We're looking to track all file access on a shared volume, and are running the following config:
- module: auditd
-w /share/path_a -p rwa
-w /share/path_b -p rwa
-w /share/path_c -p rwa
This seems to work fine, except that some events have hex-encoded values for file.path instead of plain text. I can't understand where this hex-encoded value is coming from, but it's making the results quite unusable. These are unique events, and if I filter these out in Kibana with NOT file.path:\[0-9A-F]*\ then I miss file system events that have occurred.
Any help please?
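Where the hex comes from, and how to make such events usable instead of filtering them out, as an added example that is not part of the post: auditd writes a plain name= value in double quotes, but when the name contains a space, a double quote, a control character or a non-ASCII byte it hex-encodes the whole value and writes it unquoted (uppercase hex). The script below decodes both forms from raw PATH records; the record lines, PLAIN, SPACED and the function names are constructed for this example.

```python
import re
from typing import Optional

# Constructed sample PATH records (not from the post). The second name
# contains a space, which is exactly the case that makes auditd hex-encode it.
PLAIN = "/share/path_a/report.txt"
SPACED = "/share/path_b/Quarterly Report.xlsx"
SAMPLE_RECORDS = [
    f'type=PATH msg=audit(1700000000.123:4567): item=0 name="{PLAIN}" '
    'inode=1234 dev=08:01 mode=0100644 ouid=1000 ogid=1000 nametype=NORMAL',
    f'type=PATH msg=audit(1700000000.456:4568): item=0 '
    f'name={SPACED.encode().hex().upper()} '
    'inode=1235 dev=08:01 mode=0100644 ouid=1000 ogid=1000 nametype=NORMAL',
]

# name= is followed by a quoted string, an unquoted run of hex digits, or a
# bare token such as (null) when the kernel could not resolve a path.
NAME_RE = re.compile(
    r'\bname=(?:"(?P<quoted>[^"]*)"|(?P<hex>[0-9A-Fa-f]+)(?=\s|$)|(?P<bare>\S+))'
)


def decode_if_hex(value: str) -> str:
    """Decode a value auditd hex-encoded; return anything else unchanged.

    Only an even-length, all-hex-digit value is decoded. In a raw record a
    plain path made of hex digits would be quoted, so the check is exact there;
    on an already-parsed field (e.g. file.path in Kibana) it is a heuristic.
    """
    if value and len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        # Keep bytes that are not valid UTF-8 visible rather than dropping them.
        return bytes.fromhex(value).decode("utf-8", errors="backslashreplace")
    return value


def decode_audit_name(record: str) -> Optional[str]:
    """Return the decoded name= value of a raw PATH record, or None if absent."""
    m = NAME_RE.search(record)
    if not m:
        return None
    if m.group("quoted") is not None:
        return m.group("quoted")  # plain value, nothing to decode
    if m.group("hex") is not None:
        return decode_if_hex(m.group("hex"))
    return m.group("bare")


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(decode_audit_name(rec))
```

Applying decode_if_hex to file.path at ingest time keeps the events that the NOT file.path:\[0-9A-F]*\ filter would otherwise drop, which are often just files whose names contain spaces.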