Monitoring files changes

I use auditbeat for monitoring files and directories and works fine when access to file from "vim, nano, etc" . But if modify from script or cat (redirection) not capture the event.


vim /tmp/foo (edit and save) -> Detected
cat /etc/hosts > /tmp/foo -> Not detected

Can you helpme.

Redirection works correctly on my FIM setup (6.6.1)

Can you share the FIM portion of your config?

I works with auditbeat, and my rule:

[root@elk ~]# grep lala /etc/auditbeat/auditbeat.yml
    -w /tmp/lala -p wa -k change

Edit file with vim

And edit file (the same) with cat

Not detected process/command (only says bash)



What I can observe is that the coreutils apps ( are identified under their execution process /usr/bin/bash

vim is detected as /usr/bin/vim while other linux coreutils (touch, echo, cat, etc) are /usr/bin/bash

I solved. Put the directory under file_integrity module and the changes (cat, echo, etc) are detected .

Thanks for your help

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.