Error monitoring Windows folders recursively

Auditbeat 6.8.7

I'm trying to use the FIM module to monitor C:\Windows recursively, and when I do this, I just get the error below:

WARN [file_integrity] file_integrity/eventreader_fsnotify.go:150 fsnotify watcher error {"error": "short read in readEvents()"}

This just repeats over and over until I stop the agent. Can someone assist with what this means and how to fix it?

Config excerpt is below:

#path.home:
path.config: ${path.home}/fim/conf
path.data: ${path.home}/fim/data
path.logs: ${path.home}/logs
keystore.path: "${path.config}/fim.keystore"

auditbeat.config.modules:
  path: ${path.config}/conf.d/*.yml
  reload.period: 10s
  reload.enabled: true

auditbeat.max_start_delay: 10s

auditbeat.modules:
- module: file_integrity
  paths:
  - C:/windows
  - C:/windows/system32
  - C:/Program Files
  - C:/Program Files (x86)

  exclude_files:
  - '(?i)\.lnk$'
  - '(?i)\.swp$'

  scan_at_start: true
  scan_rate_per_sec: 50 MiB
  max_file_size: 100 MiB
  hash_types: [sha1]
  recursive: true
