Auditbeat 7.x file integrity module
I am using auditbeat to track file changes via the file integrity module. This works for a couple of minutes and logs the changes to files, but then stops working and no changes are detected anymore. I am running auditbeat as a systemd service on CentOS and monitoring local files. Is this a known bug or am I configuring something wrong? Here is my YAML file:

- module: file_integrity
  paths:
    - /etc/keepalived/keepalived.conf
  # The option name for the pattern below was lost from the post as extracted;
  # include_files is an assumption (the module also accepts patterns under exclude_files).
  include_files:
    - '\.conf$'
  scan_at_start: true
  scan_rate_per_sec: 50 MiB
  max_file_size: 100 MiB
  hash_types: [sha1]
  recursive: false

I have turned on debug logs and it looks like there are none when this feature stops working. I use vi to modify the file on CentOS. The logs I get after the initial tracking are INFO level logs:

2021-03-09T17:55:15.840Z        INFO    [monitoring]    log/log.go:144  Non-zero metrics in the last 30s        {"monitoring": {"metrics": {"beat":{"cgroup":{"cpuacct":{"total":{"ns":1009567247}},"memory":{"mem":{"usage":{"bytes":815104}}}},"cpu":{"system":{"ticks":520,"time":{"ms":135}},"total":{"ticks":3100,"time":{"ms":1010},"value":3100},"user":{"ticks":2580,"time":{"ms":875}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":26},"info":{"ephemeral_id":"fcc6e490-d4d7-46c4-8f64-e647a6b8f388","uptime":{"ms":150161}},"memstats":{"gc_next":11432032,"memory_alloc":7779248,"memory_total":23608752,"rss":86917120},"runtime":{"goroutines":59}},"libbeat":{"config":{"module":{"running":0}},"output":{"events":{"active":0}},"pipeline":{"clients":8,"events":{"active":0}}},"system":{"load":{"1":2.76,"15":2.5,"5":2.47,"norm":{"1":0.345,"15":0.3125,"5":0.3088}}}}}}

I also tried with inotifywait, which filebeat uses, and I see the same behavior. Am I missing something in the setup? I used:

inotifywait -m /etc/keepalived/keepalived.conf

Running this on a CentOS 7 VM.
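An added check, not part of the post and not auditbeat's code: this Python script mimics two of the post's options (a regex file filter and max_file_size with sha1 hashing) and compares a file's inode and hash after an in-place rewrite and after a write-then-rename, the save strategy many editors use. inotify watches on a single file are bound to its inode rather than its path, so confirming whether the edited file keeps its inode is the first thing to check when change detection stops after an edit; the file name, contents and the `.swp` pattern are constructed for the demo.

```python
import hashlib
import os
import re
import tempfile

# Constructed stand-in for two of the post's options (not auditbeat's own code).
EXCLUDE_FILES = [r"\.swp$"]          # constructed pattern: ignore vim swap files
MAX_FILE_SIZE = 100 * 1024 * 1024    # 100 MiB, as in the post

def fingerprint(path):
    """Return {'inode', 'sha1'} for a file, or None if it is filtered out."""
    if any(re.search(pat, path) for pat in EXCLUDE_FILES):
        return None
    st = os.stat(path)
    if st.st_size > MAX_FILE_SIZE:
        return None  # skipped, as max_file_size would do
    with open(path, "rb") as f:
        return {"inode": st.st_ino, "sha1": hashlib.sha1(f.read()).hexdigest()}

def write_in_place(path, data):
    # Truncate and rewrite the existing file: the inode is unchanged afterwards.
    with open(path, "wb") as f:
        f.write(data)

def write_via_rename(path, data):
    # Write a new file, then rename it over the old one (the way many editors
    # save): the path now refers to a different inode, so an inotify watch that
    # was placed on the old inode no longer sees writes to this path.
    tmp = path + ".new"
    with open(tmp, "wb") as f:
        f.write(data)
    os.replace(tmp, path)

def demo():
    """Edit a constructed keepalived.conf both ways and report what changed."""
    path = os.path.join(tempfile.mkdtemp(), "keepalived.conf")
    write_in_place(path, b"vrrp_instance VI_1 {\n  priority 100\n}\n")
    before = fingerprint(path)
    write_in_place(path, b"vrrp_instance VI_1 {\n  priority 150\n}\n")
    after_inplace = fingerprint(path)
    write_via_rename(path, b"vrrp_instance VI_1 {\n  priority 200\n}\n")
    after_rename = fingerprint(path)
    return {
        "inplace_keeps_inode": before["inode"] == after_inplace["inode"],
        "rename_keeps_inode": after_inplace["inode"] == after_rename["inode"],
        "content_changed": before["sha1"] != after_rename["sha1"],
        "swap_file_excluded": fingerprint(path + ".swp") is None,
    }
```

On a live host the same comparison is `stat -c %i /etc/keepalived/keepalived.conf` before and after saving in the editor; if the number changes, a watch that was attached to the file rather than its directory will have been left on the old inode.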