Let's say I want to monitor the /watch_me.txt file with auditbeat file_integrity module. The following configuration do work and send events on modifications of this file :
- module: file_integrity
enabled: true
paths:
- /watch_me.txt
recursive: false
Now I want to also monitor all the files in all the /etc/ directory and its subfolders recursively. So I add the path to /etc to the paths list and I enable the recursive option :
- module: file_integrity
enabled: true
paths:
- /etc
- /watch_me.txt
recursive: true
Problem : auditbeat doesn't send events on modifications of the /watch_me.txt file anymore with this last configuration. After some tests, I realized that when you specify individual files (and not directories) in the paths list, then these files won't be monitored if the recursive option is set to true. Only directories and their content are monitored when recursive is true.
Is this expected behaviour ? How can I watch both individual files and entire directories ?
Thank you,
Mathieu
PS: I use the auditbeat:7.8.1 docker image from https://www.docker.elastic.co/r/beats