Auditbeat fileintegrity module cannot detect file update from vi

According to the Auditbeat documentation, the file integrity module detects changes by using inotify events from the OS. It works correctly for created, deleted, and moved events, sending a message for each event to Elasticsearch, but when the monitored file is modified with the vim editor, the file integrity module catches many events. I debugged how the vim editor causes these events by using inotifywait, and I noticed that vim creates/updates/deletes many temporary files (.swp, .swx, 4913, etc.), so it is reasonable that the file integrity module catches these events. However, I cannot find any message from the file integrity module that notifies about a file updated event. After I turned on debug logging in Auditbeat, I noticed that the file integrity module can detect the write event but does not notify a file updated event. Please see my log snippets. The time 2019-12-14T22:34:52.557+0700 is what I am referring to.
1. Open the file with: # vi test.conf
2019-12-14T22:16:12.266+0700 DEBUG [file_integrity] file_integrity/eventreader_fsnotify.go:136 Received fsnotify event {"file_path": "/root/test/.test.conf.swp", "event_flags": "CREATE"}
2019-12-14T22:16:12.266+0700 DEBUG [file_integrity] file_integrity/eventreader_fsnotify.go:136 Received fsnotify event {"file_path": "/root/test/.test.conf.swx", "event_flags": "REMOVE"}
2019-12-14T22:16:12.266+0700 DEBUG [file_integrity] file_integrity/eventreader_fsnotify.go:136 Received fsnotify event {"file_path": "/root/test/.test.conf.swp", "event_flags": "REMOVE"}
2019-12-14T22:16:12.266+0700 DEBUG [file_integrity] file_integrity/metricset.go:252 File changed since it was last seen {"file_path": "/root/test/.test.conf.swp", "took": 191670, "event": {"old": null, "new": {"timestamp":"2019-12-14T15:16:12.26638284Z","path":"/root/test/.test.conf.swp","info":{"inode":100974252,"uid":0,"gid":0,"sid":"","owner":"root","group":"root","size":4096,"mtime":"2019-12-14T15:16:12.264689909Z","ctime":"2019-12-14T15:16:12.264689909Z","type":"file","mode":420,"setuid":false,"setgid":false,"origin":null},"source":"fsnotify","action":"created","hash":{"sha1":"2fd9f6ff74f92b1802066124df9f146b5dc52610"}}}}
2019-12-14T22:16:12.267+0700 DEBUG [file_integrity] file_integrity/metricset.go:252 File changed since it was last seen {"file_path": "/root/test/.test.conf.swx", "took": 6160, "event": {"old": null, "new": {"timestamp":"2019-12-14T15:16:12.266606262Z","path":"/root/test/.test.conf.swx","info":null,"source":"fsnotify","action":"deleted"}}}
2019-12-14T22:16:12.268+0700 DEBUG [file_integrity] file_integrity/eventreader_fsnotify.go:136 Received fsnotify event {"file_path": "/root/test/.test.conf.swp", "event_flags": "CREATE"}
2019-12-14T22:16:12.269+0700 DEBUG [file_integrity] file_integrity/eventreader_fsnotify.go:136 Received fsnotify event {"file_path": "/root/test/.test.conf.swp", "event_flags": "WRITE"}
2019-12-14T22:16:12.270+0700 DEBUG [file_integrity] file_integrity/eventreader_fsnotify.go:136 Received fsnotify event {"file_path": "/root/test/.test.conf.swp", "event_flags": "CHMOD"}
2019-12-14T22:16:16.269+0700 DEBUG [file_integrity] file_integrity/eventreader_fsnotify.go:136 Received fsnotify event {"file_path": "/root/test/.test.conf.swp", "event_flags": "WRITE"}
2019-12-14T22:16:16.270+0700 DEBUG [file_integrity] file_integrity/metricset.go:252 File changed since it was last seen {"file_path": "/root/test/.test.conf.swp", "took": 297524, "event": {"old": {"timestamp":"2019-12-14T15:16:12.270272121Z","path":"/root/test/.test.conf.swp","info":{"inode":100974252,"uid":0,"gid":0,"sid":"","owner":"","group":"","size":4096,"mtime":"2019-12-14T15:16:12.264689909Z","ctime":"2019-12-14T15:16:12.264689909Z","type":"file","mode":420,"setuid":false,"setgid":false,"origin":null},"source":"fsnotify","action":"attributes_modified","hash":{"sha1":"2fd9f6ff74f92b1802066124df9f146b5dc52610"}}, "new": {"timestamp":"2019-12-14T15:16:16.270041359Z","path":"/root/test/.test.conf.swp","info":{"inode":100974252,"uid":0,"gid":0,"sid":"","owner":"root","group":"root","size":12288,"mtime":"2019-12-14T15:16:16.2686964Z","ctime":"2019-12-14T15:16:16.2686964Z","type":"file","mode":420,"setuid":false,"setgid":false,"origin":null},"source":"fsnotify","action":"updated","hash":{"sha1":"730042f3e0de417f03908dc0307565a75e24e7b7"}}}}
2. Write the file with :w
2019-12-14T22:34:52.551+0700 DEBUG [file_integrity] file_integrity/eventreader_fsnotify.go:136 Received fsnotify event {"file_path": "/root/test/4913", "event_flags": "REMOVE"}
2019-12-14T22:34:52.551+0700 DEBUG [file_integrity] file_integrity/eventreader_fsnotify.go:136 Received fsnotify event {"file_path": "/root/test/test.conf", "event_flags": "RENAME"}
2019-12-14T22:34:52.552+0700 DEBUG [file_integrity] file_integrity/eventreader_fsnotify.go:136 Received fsnotify event {"file_path": "/root/test/test.conf~", "event_flags": "CREATE"}
2019-12-14T22:34:52.552+0700 DEBUG [file_integrity] file_integrity/metricset.go:252 File changed since it was last seen {"file_path": "/root/test/4913", "took": 6230, "event": {"old": null, "new": {"timestamp":"2019-12-14T15:34:52.551963912Z","path":"/root/test/4913","info":null,"source":"fsnotify","action":"deleted"}}}
2019-12-14T22:34:52.553+0700 DEBUG [file_integrity] file_integrity/metricset.go:252 File changed since it was last seen {"file_path": "/root/test/test.conf", "took": 157659, "event": {"old": {"timestamp":"2019-12-14T15:34:28.493429017Z","path":"/root/test/test.conf","info":{"inode":100974249,"uid":0,"gid":0,"sid":"","owner":"","group":"","size":0,"mtime":"2019-12-14T15:03:43.629492538Z","ctime":"2019-12-14T15:03:43.629492538Z","type":"file","mode":420,"setuid":false,"setgid":false,"origin":null},"source":"scan","action":"none","hash":{"sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709"}}, "new": {"timestamp":"2019-12-14T15:34:52.552019167Z","path":"/root/test/test.conf","info":{"inode":100974253,"uid":0,"gid":0,"sid":"","owner":"root","group":"root","size":2,"mtime":"2019-12-14T15:34:52.550520431Z","ctime":"2019-12-14T15:34:52.550520431Z","type":"file","mode":420,"setuid":false,"setgid":false,"origin":null},"source":"fsnotify","action":"moved","hash":{"sha1":"e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e"}}}}
2019-12-14T22:34:52.554+0700 DEBUG [file_integrity] file_integrity/eventreader_fsnotify.go:136 Received fsnotify event {"file_path": "/root/test/test.conf", "event_flags": "CREATE"}
2019-12-14T22:34:52.554+0700 DEBUG [file_integrity] file_integrity/metricset.go:252 File changed since it was last seen {"file_path": "/root/test/test.conf~", "took": 84476, "event": {"old": null, "new": {"timestamp":"2019-12-14T15:34:52.552237997Z","path":"/root/test/test.conf~","info":{"inode":100974249,"uid":0,"gid":0,"sid":"","owner":"root","group":"root","size":0,"mtime":"2019-12-14T15:03:43.629492538Z","ctime":"2019-12-14T15:34:52.550520431Z","type":"file","mode":420,"setuid":false,"setgid":false,"origin":null},"source":"fsnotify","action":"created","hash":{"sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709"}}}}
2019-12-14T22:34:52.555+0700 DEBUG [file_integrity] file_integrity/eventreader_fsnotify.go:136 Received fsnotify event {"file_path": "/root/test/test.conf", "event_flags": "WRITE"}
2019-12-14T22:34:52.555+0700 DEBUG [file_integrity] file_integrity/eventreader_fsnotify.go:136 Received fsnotify event {"file_path": "/root/test/test.conf", "event_flags": "CHMOD"}
2019-12-14T22:34:52.556+0700 DEBUG [file_integrity] file_integrity/eventreader_fsnotify.go:136 Received fsnotify event {"file_path": "/root/test/.test.conf.swp", "event_flags": "WRITE"}
2019-12-14T22:34:52.557+0700 DEBUG [file_integrity] file_integrity/eventreader_fsnotify.go:136 Received fsnotify event {"file_path": "/root/test/test.conf~", "event_flags": "REMOVE"}
2019-12-14T22:34:52.557+0700 DEBUG [file_integrity] file_integrity/metricset.go:252 File changed since it was last seen {"file_path": "/root/test/.test.conf.swp", "took": 131000, "event": {"old": {"timestamp":"2019-12-14T15:34:28.493169456Z","path":"/root/test/.test.conf.swp","info":{"inode":100974252,"uid":0,"gid":0,"sid":"","owner":"","group":"","size":12288,"mtime":"2019-12-14T15:30:47.314117427Z","ctime":"2019-12-14T15:30:47.314117427Z","type":"file","mode":420,"setuid":false,"setgid":false,"origin":null},"source":"scan","action":"none","hash":{"sha1":"da611b007320981c61dbb7f642c79f5ff020da55"}}, "new": {"timestamp":"2019-12-14T15:34:52.556603673Z","path":"/root/test/.test.conf.swp","info":{"inode":100974252,"uid":0,"gid":0,"sid":"","owner":"root","group":"root","size":12288,"mtime":"2019-12-14T15:34:52.552520435Z","ctime":"2019-12-14T15:34:52.552520435Z","type":"file","mode":420,"setuid":false,"setgid":false,"origin":null},"source":"fsnotify","action":"updated","hash":{"sha1":"530808091273a1887bfeeb6dba788a4087ff8f1b"}}}}
2019-12-14T22:34:52.558+0700 DEBUG [file_integrity] file_integrity/metricset.go:252 File changed since it was last seen {"file_path": "/root/test/test.conf~", "took": 7128, "event": {"old": {"timestamp":"2019-12-14T15:34:52.552237997Z","path":"/root/test/test.conf~","info":{"inode":100974249,"uid":0,"gid":0,"sid":"","owner":"","group":"","size":0,"mtime":"2019-12-14T15:03:43.629492538Z","ctime":"2019-12-14T15:34:52.550520431Z","type":"file","mode":420,"setuid":false,"setgid":false,"origin":null},"source":"fsnotify","action":"created","hash":{"sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709"}}, "new": {"timestamp":"2019-12-14T15:34:52.557249178Z","path":"/root/test/test.conf~","info":null,"source":"fsnotify","action":"deleted"}}}
2019-12-14T22:34:56.558+0700 DEBUG [file_integrity] file_integrity/eventreader_fsnotify.go:136 Received fsnotify event {"file_path": "/root/test/.test.conf.swp", "event_flags": "WRITE"}
2019-12-14T22:34:56.558+0700 DEBUG [file_integrity] file_integrity/metricset.go:252 File changed since it was last seen {"file_path": "/root/test/.test.conf.swp", "took": 258151, "event": {"old": {"timestamp":"2019-12-14T15:34:52.556603673Z","path":"/root/test/.test.conf.swp","info":{"inode":100974252,"uid":0,"gid":0,"sid":"","owner":"","group":"","size":12288,"mtime":"2019-12-14T15:34:52.552520435Z","ctime":"2019-12-14T15:34:52.552520435Z","type":"file","mode":420,"setuid":false,"setgid":false,"origin":null},"source":"fsnotify","action":"updated","hash":{"sha1":"530808091273a1887bfeeb6dba788a4087ff8f1b"}}, "new": {"timestamp":"2019-12-14T15:34:56.55847786Z","path":"/root/test/.test.conf.swp","info":{"inode":100974252,"uid":0,"gid":0,"sid":"","owner":"root","group":"root","size":12288,"mtime":"2019-12-14T15:34:56.557527027Z","ctime":"2019-12-14T15:34:56.557527027Z","type":"file","mode":420,"setuid":false,"setgid":false,"origin":null},"source":"fsnotify","action":"updated","hash":{"sha1":"c4eee1d7c73f8f04be5010ae50db5a8a89f1e993"}}}}
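Added example (not Auditbeat code and not part of the post above): re-read the metricset.go:252 debug lines quoted in the post and separate the question "which action label did auditbeat emit" from "did the content hash at this path change". The four log lines are copied verbatim from the post; the regex, the two detection rules and the inode-tracing helper are this example's own assumptions about how to consume the debug output.

```python
"""Parse auditbeat file_integrity debug lines and check whether a vim ':w'
produced a content-change event for the monitored path.

Added example, not auditbeat code.  The SAMPLE_LOG lines are copied from the
post; the parsing and rules below are assumptions of this example only.
"""
import json
import re

# Copied from the post: the metricset.go:252 lines emitted for the ':w' in vim.
SAMPLE_LOG = """\
2019-12-14T22:34:52.553+0700 DEBUG [file_integrity] file_integrity/metricset.go:252 File changed since it was last seen {"file_path": "/root/test/test.conf", "took": 157659, "event": {"old": {"timestamp":"2019-12-14T15:34:28.493429017Z","path":"/root/test/test.conf","info":{"inode":100974249,"uid":0,"gid":0,"sid":"","owner":"","group":"","size":0,"mtime":"2019-12-14T15:03:43.629492538Z","ctime":"2019-12-14T15:03:43.629492538Z","type":"file","mode":420,"setuid":false,"setgid":false,"origin":null},"source":"scan","action":"none","hash":{"sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709"}}, "new": {"timestamp":"2019-12-14T15:34:52.552019167Z","path":"/root/test/test.conf","info":{"inode":100974253,"uid":0,"gid":0,"sid":"","owner":"root","group":"root","size":2,"mtime":"2019-12-14T15:34:52.550520431Z","ctime":"2019-12-14T15:34:52.550520431Z","type":"file","mode":420,"setuid":false,"setgid":false,"origin":null},"source":"fsnotify","action":"moved","hash":{"sha1":"e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e"}}}}
2019-12-14T22:34:52.554+0700 DEBUG [file_integrity] file_integrity/metricset.go:252 File changed since it was last seen {"file_path": "/root/test/test.conf~", "took": 84476, "event": {"old": null, "new": {"timestamp":"2019-12-14T15:34:52.552237997Z","path":"/root/test/test.conf~","info":{"inode":100974249,"uid":0,"gid":0,"sid":"","owner":"root","group":"root","size":0,"mtime":"2019-12-14T15:03:43.629492538Z","ctime":"2019-12-14T15:34:52.550520431Z","type":"file","mode":420,"setuid":false,"setgid":false,"origin":null},"source":"fsnotify","action":"created","hash":{"sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709"}}}}
2019-12-14T22:34:52.557+0700 DEBUG [file_integrity] file_integrity/metricset.go:252 File changed since it was last seen {"file_path": "/root/test/.test.conf.swp", "took": 131000, "event": {"old": {"timestamp":"2019-12-14T15:34:28.493169456Z","path":"/root/test/.test.conf.swp","info":{"inode":100974252,"uid":0,"gid":0,"sid":"","owner":"","group":"","size":12288,"mtime":"2019-12-14T15:30:47.314117427Z","ctime":"2019-12-14T15:30:47.314117427Z","type":"file","mode":420,"setuid":false,"setgid":false,"origin":null},"source":"scan","action":"none","hash":{"sha1":"da611b007320981c61dbb7f642c79f5ff020da55"}}, "new": {"timestamp":"2019-12-14T15:34:52.556603673Z","path":"/root/test/.test.conf.swp","info":{"inode":100974252,"uid":0,"gid":0,"sid":"","owner":"root","group":"root","size":12288,"mtime":"2019-12-14T15:34:52.552520435Z","ctime":"2019-12-14T15:34:52.552520435Z","type":"file","mode":420,"setuid":false,"setgid":false,"origin":null},"source":"fsnotify","action":"updated","hash":{"sha1":"530808091273a1887bfeeb6dba788a4087ff8f1b"}}}}
2019-12-14T22:34:52.558+0700 DEBUG [file_integrity] file_integrity/metricset.go:252 File changed since it was last seen {"file_path": "/root/test/test.conf~", "took": 7128, "event": {"old": {"timestamp":"2019-12-14T15:34:52.552237997Z","path":"/root/test/test.conf~","info":{"inode":100974249,"uid":0,"gid":0,"sid":"","owner":"","group":"","size":0,"mtime":"2019-12-14T15:03:43.629492538Z","ctime":"2019-12-14T15:34:52.550520431Z","type":"file","mode":420,"setuid":false,"setgid":false,"origin":null},"source":"fsnotify","action":"created","hash":{"sha1":"da39a3ee5e6b4b0d3255bfef95601890afd80709"}}, "new": {"timestamp":"2019-12-14T15:34:52.557249178Z","path":"/root/test/test.conf~","info":null,"source":"fsnotify","action":"deleted"}}}
"""

# Only the "File changed since it was last seen" lines carry an old/new pair;
# the eventreader_fsnotify.go lines are raw inotify flags and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DEBUG \[file_integrity\] \S+ "
    r"File changed since it was last seen (?P<json>\{.*\})$"
)


def _inode(e):
    return ((e or {}).get("info") or {}).get("inode")


def _sha1(e):
    return ((e or {}).get("hash") or {}).get("sha1")


def parse_events(text):
    """Flatten each debug line into path, action label, old/new inode and sha1."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = json.loads(m.group("json"))
        old, new = rec["event"]["old"], rec["event"]["new"]
        events.append({
            "time": m.group("ts"),
            "path": rec["file_path"],
            "action": (new or {}).get("action"),
            "old_inode": _inode(old), "new_inode": _inode(new),
            "old_sha1": _sha1(old), "new_sha1": _sha1(new),
        })
    return events


def updated_only(events):
    """Naive rule: alert only when auditbeat labels the event action == "updated"."""
    return [e["path"] for e in events if e["action"] == "updated"]


def content_changes(events):
    """Rule that catches the vim save: the sha1 recorded for a path differs from
    the last one seen, whatever the action label (moved, created or updated)."""
    return [
        (e["path"], e["action"], e["old_sha1"], e["new_sha1"])
        for e in events
        if e["old_sha1"] and e["new_sha1"] and e["old_sha1"] != e["new_sha1"]
    ]


def inode_paths(events, inode):
    """Every path an inode number was seen at, in log order, so the rename of the
    original file to the ~ backup can be followed across events."""
    seen = []
    for e in events:
        for side in ("old", "new"):
            if e[f"{side}_inode"] == inode and e["path"] not in seen:
                seen.append(e["path"])
    return seen


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("updated-only rule fires for:", updated_only(evs))
    for path, action, old, new in content_changes(evs):
        print(f"{path}: action={action} sha1 {old[:8]} -> {new[:8]}")
    print("inode 100974249 seen at:", inode_paths(evs, 100974249))
```

Run against the quoted lines, the "updated" label appears only for the swap file, while /root/test/test.conf shows up under action "moved" with its inode going from 100974249 to 100974253 and its sha1 going from da39a3ee... (the SHA-1 of an empty file) to e5fa44f2.... The old inode reappears as test.conf~ and is then deleted. That is the rename-then-write save strategy vim uses when its backupcopy option resolves to "no" (the default "auto" picks it where it is safe), so a detection rule that keys on action == "updated" alone will miss such saves; keying on a hash change at the monitored path does not. Setting backupcopy=yes in vim makes it overwrite the original inode in place, which an inotify-based monitor then sees as a WRITE on the original file.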
