Auditbeat identifying directories as files

Hi, I'm running Auditbeat 6.4.2 and monitoring a directory.

I can see when someone is navigating through a directory tree, so for file.path I get:

/PTC/mq/code
/PTC/mq/code/4Q2018
/PTC/mq/code/4Q2018/scan
/PTC/mq/code/4Q2018/scan/src
/PTC/mq/code/4Q2018/scan/src/api-server-master
/PTC/mq/code/4Q2018/scan/src/api-server-master/Dockerfile

Apart from this last one, all the previous ones are directories. This last one was a file I copied.

auditd.summary.object.type has them all set to path

and even the event.action is set to open-file.

I'm guessing this might be a limitation, but it would be unbelievably useful to me to filter out directories at the Logstash/Elasticsearch end.

Can this be done?

Please let me know if you need any more info. Thanks, N
