Auditbeat file integrity monitoring does not show user who made changes to file

How can i see the user who made changes, created or deleted a file. The user who

Hi @EMMANUEL_CHIBUOGWU - unfortunately, the underlying technology that we use to receive notifications about file changes don't usually tell us who changed the file. Which operating system are you trying to do this for?

On a windows server 2016 and hoping to try it out on ubuntu. Is there any work in progress on including that feature. Thanks

I think on Linux you might be able to achieve that by using the auditd module in Auditbeat and watching the directories that you are interested in. I'm not aware of a solution for windows yet, perhaps using Sysmon?

thanks @tudor really appreciate the reply. sorry it's coming late

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.