem":{"usage":{"bytes":815104}}}},"cpu":{"system":{"ticks":520,"time":{"ms":135}},"total":{"ticks":3100,"time":{"ms":1010},"value":3100},"user":{"ticks":2580,"time":{"ms":875}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":26},"info":{"ephemeral_id":"fcc6e490-d4d7-46c4-8f64-e647a6b8f388","uptime":{"ms":150161}},"memstats":{"gc_next":11432032,"memory_alloc":7779248,"memory_total":23608752,"rss":86917120},"runtime":{"goroutines":59}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":8,"events":{"active":0}}},"system":{"load":{"1":2.76,"15":2.5,"5":2.47,"norm":{"1":0.345,"15":0.3125,"5":0.3088}}}}}}