Auditbeat Bug? - Include_files not limiting to just those files

The auditbeat reference documentation and common sense would imply that doing something like

```yaml
- module: file_integrity
  paths:
    - C:/windows/system32
  include_files: ['(?i).dll$', '(?i).exe$']
```

would monitor ONLY .dll and .exe files in the system32 directory. Yet this config monitors all the files in system32. It is not limiting it to just .dll and .exe files. Is this how this was designed? Why can't Elastic provide some useful, real-world examples in https://www.elastic.co/guide/en/beats/auditbeat/master/auditbeat-module-file_integrity.html? 5 or 6 common examples, such as what I am trying to do, would make their products 100x clearer.
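The following is an added example, not Auditbeat's own code and not from the original post: a small Go program that applies `include_files`/`exclude_files` style patterns with Go's `regexp` package (RE2 syntax, the engine a Go program such as Auditbeat uses), so the expectation behind the question can be checked locally against constructed Windows paths. It assumes the documented semantics (a path is kept only if it matches at least one include pattern, and never if it matches an exclude pattern) and that patterns are tested against the full path; `ShouldMonitor` and `FilterPaths` are names chosen here, not module APIs. It also shows a caveat the post's patterns carry: the unescaped `.` in `(?i).dll$` matches any character, so `notes_dll` is kept too, while `\.dll$` matches only the real extension.

```go
package main

import (
	"fmt"
	"regexp"
)

// CompileAll compiles every pattern with Go's regexp package (RE2 syntax).
func CompileAll(patterns []string) ([]*regexp.Regexp, error) {
	out := make([]*regexp.Regexp, 0, len(patterns))
	for _, p := range patterns {
		re, err := regexp.Compile(p)
		if err != nil {
			return nil, fmt.Errorf("pattern %q: %w", p, err)
		}
		out = append(out, re)
	}
	return out, nil
}

// matchesAny reports whether path matches at least one compiled pattern.
func matchesAny(res []*regexp.Regexp, path string) bool {
	for _, re := range res {
		if re.MatchString(path) {
			return true
		}
	}
	return false
}

// ShouldMonitor applies the documented filter semantics (assumption: patterns
// are tested against the full path): with a non-empty include list the path
// must match at least one include pattern, and it must match no exclude pattern.
func ShouldMonitor(include, exclude []string, path string) (bool, error) {
	inc, err := CompileAll(include)
	if err != nil {
		return false, err
	}
	exc, err := CompileAll(exclude)
	if err != nil {
		return false, err
	}
	if len(inc) > 0 && !matchesAny(inc, path) {
		return false, nil
	}
	return !matchesAny(exc, path), nil
}

// FilterPaths returns the subset of paths that would be monitored.
func FilterPaths(include, exclude, paths []string) ([]string, error) {
	var kept []string
	for _, p := range paths {
		ok, err := ShouldMonitor(include, exclude, p)
		if err != nil {
			return nil, err
		}
		if ok {
			kept = append(kept, p)
		}
	}
	return kept, nil
}

func main() {
	// Constructed sample paths, not taken from a real host.
	paths := []string{
		`C:\Windows\System32\kernel32.dll`,
		`C:\Windows\System32\cmd.EXE`,
		`C:\Windows\System32\drivers\etc\hosts`,
		`C:\Windows\System32\notes_dll`,
	}
	for _, set := range [][]string{
		{`(?i).dll$`, `(?i).exe$`},   // the patterns from the question
		{`(?i)\.dll$`, `(?i)\.exe$`}, // dot escaped: only the real extension matches
	} {
		kept, err := FilterPaths(set, nil, paths)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%v -> %v\n", set, kept)
	}
}
```

Running it prints the kept paths for both pattern sets: the question's patterns keep the .dll, the .EXE and `notes_dll`; the escaped patterns keep only the first two. Either way the patterns do select a subset in plain Go, which is the expectation the post describes and a useful first check when a monitored set looks wider than intended.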

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.