I am using Auditbeat 8.6 for Windows file integrity and have noticed that when I delete a folder, the event is captured and shows that the folder was deleted, but there are no logs of the individual files within the deleted folder until I restart the Auditbeat service, even though the 'recursive' parameter is set to true.
I've also observed that when I create a new folder, the event is captured correctly and shows the creation logs for both the folder and all its files.
Can anyone explain why this is happening and if there is a way to capture the deleted files within the folder without having to restart the service?
I speculate that Windows tells Auditbeat that the folder was deleted, but it does not send delete events for the contents of the directory. Therefore you only see that one delete event.
When Auditbeat restarts, it reconciles its persisted state of the filesystem with the real filesystem by scanning every file. When this happens it notices that the files stored in that folder are gone and generates events.
An enhancement would be to trigger the reconciliation process when a directory is deleted on Windows. It could iterate over its stored database and generate delete events for everything that was a child of the directory, and also purge those records from the database so that it doesn't send them again on restart.
An open question is whether this is unique to Windows. I think other OSes require that the contents of the directory be deleted before the parent directory, so the OS then generates events for each deleted file.
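To make the two mechanisms in the answer above concrete, here is an added example (written for this page, not Auditbeat's own code, though Auditbeat itself is written in Go). It models the persisted file database as an in-memory map, implements the proposed "directory deleted, synthesise deletes for every recorded child and purge them" step, and a simplified version of the startup reconciliation scan that takes the set of currently existing paths as input instead of walking the disk. The `State`, `Event`, `normalize`, `OnDirectoryDeleted` and `Reconcile` names, the sample `C:\data\...` paths and the choice to compare paths case-insensitively (NTFS is case-insensitive by default) are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Event is a simplified file-integrity event. Constructed for this example;
// it is not Auditbeat's real event schema.
type Event struct {
	Action string
	Path   string
}

// State stands in for Auditbeat's persisted file database. Keys are
// normalized paths (forward slashes, lower case); values keep the path as
// originally recorded so emitted events show what the watcher saw.
type State struct {
	files map[string]string
}

// normalize makes Windows paths comparable with plain prefix tests.
// Lower-casing is an assumption: NTFS volumes are case-insensitive by default.
func normalize(p string) string {
	p = strings.ReplaceAll(p, `\`, "/")
	return strings.ToLower(strings.TrimRight(p, "/"))
}

// NewState loads a constructed set of previously observed paths.
func NewState(paths ...string) *State {
	s := &State{files: make(map[string]string)}
	for _, p := range paths {
		s.files[normalize(p)] = p
	}
	return s
}

// Len reports how many records are still in the database.
func (s *State) Len() int { return len(s.files) }

// OnDirectoryDeleted is the proposed enhancement: when the OS reports only the
// parent directory as deleted, emit a delete event for the directory and every
// recorded descendant, and purge those records so the reconciliation scan on
// the next restart does not report them a second time.
func (s *State) OnDirectoryDeleted(dir string) []Event {
	key := normalize(dir)
	prefix := key + "/" // trailing separator so "reports" does not match "reports2"
	var events []Event
	for k, original := range s.files { // deleting during range is safe in Go
		if k == key || strings.HasPrefix(k, prefix) {
			events = append(events, Event{Action: "deleted", Path: original})
			delete(s.files, k)
		}
	}
	sort.Slice(events, func(i, j int) bool { return events[i].Path < events[j].Path })
	return events
}

// Reconcile mirrors the startup behaviour described above: compare persisted
// records with the paths that exist now (passed in as a constructed slice
// rather than walked from disk) and emit a delete for every record that has
// vanished, purging it as it goes.
func (s *State) Reconcile(existing []string) []Event {
	present := make(map[string]bool, len(existing))
	for _, p := range existing {
		present[normalize(p)] = true
	}
	var events []Event
	for k, original := range s.files {
		if !present[k] {
			events = append(events, Event{Action: "deleted", Path: original})
			delete(s.files, k)
		}
	}
	sort.Slice(events, func(i, j int) bool { return events[i].Path < events[j].Path })
	return events
}

func main() {
	db := NewState(
		`C:\data\reports`,
		`C:\data\reports\q1.txt`,
		`C:\data\reports\old\q0.txt`,
		`C:\data\reports2\keep.txt`,
		`C:\data\other.txt`,
	)
	// The only notification the watcher gets on Windows (per the thread) is
	// for the directory itself; the children are derived from the database.
	for _, e := range db.OnDirectoryDeleted(`C:\data\reports`) {
		fmt.Printf("%s %s\n", e.Action, e.Path)
	}
	// After the purge a restart scan has nothing left to say about that tree;
	// here it only notices a file removed while the process was not running.
	for _, e := range db.Reconcile([]string{`C:\data\reports2\keep.txt`}) {
		fmt.Printf("%s %s (found by reconciliation)\n", e.Action, e.Path)
	}
}
```

The trailing separator on the prefix matters: without it, deleting `C:\data\reports` would also purge and report `C:\data\reports2\keep.txt`, which is exactly the kind of false "deleted" event a file-integrity pipeline must not produce.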