I am using Auditbeat's file integrity module to listen to a few folders.
Now, the following is a sample of the file_integrity module's output:
{
  "osName": "ubuntu",
  "osCategory": "linux",
  "@timestamp": "2019-03-02T03:28:39.809Z",
  "file": {
    "inode": "779302",
    "owner": "root",
    "mode": "0644",
    "path": "/etc/auditbeat/auditbeat.yml",
    "uid": 0,
    "gid": 0,
    "size": 33258,
    "ctime": "2019-03-02T03:28:22.706Z",
    "mtime": "2019-03-02T03:28:22.682Z",
    "type": "file",
    "group": "root"
  },
  "osVersion": 16,
  "beatName": "auditbeat",
  "@version": "1",
  "beat": {
    "name": "k8720asd",
    "hostname": "k8720asd",
    "version": "6.5.4"
  },
  "host": {
    "name": "k8720asd"
  },
  "event": {
    "action": [
      "updated",
      "attributes_modified"
    ],
    "module": "file_integrity"
  },
  "device": [
    "k8720asd"
  ],
  "hash": {
    "sha1": "9962115130ee05a05cd8d236c94d8b038d773e43"
  }
}
In the above document, there is no information about which user performed the above operations.
Is there any way that we can get this using the file_integrity module?
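As an added example (not part of the original question and not Auditbeat project code): the file_integrity module reports only that a file changed, not who changed it, because it is driven by filesystem change notifications that carry no process or user identity. The Linux audit subsystem does record that, so one way to get the acting user for the same path is to keep the file_integrity watch and add an auditd module file-watch rule beside it. The watched path is taken from the sample event; the rule key name is an assumption, and the output section of the config is omitted since the question does not show it.

```yaml
# Added example, not from the original question: an Auditbeat 6.x modules
# configuration that keeps the file_integrity watch and adds an auditd
# file-watch rule on the same path. The file_integrity event says what changed;
# the auditd event for the same write carries the acting user (login UID in
# user.auid, effective UID in user.euid) and the process that made the change.
auditbeat.modules:
- module: file_integrity
  paths:
  - /etc/auditbeat          # directory containing the file from the sample event
  hash_types: [sha1]        # matches the hash.sha1 field in the sample event

- module: auditd
  resolve_ids: true         # map numeric UIDs in audit records to user names
  audit_rules: |
    # -w watches a path, -p wa records write and attribute-change access,
    # -k tags the records with a key for searching. Key name is assumed.
    -w /etc/auditbeat/auditbeat.yml -p wa -k auditbeat_conf
```

One caveat when enabling the auditd module: on kernels older than 3.16 the audit socket has a single consumer, so the auditd daemon must be stopped (or the Auditbeat module must not run) to avoid the two fighting over the netlink socket; on newer kernels Auditbeat can be set to the multicast socket type to read alongside auditd. Correlate the two event streams on file.path and the timestamp, since the file_integrity event itself will still carry no user field.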