Auditbeat: monitoring of single files fails with 'recursive: true'

Let's say I want to monitor the /watch_me.txt file with the auditbeat file_integrity module. The following configuration does work and sends events on modifications of this file:

- module: file_integrity
  enabled: true
  paths:
  - /watch_me.txt

  recursive: false

Now I want to also monitor all the files in the whole /etc/ directory and its subfolders recursively. So I add the path to /etc to the paths list and I enable the recursive option:

- module: file_integrity
  enabled: true
  paths:
  - /etc
  - /watch_me.txt

  recursive: true

Problem: auditbeat doesn't send events on modifications of the /watch_me.txt file anymore with this last configuration. After some tests, I realized that when you specify individual files (and not directories) in the paths list, then these files won't be monitored if the recursive option is set to true. Only directories and their content are monitored when recursive is true.

Is this expected behaviour? How can I watch both individual files and entire directories?

Thank you,

Mathieu

PS: I use the auditbeat:7.8.1 docker image from https://www.docker.elastic.co/r/beats
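
An added example, not part of the original post and not Elastic's code: a small audit that lists the `paths` entries which, per the behaviour reported above for auditbeat 7.8.1, would silently lose monitoring because they are single files in a `file_integrity` module with `recursive: true`. It assumes that reported behaviour is accurate and takes the module list as plain dicts, as a YAML loader would return them; the function names and the temporary stand-ins for /etc and /watch_me.txt are hypothetical.

```python
import os
import tempfile


def files_skipped_by_recursive(modules):
    """Return single-file `paths` entries of file_integrity modules that have
    recursive: true. Assumption taken from the report above: such entries
    stop producing events, only directories are watched."""
    skipped = []
    for mod in modules:
        if mod.get("module") != "file_integrity":
            continue
        # A disabled or non-recursive module is not affected by the report.
        if not mod.get("enabled", True) or not mod.get("recursive", False):
            continue
        for path in mod.get("paths", []):
            # Flag entries that exist but are not directories.
            if os.path.exists(path) and not os.path.isdir(path):
                skipped.append(path)
    return skipped


def demo():
    """Run the audit on constructed copies of the post's two configurations."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")            # stand-in for /etc
        os.makedirs(os.path.join(etc, "ssh"))
        single = os.path.join(root, "watch_me.txt")  # stand-in for /watch_me.txt
        with open(single, "w") as fh:
            fh.write("constructed sample\n")

        first = [{"module": "file_integrity", "enabled": True,
                  "paths": [single], "recursive": False}]
        second = [{"module": "file_integrity", "enabled": True,
                   "paths": [etc, single], "recursive": True}]

        flagged = files_skipped_by_recursive(second)
        return (files_skipped_by_recursive(first),
                [os.path.basename(p) for p in flagged])


if __name__ == "__main__":
    print(demo())
```

Running this against the real configuration on the monitored host (for the Docker image, inside the container so the paths resolve the same way) gives the list of files to verify by hand with a test modification.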
