We need a File Integrity Monitoring solution for Windows OSes - on the servers we use as file servers. To further explain "file servers" - not to monitor remotely across shares, which is not supported - but directly on the server.
Got the Auditbeat 7.10 file integrity module running and reporting into Elastic/Kibana - and was then shocked that although changes to files are being reported (yay) - the person who DID the change is NOT reported (bad).
I saw a post from 2019 reporting the same issue and am posting again in hopes that there has been improvement in this area (to make FIM meaningful to most commercial users trying to move workloads into Elastic and turn down other software).
The APIs that Auditbeat FIM uses to collect this info do not report any user info. You'd have to use the OS's auditing feature to get that data, or use software that has lower-level hooks.
Elastic Endpoint Security does report this info in its file events. IIRC it uses a kernel driver to be able to get this low level filesystem data.
Thanks Andrew. I'm testing on a brand new file server, so auditing may not be enabled. Is that to say that when audit features of the OS are enabled that Elastic/auditbeat would collect/report those?
I will test this through - posting the follow-up question to help others as much as myself, as the topic is not thoroughly covered anywhere I have found (yet)!
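One way to get the actor from the OS audit trail that Andrew points at, as an added example that is not part of the thread: enable the "File System" audit subcategory, put a SACL on the monitored tree, and read the resulting 4663 events, which carry the account, object path and access mask. The path `D:\Shares\Finance` and the function name `Get-FileChangeActors` are placeholders; run elevated.

```powershell
# Added example (not from the thread): make Windows record who modified files
# under a monitored tree, so the actor missing from the Auditbeat FIM events
# can be read from the Security log instead. Run elevated.

$MonitoredPath = 'D:\Shares\Finance'   # placeholder path, adjust to the share root

# 1. Turn on the "File System" object-access subcategory (success + failure).
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Put a SACL on the tree: audit write/delete by Everyone, inherited to children.
$acl     = Get-Acl -Path $MonitoredPath -Audit
$rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $MonitoredPath -AclObject $acl

# 3. Read back who touched what: event 4663 (an object access attempt) carries
#    the subject account, the object path, the process and the access mask.
function Get-FileChangeActors {
    param([string]$Path, [datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData <Data Name="..."> elements into a hashtable.
            $d = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            if ($d.ObjectName -like "$Path*") {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                    Object  = $d.ObjectName
                    Access  = $d.AccessMask   # e.g. 0x2 = WriteData, 0x10000 = DELETE
                    Process = $d.ProcessName
                }
            }
        }
}

Get-FileChangeActors -Path $MonitoredPath | Format-Table -AutoSize
```

Ship the Security log (event ID 4663) with Winlogbeat so these events land beside the Auditbeat file events in Kibana, then correlate the two on the file path and timestamp.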