Error monitoring Windows folders recursively

Auditbeat 6.8.7

I'm trying to use the FIM module to monitor C:\Windows in recursive, and when I do this, I just get an error as below:

WARN [file_integrity] file_integrity/eventreader_fsnotify.go:150 fsnotify watcher error {"error": "short read in readEvents()"}

This just repeats over and over until I stop the agent. Can someone assist with what this means and how to fix?

Config excerpt is below:

path.config: ${path.home}/fim/conf ${path.home}/fim/data
path.logs: ${path.home}/logs
keystore.path: "${path.config}/fim.keystore"

  path: ${path.config}/conf.d/*.yml
  reload.period: 10s
  reload.enabled: true

auditbeat.max_start_delay: 10s

- module: file_integrity
  - C:/windows
  - C:/windows/system32
  - C:/Program Files
  - C:/Program Files (x86)

  - '(?i)\.lnk$'
  - '(?i)\.swp$'

  scan_at_start: true
  scan_rate_per_sec: 50 MiB
  max_file_size: 100 MiB
  hash_types: [sha1]
  recursive: true

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.