I am using elastic agent and the file integrity monitoring integration (1.14.1) to watch a folder and its subfolders for changes.
This works fine, but in order to get the true state of the filesystem I have to condense the "raw filesystem events" reported by the integration into the state of the filesystem at that point in time.
I am using an external (script as a) service to do this (aggregate, sort by timestamp, what kind of event? handle accordingly), but is there an internal way of doing this using only the elastic stack?
I have tried using a continuous transform but haven't had much luck. It works on file-based events, but if a folder is deleted, for example, I have to delete all the files it contained, which I don't think I can do in a transform (or can I?).
Another idea was to use ingest pipeline processing to do that on incoming events, but other than enriching the data stream with more fields, I couldn't figure this out either.
But then again, I am not that smart! Maybe there is an easy solution I am missing? Thanks
tl;dr Can you create a filesystem state from raw events logged from the fim integration using the elastic stack or do you need an outside entity to query, filter and delete?
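For reference, here is what the "aggregate, sort by timestamp, handle each kind of event" replay looks like when written out, including the folder-deletion cascade the question asks about. This is an added example, not the poster's service and not anything that runs inside the Elastic stack. The document shape (`@timestamp`, `event.action` as a list, `file.path`, `file.type`, `file.hash.sha256`) and the action values (`initial_scan`, `created`, `updated`, `attributes_modified`, `deleted`, `moved`) follow the Auditbeat FIM conventions the integration is built on; they are assumptions here, and the sample events are constructed.

```python
"""Replay Elastic FIM events into a point-in-time filesystem state.

Added example, not the poster's service and not part of the Elastic stack.
Field names (@timestamp, event.action, file.path, file.type, file.hash.sha256)
and action values (initial_scan, created, updated, attributes_modified,
deleted, moved) follow the Auditbeat FIM conventions the integration is built
on; treat them as assumptions and check them against your own documents.
"""
from __future__ import annotations

from datetime import datetime
from typing import Any

# Actions after which the reported path exists and looks like the event says.
# ASSUMPTION: a "moved" event reports the destination path. If your events
# report the source path instead, route "moved" to the delete branch below.
UPSERT_ACTIONS = {"initial_scan", "created", "updated", "attributes_modified", "moved"}
DELETE_ACTION = "deleted"


def fim_event(ts: str, action: str, path: str, ftype: str, sha256: str | None = None) -> dict:
    """Build a minimal FIM-style document (constructed, ECS-like shape)."""
    doc: dict[str, Any] = {
        "@timestamp": ts,
        "event": {"action": [action]},
        "file": {"path": path, "type": ftype},
    }
    if sha256:
        doc["file"]["hash"] = {"sha256": sha256}
    return doc


# Constructed sample events, deliberately NOT in timestamp order, so the
# replay has to sort them the way the poster's script does.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    fim_event("2024-05-01T10:12:00Z", "created", "/opt/app/README", "file", "dddd"),
    fim_event("2024-05-01T10:00:00Z", "initial_scan", "/opt/app", "dir"),
    fim_event("2024-05-01T10:00:00Z", "initial_scan", "/opt/app/config", "dir"),
    fim_event("2024-05-01T10:00:00Z", "initial_scan", "/opt/app/config/app.yml", "file", "aaaa"),
    fim_event("2024-05-01T10:06:00Z", "created", "/opt/app/config/secret.key", "file", "cccc"),
    fim_event("2024-05-01T10:05:00Z", "updated", "/opt/app/config/app.yml", "file", "bbbb"),
    # The directory is deleted; FIM emits nothing for the files beneath it.
    fim_event("2024-05-01T10:10:00Z", "deleted", "/opt/app/config", "dir"),
]


def _parse_ts(ts: str) -> datetime:
    """ISO 8601 with a trailing Z, as Elasticsearch writes @timestamp."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _actions(event: dict[str, Any]) -> list[str]:
    """event.action may be a string or a list; normalise to a list."""
    action = event.get("event", {}).get("action", [])
    return [action] if isinstance(action, str) else list(action)


def _is_under(path: str, directory: str) -> bool:
    """True if path lies strictly below directory (POSIX path semantics)."""
    return path.startswith(directory.rstrip("/") + "/")


def reconstruct(events, as_of: str | None = None) -> dict[str, dict[str, Any]]:
    """Return {path: {"type", "sha256", "seen"}} as it stood at `as_of`.

    `as_of` is an ISO 8601 timestamp; None replays every event.
    """
    cutoff = _parse_ts(as_of) if as_of else None
    state: dict[str, dict[str, Any]] = {}
    # Documents in the data stream are not guaranteed to arrive in event
    # order, so sort by the event's own timestamp before replaying.
    for ev in sorted(events, key=lambda e: _parse_ts(e["@timestamp"])):
        ts = _parse_ts(ev["@timestamp"])
        if cutoff is not None and ts > cutoff:
            break
        file = ev.get("file", {})
        path = file.get("path")
        if not path:
            continue  # e.g. config_change events carry no path worth keeping
        for action in _actions(ev):
            if action == DELETE_ACTION:
                # Deleting a path removes it and everything recorded beneath
                # it, whatever file.type said: nothing can survive under a
                # path that no longer exists.
                for doomed in [p for p in state if p == path or _is_under(p, path)]:
                    del state[doomed]
            elif action in UPSERT_ACTIONS:
                state[path] = {
                    "type": file.get("type", "file"),
                    "sha256": file.get("hash", {}).get("sha256"),
                    "seen": ts,
                }
    return state


if __name__ == "__main__":
    for p, info in sorted(reconstruct(SAMPLE_EVENTS).items()):
        print(f"{info['type']:4} {p}  sha256={info['sha256']}")
```

The `as_of` cutoff is what makes this a "state at that point in time" rather than just "current state": `reconstruct(SAMPLE_EVENTS, as_of="2024-05-01T10:07:00Z")` still shows `/opt/app/config` and both files under it, while the full replay leaves only `/opt/app` and `/opt/app/README`. The cascade in the delete branch is exactly the step a per-document transform or ingest processor cannot do on its own, because it has to touch documents other than the one being processed.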