Auditbeat file integrity doesn't scans shares

ormaman · April 23, 2020, 10:53am

auditbeat file integrity doesn't scans shares nor mount points

I tried to mount windows share to a windows machine with a auditbeat on it mapped to Z:
The auditbeat does not recognizing changes there

moreover i tried mounting the same share to a linux machine and the beat doesn't recognizing changes as well
but when i restart the auditbeat on linux it detected the changes

any ideas about windows and linux ?

andrewkroh · May 7, 2020, 3:00pm

From the file_integrity docs https://www.elastic.co/guide/en/beats/auditbeat/7.x/auditbeat-module-file_integrity.html:

The file integrity module should not be used to monitor paths on network file systems.

To expand on that more, the reason is that OS features used to monitor changes in real-time don't work on network filesystems. Generally they can only observe changes when writer is running locally.

system · May 28, 2020, 3:00pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Auditbeat file integrity doesn't scans shares nor mount points Beats	1	277	May 20, 2020
Auditbeat File Integrity (Windows OS) Doesn't Capture WHO Changed Files? Beats auditbeat	4	829	March 26, 2021
Auditbeat on windows for FIM Beats auditbeat	4	1029	November 19, 2018
Auditbeat 7.8 file integrity module Beats auditbeat	4	352	December 1, 2020
Can Auditbeat file integrity module detect unmount and mount of CIFS filesystem Beats auditbeat	1	281	July 1, 2022

Auditbeat file integrity doesn't scans shares

Related topics