Hi, I'm running Auditbeat 6.4.2 and monitoring a directory.
I can see when someone is navigating through a directory tree, so for file.path I get
Apart from this last one, all the previous ones are directories. This last one was a file I copied.
auditd.summary.object.type has them all set to path, and even the event.action is set to open-file.
I'm guessing this might be a limitation, but it would be unbelievably useful to me to filter out directories at the Logstash/Elasticsearch end.
Can this be done?
Please let me know if you need any more info. Thanks, N