The monitoring of files/folders with a space in the path was not possible using Auditbeat (version 7.13):
The following rules all resulted in errors:
-w /tmp/folder with space -p r -k test1
-w "/tmp/folder with space" -p r -k test2
-w '/tmp/folder with space' -p r -k test3
-w /tmp/folder\ with\ space -p r -k test4
-w "/tmp/folder\ with\ space" -p r -k test5
-w '/tmp/folder\ with\ space' -p r -k test6
If an auditd key containing whitespace is used, everything after the whitespace is ignored. For example, if the following rule:
-w /tmp/test -p r -k "test matched"
is triggered, the log only contains
"test as auditd key.
Not sure if we missed an obvious way to escape spaces in a path. Even though paths with spaces are rather unusual for Linux, it should be possible.
Note that the Linux audit system (auditd) solves this issue by converting ASCII strings to their hexadecimal representation if they contain special characters (e.g. whitespace).
Any help will be appreciated.
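The hexadecimal convention mentioned above, shown as an added example that is not part of the original post and is not Auditbeat code: a value is logged in double quotes when every byte is printable and free of spaces and quotes, and as unquoted uppercase hex otherwise. The function names and both sample records are constructed for illustration, and the byte ranges follow the Linux kernel's audit string logging.

```python
import re

def needs_hex(raw: bytes) -> bool:
    # A double quote, or any byte outside 0x21..0x7e (space, control, non-ASCII),
    # forces the hex form.
    return any(b == 0x22 or b < 0x21 or b > 0x7E for b in raw)

def encode_field(value: str) -> str:
    """Render a string the way it appears in an audit record."""
    raw = value.encode("utf-8")
    return raw.hex().upper() if needs_hex(raw) else '"' + value + '"'

def decode_field(token: str) -> str:
    """Recover the original string from a quoted or hex-encoded token."""
    if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
        return token[1:-1]
    if len(token) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", token):
        return bytes.fromhex(token).decode("utf-8", errors="replace")
    return token  # unquoted non-hex values such as (null) are left as they are

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TEXT_FIELDS = ("name", "key", "cwd", "exe", "comm")  # fields that carry strings

def parse_record(line: str) -> dict:
    """Split an audit record into fields and decode the string-valued ones."""
    fields = dict(FIELD_RE.findall(line))
    for name in TEXT_FIELDS:
        if name in fields:
            fields[name] = decode_field(fields[name])
    return fields

# Constructed sample records (not captured from a real system).
SAMPLE_PATH = ('type=PATH msg=audit(1620000000.000:101): item=0 '
               'name=2F746D702F666F6C6465722077697468207370616365 '
               'nametype=NORMAL')
SAMPLE_SYSCALL = ('type=SYSCALL msg=audit(1620000000.000:101): '
                  'comm="cat" exe="/usr/bin/cat" '
                  'key=74657374206D617463686564')

if __name__ == "__main__":
    print(parse_record(SAMPLE_PATH)["name"])    # watched path, space intact
    print(parse_record(SAMPLE_SYSCALL)["key"])  # full key, not cut at the space
    print(encode_field("/tmp/test"))            # safe value stays quoted
```

Decoding only the known string fields avoids misreading numeric fields such as `item=0` or `pid=` values as hex.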