I want to observe the change in the configuration file along with the username and I also want to know what was changed in the config file.
Any help would be highly appreciated.
Hi @shrikantgulia, the file_integrity module can't tell you who changed a file - the underlying APIs do not support it.
Which operating system do you want to do this on? On Linux, this is possible using the auditd module and an audit rule like -w /home/rdave/Desktop/xyz.cfg.txt -p wa -k file-changed.
There is currently no way in Auditbeat (or any other Beat) to track what changes happened to a file. This is not something operating systems typically expose directly, and so it would require keeping a copy of the file for comparison. There is an open GitHub issue if you're interested in tracking this: https://github.com/elastic/beats/issues/7860
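The "keep a copy of the file for comparison" approach mentioned in the reply above, sketched as an added example that is not part of the original thread and not Auditbeat code. The function names, the baseline directory layout and the sample config contents are assumptions made for illustration.

```python
import difflib
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Optional


def baseline_path(store: Path, watched: Path) -> Path:
    # One baseline per watched file, keyed by a hash of its absolute path.
    key = hashlib.sha256(str(watched.resolve()).encode()).hexdigest()
    return store / key


def check_for_change(watched: Path, store: Path) -> Optional[str]:
    """Return a unified diff against the stored baseline, or None if unchanged."""
    store.mkdir(mode=0o700, parents=True, exist_ok=True)  # keep baselines private
    baseline = baseline_path(store, watched)
    if not baseline.exists():
        shutil.copy2(watched, baseline)  # first sight: record baseline only
        return None
    old = baseline.read_bytes()
    new = watched.read_bytes()
    if old == new:
        return None
    diff = "".join(difflib.unified_diff(
        old.decode(errors="replace").splitlines(keepends=True),
        new.decode(errors="replace").splitlines(keepends=True),
        fromfile=f"{watched} (baseline)",
        tofile=f"{watched} (current)",
    ))
    shutil.copy2(watched, baseline)  # refresh so the next diff is incremental
    return diff


def demo() -> Optional[str]:
    # Constructed sample config in a temp dir so the example runs offline.
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "xyz.cfg.txt"
        store = Path(tmp) / "baselines"
        cfg.write_text("port=8080\ntls=on\n")
        assert check_for_change(cfg, store) is None
        cfg.write_text("port=8080\ntls=off\n")
        return check_for_change(cfg, store)


if __name__ == "__main__":
    print(demo())
```

The baseline directory has to be writable only by the monitoring account, since anyone who can edit a baseline can hide a change, and the diffs will contain whatever secrets the config file holds.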