File integrity module not capturing user data

I am using Auditbeat's file integrity module to listen to a few folders.
Now, the following is a sample of the file_integrity module's output file:

              "osName": "ubuntu",
              "osCategory": "linux",
              "@timestamp": "2019-03-02T03:28:39.809Z",
              "file": {
                "inode": "779302",
                "owner": "root",
                "mode": "0644",
                "path": "/etc/auditbeat/auditbeat.yml",
                "uid": 0,
                "gid": 0,
                "size": 33258,
                "ctime": "2019-03-02T03:28:22.706Z",
                "mtime": "2019-03-02T03:28:22.682Z",
                "type": "file",
                "group": "root"
              "osVersion": 16,
              "beatName": "auditbeat",
              "@version": "1",
              "beat": {
                "name": "k8720asd",
                "hostname": "k8720asd",
                "version": "6.5.4"
              "host": {
                "name": "k8720asd"
              "event": {
                "action": [
                "module": "file_integrity"
              "device": [
              "hash": {
                "sha1": "9962115130ee05a05cd8d236c94d8b038d773e43"

In the above document, there is no information on which user performed the above operations.
Is there any way that we can get this using the file_integrity module?

The file integrity monitoring (FIM) module doesn't provide an audit trail for who made the change. This is because the Linux API (inotify) doesn't provide the data. If you need the user, you can set up a rule with the auditd module to generate an event when a file is written.
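
A sketch of the approach described in the reply above, added here as an example and not taken from the original thread or from the Auditbeat project: an `auditbeat.yml` fragment that keeps the file_integrity module for hashes and adds an auditd watch rule on the same directory so that writes are attributed to a user. The directory comes from the sample event in the question; the key name `auditbeat_conf_change` is a made-up label.

```yaml
auditbeat.modules:

# Existing FIM coverage: reports what changed (path, hash, mode, owner),
# but not who changed it, because inotify carries no user information.
- module: file_integrity
  paths:
  - /etc/auditbeat

# Kernel audit framework: reports who changed it.
# Rules use the same syntax as auditctl / audit.rules.
- module: auditd
  audit_rules: |
    # -w  watch this path (a directory watch covers the files inside it)
    # -p  wa = trigger on writes (w) and attribute changes (a) such as chmod/chown
    # -k  key attached to every matching event, used later as a search filter
    #     (hypothetical key name chosen for this example)
    -w /etc/auditbeat/ -p wa -k auditbeat_conf_change
```

Events produced by the rule carry the audit login UID (auid), the effective UID and the executable that made the change, and can be lined up with the file_integrity event for the same path by timestamp. The auditd module needs root privileges to install rules.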
