Missing log events for deleted files within a folder using Auditbeat 8.6 for Windows file integrity

I am using Auditbeat 8.6 for Windows file integrity and have noticed that when I delete a folder, the event is captured and shows that the folder was deleted, but there are no logs of the individual files within the deleted folder until I restart the Auditbeat service, even though the 'recursive' parameter is set to true.
I've also observed that when I create a new folder, the event is captured correctly and shows the creation logs for both the folder and all its files.

Can anyone explain why this is happening and if there is a way to capture the deleted files within the folder without having to restart the service?

I speculate that Windows tells Auditbeat that the folder was deleted, but it does not send delete events for the contents of the directory. Therefore you only see that one delete event.

When Auditbeat restarts, it reconciles its persisted state of the filesystem with the real filesystem by scanning every file. When this happens it notices that the files stored in that folder are gone and generates events.

An enhancement would be to trigger the reconciliation process when a directory is deleted on Windows. It could iterate over its stored database and generate delete events for everything that was a child of the directory, and also purge those records from the database so that it doesn't send them again on restart.

An open question is whether this is unique to Windows. I think other OSes require that the contents of the directory be deleted before the parent directory, so the OS then generates events for each deleted file.
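The two behaviours described in this answer, the restart-time reconciliation against the persisted state and the proposed directory-delete reconciliation, as an added illustration in Go (Auditbeat's language). This is not Auditbeat's own code: the state database is a constructed in-memory map, the paths and digests are constructed sample values, and `ReconcileDeletedDir`, `ReconcileFullScan` and `SampleDB` are hypothetical names chosen for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Record is one entry of the (constructed) persisted state database:
// what the monitor last knew about a path.
type Record struct {
	IsDir  bool
	SHA256 string // constructed placeholder digests, not real hashes
}

// Event is the file-integrity event that would be emitted downstream.
type Event struct {
	Path   string
	Action string
}

// normalize makes prefix checks separator-agnostic so Windows-style
// paths can be used in this illustration on any platform.
func normalize(p string) string {
	return strings.TrimRight(strings.ReplaceAll(p, `\`, "/"), "/")
}

// childOf reports whether p lies strictly beneath dir. The trailing
// separator matters: without it "C:\data\reports-old\x.csv" would be
// mistaken for a child of "C:\data\reports".
func childOf(p, dir string) bool {
	return strings.HasPrefix(normalize(p), normalize(dir)+"/")
}

// depth counts path components; used to emit children before parents.
func depth(p string) int {
	return strings.Count(normalize(p), "/")
}

// sortDeepestFirst orders events so a directory's contents precede the
// directory itself, mirroring the order a recursive delete on other OSes
// would naturally produce.
func sortDeepestFirst(events []Event) {
	sort.Slice(events, func(i, j int) bool {
		di, dj := depth(events[i].Path), depth(events[j].Path)
		if di != dj {
			return di > dj
		}
		return events[i].Path < events[j].Path
	})
}

// ReconcileDeletedDir is the hypothetical enhancement from the answer:
// given the single directory-delete notification Windows provides,
// synthesise a delete event for every stored descendant and purge those
// records (plus the directory's own record) so they are not reported
// again at the next restart. The directory's own event is assumed to
// have been emitted by the watcher already, so it is not duplicated here.
func ReconcileDeletedDir(db map[string]Record, deletedDir string) []Event {
	var events []Event
	for p := range db { // deleting during range is safe in Go
		switch {
		case normalize(p) == normalize(deletedDir):
			delete(db, p)
		case childOf(p, deletedDir):
			events = append(events, Event{Path: p, Action: "deleted"})
			delete(db, p)
		}
	}
	sortDeepestFirst(events)
	return events
}

// ReconcileFullScan models what happens on service restart: every stored
// path is compared with the live filesystem (here a constructed set of
// paths that still exist) and anything missing yields a delete event.
func ReconcileFullScan(db map[string]Record, live map[string]bool) []Event {
	var events []Event
	for p := range db {
		if !live[p] {
			events = append(events, Event{Path: p, Action: "deleted"})
			delete(db, p)
		}
	}
	sortDeepestFirst(events)
	return events
}

// SampleDB builds the constructed state database used below.
func SampleDB() map[string]Record {
	return map[string]Record{
		`C:\data\notes.txt`:                {SHA256: "placeholder-1"},
		`C:\data\reports`:                  {IsDir: true},
		`C:\data\reports\q1.csv`:           {SHA256: "placeholder-2"},
		`C:\data\reports\archive`:          {IsDir: true},
		`C:\data\reports\archive\2022.csv`: {SHA256: "placeholder-3"},
		`C:\data\reports-old\x.csv`:        {SHA256: "placeholder-4"},
	}
}

func main() {
	db := SampleDB()
	fmt.Println("Windows reported: deleted C:\\data\\reports")
	for _, ev := range ReconcileDeletedDir(db, `C:\data\reports`) {
		fmt.Printf("synthesised %s %s\n", ev.Action, ev.Path)
	}
	fmt.Printf("%d records remain in the state database\n", len(db))
}
```

The sibling entry `C:\data\reports-old\x.csv` is included deliberately: a naive string-prefix match would purge it and emit a false delete event, so the separator-aware `childOf` check is the part worth keeping if this idea is ever implemented. Until something like it exists, restarting the service (which drives the full-scan path) remains the only way to surface those child deletions.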
