Auditbeat // File intergrity // Windows / GetFileAttributes: Access is denied

0xFFFFFF · April 12, 2018, 11:33am

Hi,
Could you help me to solve an issue I faced, when turning on the recursive mode (to true), the auditbeat does not report any event.

after further investigation i released the the issue is related to the auditbeat permmision, even is executed as service( or from powershell) with admin priv

Version: auditbeat 6.2.3
OS: win10 32bit

Here the config:
auditbeat.modules:

- module: file_integrity
  paths:
  - C:/windows
  - C:/windows/system32
  - C:/Program Files
  - C:/Users
  recursive: true
  hash_types: [sha256]

PS C:\Program Files\auditbeat> .\auditbeat.exe -e -d "*"
2018-04-12T12:09:12.430+0100    INFO    instance/beat.go:468    Home path: [C:\Program Files\auditbeat] Config path: [C:\Program Files\auditbeat] Data path: [C:\Program Files\auditbeat\data] Logs path: [C:\Program Files\auditbeat\logs]
2018-04-12T12:09:12.433+0100    DEBUG   [beat]  instance/beat.go:495    Beat metadata path: C:\Program Files\auditbeat\data\meta.json
2018-04-12T12:09:12.434+0100    INFO    instance/beat.go:475    Beat UUID: 1fc5b087-4325-4fd2-af4f-03225bf4923d
2018-04-12T12:09:12.434+0100    INFO    instance/beat.go:213    Setup Beat: auditbeat; Version: 6.2.3
2018-04-12T12:09:12.435+0100    DEBUG   [beat]  instance/beat.go:230    Initializing output plugins
2018-04-12T12:09:12.436+0100    DEBUG   [processors]    processors/processor.go:49      Processors:
2018-04-12T12:09:12.436+0100    INFO    pipeline/module.go:76   Beat name: DESKTOP-LI0T05G
2018-04-12T12:09:12.437+0100    DEBUG   [modules]       beater/metricbeat.go:80 Register [ModuleFactory:[], MetricSetFactory:[auditd/auditd, file_integrity/file]]
2018-04-12T12:09:12.437+0100    DEBUG   [processors]    processors/processor.go:49      Processors:
2018-04-12T12:09:12.438+0100    DEBUG   [file_integrity]        file_integrity/metricset.go:86  Initialized the file event reader. Running as euid=-1
2018-04-12T12:09:12.439+0100    INFO    instance/beat.go:301    auditbeat start running.
2018-04-12T12:09:12.439+0100    DEBUG   [module]        module/wrapper.go:100   Starting Wrapper[name=file_integrity, len(metricSetWrappers)=1]
2018-04-12T12:09:12.441+0100    INFO    [monitoring]    log/log.go:97   Starting metrics logging every 30s
2018-04-12T12:09:12.441+0100    DEBUG   [service]       service/service_windows.go:51   Windows is interactive: true
2018-04-12T12:09:12.443+0100    DEBUG   [module]        module/wrapper.go:146   file_integrity/file will start after 8.878325314s
2018-04-12T12:09:21.327+0100    DEBUG   [module]        module/wrapper.go:154   Starting metricSetWrapper[module=file_integrity, name=file, host=]
2018-04-12T12:09:25.986+0100    WARN    [file_integrity]        file_integrity/eventreader_fsnotify.go:46       Failed to add watch     {"file_path": "C:\\Program Files", "error": "34 errors: recursion into dir 'C:\\Program Files\\WindowsApps\\Deleted\\Microsoft.Office.OneNote_17.9126.20561.0_neutral_fr-fr_8wekyb3d8bbwe4b3f31a9-6463-4122-b0ed-4bd52b8a85ac\\AppxMetadata' failed: GetFileAttributes: Access is denied. \\Microsoft.Office.OneNote_17.9126.20561.0_neutral_fr-fr_8wekyb3d8bbwe4b3f31a9-6463-4122-b0ed-4bd52b8a85ac\\fr-fr\\styles' failed: GetFileAttributes: Access is denied.; recursion into dir 'C:\\Program Files\\WindowsApps\\Deleted\\Microsoft.Office.OneNote_17.9126.20561.0_neutral_fr-fr_8wekyb3d8bbwe4b3f31a9-6463-4122-b0ed-4bd52b8a85ac\\microsoft.system.package.metadata' failed: GetFileAttributes: Access is denied.; recursion into dir 'C:\\Program Files\\WindowsApps\\Deleted\\Microsoft.Office.OneNote_17.9126.20561.0_x86__8wekyb3d8bbwe30f3915b-2eef-4078-b309-2f984847ecdc\\AppxMetadata' failed: GetFileAttributes: Access is denied.; recursion into dir 'C:\\Program Files\\WindowsApps\\Deleted\\Microsoft.Office.OneNote_17.9126.20561.0_x86__8wekyb3d8bbwe30f3915b-2eef-4078-b309-2f984847ecdc\\Microsoft.UI.Xaml\\Assets' failed: GetFileAttributes: Access is denied.; recursion into dir 'C:\\Program Files\\WindowsApps\\Deleted\\Microsoft.Office.OneNote_17.9126.20561.0_x86__8wekyb3d8bbwe30f3915b-2eef-4078-b309-2f984847ecdc\\animations' failed: GetFileAttributes: Access is denied.; recursion into dir 'C:\\Program Files\\WindowsApps\\Deleted\\Microsoft.Office.OneNote_17.9126.20561.0_x86__8wekyb3d8bbwe30f3915b-2eef-4078-b309-2f984847ecdc\\en-gb\\jsaddins' failed: GetFileAttributes: Access is denied.; recursion into dir 'C:\\Program Files\\WindowsApps\\Deleted\\Microsoft.Office.OneNote_17.9126.20561.0_x86__8wekyb3d8bbwe30f3915b-2eef-4078-b309-2f984847ecdc\\en-gb\\locimages' failed: GetFileAttributes: Access is denied.; recursion into dir 'C:\\Program Files\\WindowsApps\\Deleted\\Microsoft.Office.OneNote_17.9126.20561.0_x86__8wekyb3d8bbwe30f3915b-2eef-4078-b309-2f984847ecdc\\en-us\\jsaddins' failed: GetFileAttributes: Access is denied.; recursion into dir 'C:\\Program Files\\WindowsApps\\Deleted\\Microsoft.Office.OneNote_17.9126.20561.0_x86__8wekyb3d8bbwe30f3915b-2eef-4078-b309-2f984847ecdc\\en-us\\jscripts' failed: GetFileAttributes: Access is denied.; recursion into dir 'C:\\Program Files\\WindowsApps\\Deleted\\Microsoft.Office.OneNote_17.9126.20561.0_x86__8wekyb3d8bbwe30f3915b-2eef-4078-b309-2f984847ecdc\\en-us\\pages' failed: GetFileAttributes: Access is denied.; recursion into dir 'C:\\Program Files\\WindowsApps\\Deleted\\Microsoft.Office.OneNote_17.9126.20561.0_x86__8wekyb3d8bbwe30f3915b-2eef-4078-b309-2f984847ecdc\\en-us\\styles' failed: GetFileAttributes: Access is denied.; recursion into dir 'C:\\Program Files\\WindowsApps\\Deleted\\Microsoft.Office.OneNote_17.9126.20561.0_x86__8wekyb3d8bbwe30f3915b-2eef-4078-b309-2f984847ecdc\\font' failed: GetFileAttributes: Access is denied.; recursion into dir 'C:\\Program Files\\WindowsApps\\Deleted\\Microsoft.Office.OneNote_17.9126.20561.0_x86__8wekyb3d8bbwe30f3915b-2eef-4078-b309-2f984847ecdc\\fonts' failed: GetFileAttributes: Access is denied.; recursion into dir 'C:\\Program Files\\WindowsApps\\Deleted\\Microsoft.Office.OneNote_2015.9126.20561.0_neutral_~_8wekyb3d8bbwebfa40729-b4ed-482e-9dfd-b9d49db5c358\\AppxMetadata' failed: GetFileAttributes: Access is denied.; recursion into dir 'C:\\Program Files\\WindowsApps\\Deleted\\Microsoft.Office.OneNote_2015.9126.20561.0_neutral_~_8wekyb3d8bbwebfa40729-b4ed-482e-9dfd-b9d49db5c358\\microsoft.system.package.metadata' failed: GetFileAttributes: Access is denied."}

adrisr · April 12, 2018, 12:24pm

Hi,

After the issue you opened yesterday I identified a problem with the recursive functionality under Windows. I have a fix but haven't submitted it yet. Do you mind if I send you an auditbeat.exe so you can test if the issue is gone?

0xFFFFFF · April 12, 2018, 12:41pm

Hi Adrisr,

Thank you for your support,

no problem, send it

Regards.

adrisr · April 12, 2018, 12:48pm

Here you have

https://drive.google.com/open?id=1dhxG4yzILiLctlmsFWFgZxRio6j_artl

0xFFFFFF · April 12, 2018, 1:17pm

tested , it's works!

adrisr · April 12, 2018, 1:49pm

Cool, thanks for testing. I will submit the patch and hopefully it will be available in 6.3

Topic		Replies	Views
Windows FIM Module - how to use custom path without recursive Beats auditbeat	1	271	December 29, 2023
Problem with filestream access denied on windows Beats filebeat	1	370	November 17, 2022
Recursive file paths Beats auditbeat	2	1199	November 4, 2022
Error monitoring Windows folders recursively Beats auditbeat	2	546	May 5, 2020
Auditbeat vs Winlogbeat Beats auditbeat	3	2247	August 1, 2019

Auditbeat // File intergrity // Windows / GetFileAttributes: Access is denied

Related topics