Hi,
Could you help me solve an issue I faced: when turning on the recursive mode (set to true), auditbeat does not report any event.
After further investigation I realised the issue is related to auditbeat permissions, even when executed as a service (or from PowerShell) with admin privileges.
Version: auditbeat 6.2.3
OS: win10 32bit
Here is the config:
auditbeat.modules:
- module: file_integrity
  paths:
    - C:/windows
    - C:/windows/system32
    - C:/Program Files
    - C:/Users
  recursive: true
  hash_types: [sha256]
PS C:\Program Files\auditbeat> .\auditbeat.exe -e -d "*"
2018-04-12T12:09:12.430+0100 INFO instance/beat.go:468 Home path: [C:\Program Files\auditbeat] Config path: [C:\Program Files\auditbeat] Data path: [C:\Program Files\auditbeat\data] Logs path: [C:\Program Files\auditbeat\logs]
2018-04-12T12:09:12.433+0100 DEBUG [beat] instance/beat.go:495 Beat metadata path: C:\Program Files\auditbeat\data\meta.json
2018-04-12T12:09:12.434+0100 INFO instance/beat.go:475 Beat UUID: 1fc5b087-4325-4fd2-af4f-03225bf4923d
2018-04-12T12:09:12.434+0100 INFO instance/beat.go:213 Setup Beat: auditbeat; Version: 6.2.3
2018-04-12T12:09:12.435+0100 DEBUG [beat] instance/beat.go:230 Initializing output plugins
2018-04-12T12:09:12.436+0100 DEBUG [processors] processors/processor.go:49 Processors:
2018-04-12T12:09:12.436+0100 INFO pipeline/module.go:76 Beat name: DESKTOP-LI0T05G
2018-04-12T12:09:12.437+0100 DEBUG [modules] beater/metricbeat.go:80 Register [ModuleFactory:[], MetricSetFactory:[auditd/auditd, file_integrity/file]]
2018-04-12T12:09:12.437+0100 DEBUG [processors] processors/processor.go:49 Processors:
2018-04-12T12:09:12.438+0100 DEBUG [file_integrity] file_integrity/metricset.go:86 Initialized the file event reader. Running as euid=-1
2018-04-12T12:09:12.439+0100 INFO instance/beat.go:301 auditbeat start running.
2018-04-12T12:09:12.439+0100 DEBUG [module] module/wrapper.go:100 Starting Wrapper[name=file_integrity, len(metricSetWrappers)=1]
2018-04-12T12:09:12.441+0100 INFO [monitoring] log/log.go:97 Starting metrics logging every 30s
2018-04-12T12:09:12.441+0100 DEBUG [service] service/service_windows.go:51 Windows is interactive: true
2018-04-12T12:09:12.443+0100 DEBUG [module] module/wrapper.go:146 file_integrity/file will start after 8.878325314s
2018-04-12T12:09:21.327+0100 DEBUG [module] module/wrapper.go:154 Starting metricSetWrapper[module=file_integrity, name=file, host=]
2018-04-12T12:09:25.986+0100 WARN [file_integrity] file_integrity/eventreader_fsnotify.go:46 Failed to add watch {"file_path": "C:\\Program Files", "error": "34 errors: recursion into dir 'C:\\Program Files\\WindowsApps\\Deleted\\Microsoft.Office.OneNote_17.9126.20561.0_neutral_fr-fr_8wekyb3d8bbwe4b3f31a9-6463-4122-b0ed-4bd52b8a85ac\\AppxMetadata' failed: GetFileAttributes: Access is denied. \\Microsoft.Office.OneNote_17.9126.20561.0_neutral_fr-fr_8wekyb3d8bbwe4b3f31a9-6463-4122-b0ed-4bd52b8a85ac\\fr-fr\\styles' failed: GetFileAttributes: Access is denied.; recursion into dir 'C:\\Program Files\\WindowsApps\\Deleted\\Microsoft.Office.OneNote_17.9126.20561.0_neutral_fr-fr_8wekyb3d8bbwe4b3f31a9-6463-4122-b0ed-4bd52b8a85ac\\microsoft.system.package.metadata' failed: GetFileAttributes: Access is denied.; recursion into dir 'C:\\Program Files\\WindowsApps\\Deleted\\Microsoft.Office.OneNote_17.9126.20561.0_x86__8wekyb3d8bbwe30f3915b-2eef-4078-b309-2f984847ecdc\\AppxMetadata' failed: GetFileAttributes: Access is denied.; recursion into dir 'C:\\Program Files\\WindowsApps\\Deleted\\Microsoft.Office.OneNote_17.9126.20561.0_x86__8wekyb3d8bbwe30f3915b-2eef-4078-b309-2f984847ecdc\\Microsoft.UI.Xaml\\Assets' failed: GetFileAttributes: Access is denied.; recursion into dir 'C:\\Program Files\\WindowsApps\\Deleted\\Microsoft.Office.OneNote_17.9126.20561.0_x86__8wekyb3d8bbwe30f3915b-2eef-4078-b309-2f984847ecdc\\animations' failed: GetFileAttributes: Access is denied.; recursion into dir 'C:\\Program Files\\WindowsApps\\Deleted\\Microsoft.Office.OneNote_17.9126.20561.0_x86__8wekyb3d8bbwe30f3915b-2eef-4078-b309-2f984847ecdc\\en-gb\\jsaddins' failed: GetFileAttributes: Access is denied.; recursion into dir 'C:\\Program Files\\WindowsApps\\Deleted\\Microsoft.Office.OneNote_17.9126.20561.0_x86__8wekyb3d8bbwe30f3915b-2eef-4078-b309-2f984847ecdc\\en-gb\\locimages' failed: GetFileAttributes: Access is denied.; recursion into dir 'C:\\Program Files\\WindowsApps\\Deleted\\Microsoft.Office.OneNote_17.9126.20561.0_x86__8wekyb3d8bbwe30f3915b-2eef-4078-b309-2f984847ecdc\\en-us\\jsaddins' failed: GetFileAttributes: Access is denied.; recursion into dir 'C:\\Program Files\\WindowsApps\\Deleted\\Microsoft.Office.OneNote_17.9126.20561.0_x86__8wekyb3d8bbwe30f3915b-2eef-4078-b309-2f984847ecdc\\en-us\\jscripts' failed: GetFileAttributes: Access is denied.; recursion into dir 'C:\\Program Files\\WindowsApps\\Deleted\\Microsoft.Office.OneNote_17.9126.20561.0_x86__8wekyb3d8bbwe30f3915b-2eef-4078-b309-2f984847ecdc\\en-us\\pages' failed: GetFileAttributes: Access is denied.; recursion into dir 'C:\\Program Files\\WindowsApps\\Deleted\\Microsoft.Office.OneNote_17.9126.20561.0_x86__8wekyb3d8bbwe30f3915b-2eef-4078-b309-2f984847ecdc\\en-us\\styles' failed: GetFileAttributes: Access is denied.; recursion into dir 'C:\\Program Files\\WindowsApps\\Deleted\\Microsoft.Office.OneNote_17.9126.20561.0_x86__8wekyb3d8bbwe30f3915b-2eef-4078-b309-2f984847ecdc\\font' failed: GetFileAttributes: Access is denied.; recursion into dir 'C:\\Program Files\\WindowsApps\\Deleted\\Microsoft.Office.OneNote_17.9126.20561.0_x86__8wekyb3d8bbwe30f3915b-2eef-4078-b309-2f984847ecdc\\fonts' failed: GetFileAttributes: Access is denied.; recursion into dir 'C:\\Program Files\\WindowsApps\\Deleted\\Microsoft.Office.OneNote_2015.9126.20561.0_neutral_~_8wekyb3d8bbwebfa40729-b4ed-482e-9dfd-b9d49db5c358\\AppxMetadata' failed: GetFileAttributes: Access is denied.; recursion into dir 'C:\\Program Files\\WindowsApps\\Deleted\\Microsoft.Office.OneNote_2015.9126.20561.0_neutral_~_8wekyb3d8bbwebfa40729-b4ed-482e-9dfd-b9d49db5c358\\microsoft.system.package.metadata' failed: GetFileAttributes: Access is denied."}
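The warning above shows what breaks the recursive watch: while walking C:\Program Files, auditbeat hits subdirectories under C:\Program Files\WindowsApps that even an elevated Administrator cannot read (that tree is ACL'd to TrustedInstaller), collects 34 errors, and gives up on the whole root. The following PowerShell script is an added example, not part of the original post and not auditbeat's own code; it walks the same four roots as the posted config, lists every subdirectory the current account is denied access to, and prints them grouped by top-level directory so the operator can narrow `paths` or build `exclude_files` patterns. It assumes it is run from an elevated PowerShell prompt as the poster did, and it is an assumption that the auditbeat version in use honours `exclude_files` while recursing rather than only when filtering the resulting events.

```powershell
# Added example, not from the original post or from auditbeat itself.
# Finds the directories under the configured file_integrity roots that the
# current account cannot read; these are what produce the
# "GetFileAttributes: Access is denied" recursion errors in the warning above.
# Assumption: run from an elevated PowerShell prompt, like the posted session.

$Roots = @('C:\Windows', 'C:\Windows\System32', 'C:\Program Files', 'C:\Users')

function Get-UnreadableDirectory {
    param([Parameter(Mandatory)][string[]]$Path)

    $denied = New-Object System.Collections.Generic.List[string]
    foreach ($root in $Path) {
        # -ErrorVariable collects every access failure without aborting the walk;
        # -Force is needed so hidden and system directories are visited too.
        $walkErrors = @()
        Get-ChildItem -LiteralPath $root -Directory -Recurse -Force `
            -ErrorAction SilentlyContinue -ErrorVariable walkErrors | Out-Null
        foreach ($err in $walkErrors) {
            # Only keep ACL denials; other errors (e.g. path too long) are a
            # different problem and are left out of this report.
            if ($err.Exception -is [System.UnauthorizedAccessException]) {
                $denied.Add([string]$err.TargetObject)
            }
        }
    }
    return $denied | Sort-Object -Unique
}

# Reduce a full path to its first three components (drive, top dir, sub dir),
# e.g. C:\Program Files\WindowsApps\Deleted\... -> C:\Program Files\WindowsApps
function Get-TopLevelPrefix {
    param([Parameter(Mandatory)][string]$FullPath)
    return (($FullPath -split '\\')[0..2] -join '\')
}

$unreadable = Get-UnreadableDirectory -Path $Roots

# Summary: how many denied directories sit under each top-level prefix.
$unreadable |
    Group-Object { Get-TopLevelPrefix -FullPath $_ } |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Candidate exclude_files entries (anchored regular expressions) for the
# file_integrity module. Assumption: the running auditbeat version applies
# exclude_files during recursion; verify with "auditbeat.exe -e -d \"*\"" as above.
Write-Host 'exclude_files:'
$unreadable |
    ForEach-Object { Get-TopLevelPrefix -FullPath $_ } |
    Sort-Object -Unique |
    ForEach-Object { "  - '^" + [regex]::Escape($_) + "'" }
```

Running this against C:\Windows and C:\Users with `-Recurse -Force` takes a few minutes on a typical workstation; the result is a short list of prefixes such as the WindowsApps tree that can be excluded or dropped from `paths`, after which the recursive watch on the remaining tree can be re-tested with the same `-e -d "*"` command shown in the post.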