Track Changes to Text Configuration File

I'm looking for help in figuring out the right approach to take for tracking changes to files. Originally I thought Auditbeat's file_integrity module would work, but (as the name suggests) it only tracks that "a change" was made, and not the details (configuration value X was 10 and is now 20, configuration value Y was introduced/removed).

My searching has pointed me mostly to intrusion detection tool suites and some other utilities that keep a copy of /etc/ files in git allowing changes to be tracked there.

Our business need is to be able to track what changes were made to certain files and when, to assist in troubleshooting. Our software is installed on customer systems, and some of our customers are permitted to make changes to files (for example, database tuning, etc.). If we can track a change, it might help a few days later when the customer calls us and says something else isn't working.

In an ideal world, I could look at a visualization (with a large span of time) and have an indication that one of the configuration files had changed. I'd also like to do this entirely with the elastic stack if possible (reducing the need to introduce another tool suite).

Does anyone have any guidance on how I can approach this?

This is a tough one. The fact that some solutions turn to having a Git repo to track anything is a telling sign. Also though, Git is very, very good at this.

As the vendor of this software, if I were you I'd push for providing a more blessed way for users to make changes to the config files. In Unix systems, sometimes there are special commands that "wrap" editing files, such as vipw and visudo. Having such a utility would give your software the opportunity to log changes as needed. Ideas also come to mind for nice-looking editing interfaces, validating changes, protecting a whitelist of files that can be edited, maintaining checksums to ensure edits aren't done outside of the blessed method... etc., etc.

I don't see a way of doing this just with Elastic stack products though. The requirements here are on the pre-ingest side.
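A sketch of the "blessed edit" wrapper the reply suggests, as an added example that is not from this thread or from Elastic: it lets the user edit a temporary copy the way visudo does, then records which keys changed (old and new values, additions, removals) together with before/after SHA-256 hashes as one JSON line that Filebeat can ship to Elasticsearch. It assumes simple `key = value` files; the log path, the editor lookup, the field names and the sample config are assumptions.

```python
import hashlib, json, os, shutil, subprocess, tempfile
from datetime import datetime, timezone
from pathlib import Path

CHANGE_LOG = "/var/log/config-changes.jsonl"  # assumed path; point Filebeat at it
# Constructed sample (not from the thread): a customer raised one tuning value and added another.
SAMPLE_BEFORE = "# db tuning\nmax_connections = 10\nshared_buffers = 128MB\n"
SAMPLE_AFTER = "# db tuning\nmax_connections = 20\nshared_buffers = 128MB\nwork_mem = 4MB\n"

def parse_kv(text):
    """Parse `key = value` lines into a dict; blank lines and # comments are ignored."""
    lines = (l.partition("=") for l in map(str.strip, text.splitlines())
             if l and not l.startswith("#") and "=" in l)
    return {k.strip(): v.strip() for k, _, v in lines}

def diff_configs(old_text, new_text):
    """Key-level changes between two config bodies: added, removed or modified."""
    old, new = parse_kv(old_text), parse_kv(new_text)
    changes = []
    for key in sorted(set(old) | set(new)):
        if key not in new:
            changes.append({"key": key, "action": "removed", "old": old[key]})
        elif key not in old:
            changes.append({"key": key, "action": "added", "new": new[key]})
        elif old[key] != new[key]:
            changes.append({"key": key, "action": "modified", "old": old[key], "new": new[key]})
    return changes

def change_record(path, old_text, new_text, user="unknown"):
    """One JSON-serialisable audit record with before/after SHA-256 of the whole file."""
    sha = lambda s: hashlib.sha256(s.encode()).hexdigest()
    return {"timestamp": datetime.now(timezone.utc).isoformat(), "path": path, "user": user,
            "sha256_before": sha(old_text), "sha256_after": sha(new_text),
            "changes": diff_configs(old_text, new_text)}

def edit_file(path, editor=None):
    """visudo-style edit: the user edits a temp copy; only real changes are installed and logged."""
    old_text = Path(path).read_text()
    fd, tmp = tempfile.mkstemp(suffix=".conf")
    os.close(fd)
    shutil.copyfile(path, tmp)
    subprocess.run([editor or os.environ.get("EDITOR", "vi"), tmp], check=True)
    record = change_record(path, old_text, Path(tmp).read_text(), os.environ.get("USER", "unknown"))
    if record["changes"]:  # install the edited copy and append one audit line
        shutil.move(tmp, path)
        with open(CHANGE_LOG, "a") as log:
            log.write(json.dumps(record) + "\n")
    else:
        os.remove(tmp)
    return record
```

Because every record carries the full-file hash before and after, a file whose current hash does not match the last logged `sha256_after` was edited outside the wrapper, which is the checksum check the reply mentions.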
