Let's say I want to monitor the `/watch_me.txt` file with the auditbeat `file_integrity` module. The following configuration does work and sends events on modifications of this file:

```yaml
- module: file_integrity
  enabled: true
  paths:
    - /watch_me.txt
  recursive: false
```

Now I want to also monitor all the files in the `/etc/` directory and its subfolders recursively. So I add the path `/etc` to the `paths` list and I enable the `recursive` option:

```yaml
- module: file_integrity
  enabled: true
  paths:
    - /etc
    - /watch_me.txt
  recursive: true
```

Problem: auditbeat doesn't send events on modifications of the `/watch_me.txt` file anymore with this last configuration. After some tests, I realized that when you specify individual files (and not directories) in the `paths` list, these files won't be monitored if the `recursive` option is set to true. Only directories and their content are monitored when `recursive` is true.

Is this expected behaviour? How can I watch both individual files and entire directories?

PS: I use the `auditbeat:7.8.1` docker image from https://www.docker.elastic.co/r/beats
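As an added example (not part of the original post, and not auditbeat's own code), the following Python check lints a parsed `auditbeat.modules` list for exactly the pitfall the post describes: plain-file entries in `paths` combined with `recursive: true`, which the poster observed to stop producing events. The sample module list is constructed inline to mirror the second configuration above; the `is_dir` parameter is an assumption of this example (injectable so the check can run against a config file without access to the target host's filesystem), and the rule it encodes is the behaviour reported in the post, not an official auditbeat statement.

```python
"""Flag auditbeat file_integrity `paths` entries that would go unmonitored.

Rule (taken from the behaviour described in the post): when a file_integrity
module has `recursive: true`, only directory entries in `paths` are watched,
so any entry that is a plain file is silently dropped from monitoring.
"""
import os
import tempfile
from typing import Callable, Dict, List

# Constructed sample: the poster's second configuration as auditbeat would parse it
# (the `auditbeat.modules:` list after YAML loading).
SAMPLE_MODULES: List[Dict] = [
    {
        "module": "file_integrity",
        "enabled": True,
        "paths": ["/etc", "/watch_me.txt"],
        "recursive": True,
    }
]


def unmonitored_file_paths(modules: List[Dict],
                           is_dir: Callable[[str], bool] = os.path.isdir) -> List[str]:
    """Return `paths` entries of enabled file_integrity modules that are plain
    files while `recursive` is true. `is_dir` decides directory-ness; pass a
    predicate to lint a config for a host whose filesystem is not local."""
    flagged: List[str] = []
    for mod in modules:
        if mod.get("module") != "file_integrity" or not mod.get("enabled", True):
            continue  # other modules, or disabled ones, are not affected
        if not mod.get("recursive", False):
            continue  # recursive: false watches files and directories alike
        for path in mod.get("paths", []):
            if not is_dir(path):
                flagged.append(path)
    return flagged


def partition_paths(mod: Dict,
                    is_dir: Callable[[str], bool] = os.path.isdir) -> Dict[str, List[str]]:
    """Split one module's `paths` into directories and files so a reviewer can
    see at a glance which entries survive `recursive: true`."""
    dirs = [p for p in mod.get("paths", []) if is_dir(p)]
    files = [p for p in mod.get("paths", []) if not is_dir(p)]
    return {"directories": dirs, "files": files}


if __name__ == "__main__":
    # Stand-alone demo on a scratch tree instead of the real /etc: one directory
    # and one file, wired into a copy of the sample configuration.
    with tempfile.TemporaryDirectory() as root:
        conf_dir = os.path.join(root, "etc")
        os.mkdir(conf_dir)
        watched_file = os.path.join(root, "watch_me.txt")
        with open(watched_file, "w") as fh:
            fh.write("constructed content\n")
        demo = [dict(SAMPLE_MODULES[0], paths=[conf_dir, watched_file])]
        for entry in unmonitored_file_paths(demo):
            print(f"WARNING: {entry} is a file and recursive is true; "
                  f"it will not be monitored")
        print(partition_paths(demo[0]))
```

Run it against the module list you get from loading `auditbeat.yml` (for example with PyYAML's `yaml.safe_load`) and any path printed as a warning is one you should expect to receive no events for under the configuration as written.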