I'm looking for help in figuring out the right approach to take for tracking changes to files. Originally I thought Auditbeat's file_integrity module would work, but (as the name suggests) it only tracks that "a change" was made, and not the details (configuration value X was 10 and is now 20, configuration value Y was introduced/removed).
My searching has pointed me mostly to intrusion detection tool suites and some other utilities that keep a copy of /etc/ files in git allowing changes to be tracked there.
Our business need is to be able to track what changes were made to certain files and when, to assist in troubleshooting. Our software is installed on customer systems, and some of our customers are permitted to make changes to files (for example, database tuning, etc.). If we can track a change, it might help a few days later when the customer calls us and says something else isn't working.
In an ideal world, I could look at a visualization (with a large span of time) and have an indication that one of the configuration files had changed. I'd also like to do this entirely with the Elastic Stack if possible (reducing the need to introduce another tool suite).
Does anyone have any guidance on how I can approach this?
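
The kind of key-level change record the question asks for ("value X was 10 and is now 20", "value Y was introduced/removed"), as an added example that is not part of the original post: it diffs a stored snapshot of a file against its current content and renders one JSON line per changed key. Assumptions: the file uses simple `key = value` lines, the previous snapshot is kept by whatever runs this, the `config_change` field name and the sample path are hypothetical, and forwarding the JSON lines to Elasticsearch with a log shipper is left out.

```python
import json
from datetime import datetime, timezone

def parse_config(text):
    """Parse simple key=value lines; lines starting with '#' or ';' are comments."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values

def diff_config(old_text, new_text):
    """Return one record per key that was added, removed or modified."""
    old, new = parse_config(old_text), parse_config(new_text)
    changes = []
    for key in sorted(old.keys() | new.keys()):
        if key not in old:
            changes.append({"key": key, "action": "added", "old": None, "new": new[key]})
        elif key not in new:
            changes.append({"key": key, "action": "removed", "old": old[key], "new": None})
        elif old[key] != new[key]:
            changes.append({"key": key, "action": "modified", "old": old[key], "new": new[key]})
    return changes

def to_events(path, changes, when=None):
    """Render changes as JSON lines, one event per changed key."""
    ts = (when or datetime.now(timezone.utc)).isoformat()
    return [
        json.dumps({"@timestamp": ts, "file": {"path": path}, "config_change": c},
                   sort_keys=True)
        for c in changes
    ]

# Constructed sample input: the stored snapshot and the file's current content.
OLD = "# tuning\nmax_connections = 10\nwork_mem = 4MB\nlog_level = info\n"
NEW = "# tuning\nmax_connections = 20\nwork_mem = 4MB\nshared_buffers = 1GB\n"

if __name__ == "__main__":
    # "/opt/app/db.conf" is a hypothetical path used only for this example.
    for line in to_events("/opt/app/db.conf", diff_config(OLD, NEW)):
        print(line)
```

Because each changed key becomes its own timestamped event, a long-span visualization can count events per file path while the old and new values remain available for troubleshooting.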