Let's say I want to monitor the /watch_me.txt file with the auditbeat file_integrity module. The following configuration does work and sends events on modifications of this file:
- module: file_integrity
  enabled: true
  paths:
    - /watch_me.txt
  recursive: false
Now I also want to monitor all the files in the /etc directory and its subfolders recursively. So I add the path /etc to the paths list and enable the recursive option:
- module: file_integrity
  enabled: true
  paths:
    - /etc
    - /watch_me.txt
  recursive: true
Problem: with this last configuration, auditbeat doesn't send events on modifications of the /watch_me.txt file anymore. After some tests, I realized that when you specify individual files (and not directories) in the paths list, these files won't be monitored if the recursive option is set to true. Only directories and their content are monitored when recursive is true.
Is this expected behaviour? How can I watch both individual files and entire directories?
Thank you,
Mathieu
PS: I use the auditbeat:7.8.1 docker image from https://www.docker.elastic.co/r/beats
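A small pre-flight check for a file_integrity configuration, added here as an example and not part of the original post or of auditbeat itself. It takes module blocks in the shape auditbeat would have after parsing the YAML above, stats every entry in paths, and flags the combination the poster observed on 7.8.1 (a regular file listed while recursive is true), plus paths that do not exist at all, since no watch can be set on those either. The "files are skipped when recursive is true" rule is taken from the observation in the question, not from auditbeat documentation, and the demo builds its own temporary tree so it runs offline; the path names inside it are constructed.

```python
import os
import tempfile
from pathlib import Path

# Assumption (from the question above, observed on auditbeat 7.8.1, not
# documented behaviour): with `recursive: true`, entries in `paths` that
# are regular files no longer produce events; directories still do.


def classify_paths(paths, recursive):
    """Describe what one file_integrity module block would actually watch.

    Returns a dict with:
      watched_dirs  - existing directories (watched with either setting)
      watched_files - regular files, only when recursive is False
      skipped_files - regular files listed while recursive is True
      missing       - paths that do not exist at check time
    """
    result = {"watched_dirs": [], "watched_files": [],
              "skipped_files": [], "missing": []}
    for p in paths:
        path = Path(p)
        if not path.exists():
            result["missing"].append(p)
        elif path.is_dir():
            result["watched_dirs"].append(p)
        elif recursive:
            result["skipped_files"].append(p)
        else:
            result["watched_files"].append(p)
    return result


def lint_modules(modules):
    """Lint a list of parsed module blocks; return human-readable warnings."""
    warnings = []
    for i, m in enumerate(modules):
        if m.get("module") != "file_integrity" or not m.get("enabled", True):
            continue
        c = classify_paths(m.get("paths", []), bool(m.get("recursive", False)))
        for f in c["skipped_files"]:
            warnings.append(
                f"module[{i}]: {f} is a regular file listed with recursive: true; "
                f"verify that modifications still produce events")
        for f in c["missing"]:
            warnings.append(f"module[{i}]: {f} does not exist; no watch can be set")
    return warnings


def demo():
    """Reproduce the two configurations from the post on a constructed tree."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")            # stands in for /etc
        os.makedirs(os.path.join(etc, "sub"))
        Path(etc, "sub", "hosts").write_text("127.0.0.1 localhost\n")
        watch_me = os.path.join(root, "watch_me.txt")  # stands in for /watch_me.txt
        Path(watch_me).write_text("hello\n")

        modules = [
            # first configuration: single file, non-recursive -> no warning
            {"module": "file_integrity", "enabled": True,
             "paths": [watch_me], "recursive": False},
            # second configuration: directory + file, recursive -> one warning
            {"module": "file_integrity", "enabled": True,
             "paths": [etc, watch_me], "recursive": True},
        ]
        return lint_modules(modules)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it against the real parsed configuration before deploying a change to paths or recursive; an empty list means nothing in the block matches the condition described above, while a warning tells you exactly which entry to test by touching the file and checking that an event arrives.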