Displays specifically which lines have been changed in the file

Does auditbeat (file integrity module) make it possible to display modified lines in a file?

For example, when I change the content of a file, auditbeat can display at what line the content of the file has been changed.

Hello and welcome,

No, it will not show the difference in the content of the file, just if the file was changed.


Hi sir, is there any reference that auditbeat can't do that thing? And can filebeat do that?

The documentation explains how it works.

This module uses features of the operating system to monitor file changes in realtime. When the module starts it creates a subscription with the OS to receive notifications of changes to the specified files or directories. Upon receiving notification of a change the module will read the file’s metadata and then compute a hash of the file’s contents.

It uses the hash of the file contents, not the content itself. So, if a file has changed, the calculated hash would be different, but you will not have any information about what the changes were.

Filebeat also cannot do that; it is designed to read the content of files and send it to Elasticsearch, and it keeps track of what was already read from a file.

You can however configure it to read the same file multiple times, but it will not compare with any previous version, you would need to compare it yourself.

What are you trying to achieve?


I want to view modified lines in a file, sir.

Yeah, but what is the goal for this? What do you want to monitor and track? What are the requirements? What kind of files?

Depending on what you want to do, you may be able to implement something with a custom script using diff, or maybe even use git to track changes.

My goal is to monitor changes in the content of a file, what I want to monitor is all types of files in a directory, for example (/var/www/html). And the changes can be seen on which line the changes occurred.
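
The custom diff-based script suggested above, sketched as an added example that is not part of the original thread or of Auditbeat: it detects a change by SHA-256 hash, as the file integrity module does, and then diffs against a stored baseline to report which lines changed. The function names and the sample files are constructed for illustration.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each regular file under root to (sha256 hex digest, list of lines)."""
    snap = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and not p.is_symlink():
            data = p.read_bytes()
            # Binary files decode to meaningless lines; the hash still flags them.
            lines = data.decode("utf-8", errors="replace").splitlines()
            snap[str(p.relative_to(root))] = (hashlib.sha256(data).hexdigest(), lines)
    return snap

def changed_lines(old, new):
    """Return (tag, old_start, old_count, new_start, new_count), 1-based starts."""
    sm = difflib.SequenceMatcher(a=old, b=new, autojunk=False)
    return [(tag, i1 + 1, i2 - i1, j1 + 1, j2 - j1)
            for tag, i1, i2, j1, j2 in sm.get_opcodes() if tag != "equal"]

def compare(baseline, current):
    """Report created and deleted files, and changed line ranges for modified ones."""
    report = {}
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            report[path] = "created"
        elif path not in current:
            report[path] = "deleted"
        elif baseline[path][0] != current[path][0]:  # hash differs: diff the lines
            report[path] = changed_lines(baseline[path][1], current[path][1])
    return report

def demo():
    """Constructed sample: a small web root is snapshotted, then edited."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.php").write_text("<?php\necho 'hello';\n?>\n")
        (root / "style.css").write_text("body { margin: 0; }\n")
        baseline = snapshot(root)
        (root / "index.php").write_text(
            "<?php\necho 'changed';\ninclude 'new.php';\n?>\n")
        (root / "new.php").write_text("<?php ?>\n")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for path, change in demo().items():
        print(path, change)
```

In real use the baseline has to be stored outside the monitored directory, somewhere the web server account cannot write, and the comparison would be triggered by the Auditbeat change event or by a timer.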