File Integrity Does Not Show Who Changed File Share

Hi There,
I installed Auditbeat to monitor who changed or deleted files on a file share. It works well if I log in to Windows and change or delete the files, and it shows who deleted these files. But the Auditbeat message doesn't show who deleted or changed the file when I access it via the shared folder.
I am just a newbie, I hope that you are going to help me.

Many thanks,

The file_integrity module tells you when a file changes, but does not tell you information about the user that made changes. None of the OS APIs used to monitor the changes provide this detail.

If you need to monitor the user that makes the changes then use the operating system's auditing features. On Windows you can set up a file auditing policy and then collect the audit events with Winlogbeat: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder. On Linux you can use the auditd module that's part of Auditbeat.
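The Windows route described in the answer above, as an added example that is not part of the original thread: it enables file system auditing, puts an audit entry on the shared folder, and reads back Security event 4663 to show which account touched which file. The folder path and the function name `Get-ShareFileAudit` are assumptions; run it in an elevated session on the server that hosts the share.

```powershell
# Added example, not from the thread. Hypothetical folder behind the share:
$SharePath = 'D:\Shares\Finance'

# 1. Enable the "File System" object-access audit subcategory on this server.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add an audit entry (SACL) to the folder so that successful writes and
#    deletes by any account, on the folder and everything below it, are logged.
$acl  = Get-Acl -Path $SharePath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'Write, Delete, DeleteSubdirectoriesAndFiles',
    'ContainerInherit, ObjectInherit', 'None', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 3. Read event 4663 ("An attempt was made to access an object") from the
#    Security log and keep only entries under the audited folder.
function Get-ShareFileAudit {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $MaxEvents = 500
    )
    $filter = @{ LogName = 'Security'; Id = 4663 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt  = $_
            # Flatten the <EventData> name/value pairs into a hashtable.
            $data = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            $object = [string]$data['ObjectName']
            if ($object.StartsWith($Path, [StringComparison]::OrdinalIgnoreCase)) {
                [pscustomobject]@{
                    Time       = $evt.TimeCreated
                    User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                    File       = $object
                    AccessMask = $data['AccessMask']   # 0x10000 = DELETE, 0x2 = write data
                    Process    = $data['ProcessName']
                }
            }
        }
}

Get-ShareFileAudit -Path $SharePath | Sort-Object Time | Format-Table -AutoSize
```

These are the same Security log events Winlogbeat would forward once it is configured to read that log.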

Hi Andrew Koh,

Thank you so much!
