
User field missing in log events for Linux and Windows both #191

Open
rajwcoupa opened this issue Feb 17, 2025 · 3 comments

Comments

@rajwcoupa

As we dug through the logs, it is difficult to identify which user has modified the files.

@okynos
Member

okynos commented Feb 17, 2025

Hello @rajwcoupa

Audit for Windows is currently under development, but for Linux it should work, giving you the USERID of each modification. Did you try it?
Take a look at our documentation on how to configure Audit: https://documentation.achiefs.com/docs/configuration-file.html#audit

@rajwcoupa
Author

Hi @okynos ,

In the audit section, I am unable to find any reference related to username or user ID being logged in the event data. I expected the event logs to contain user-related details such as uid, gid, or username, but they are not present in the generated events.

Here is my current configuration:

```yaml
node: "FIM"
events:
  destination: file
  file: /var/lib/fim/events.json

audit:
  - path: /tmp
    labels: ["tmp", "linux"]
    ignore: [".swp"]

monitor:
  - path: /bin/
  - path: /usr/bin/
    labels: ["usr/bin", "linux"]
  - path: /etc
    labels: ["config", "linux"]

log:
  file: /var/log/fim/fim.log
  level: debug
```

Below is a sample event from /var/lib/fim/events.json generated with the above configuration:

```json
{
  "checksum": "2ec5c0f07bd5a228ac1d112a1cda0ecf964a3aa6eff44140c4552da08187acd5efe772418e86306957d87dd02f0facf829f7b7de4221152f34c165777c0b2fa1",
  "detailed_operation": "ACCESS_CLOSE_WRITE",
  "file": "/etc/vahana/data/vahana_slaves.json",
  "file_size": 102,
  "fpid": 73077,
  "hostname": "qas3734utl2",
  "id": "0c5dd016-fed8-46a2-99dc-ff57eb5696dd",
  "labels": [ "etc", "linux" ],
  "node": "FIM",
  "operation": "ACCESS",
  "system": "linux",
  "timestamp": "1739804104933",
  "version": "0.5.2"
}
```

As you can see, there are no fields capturing the userid or username associated with the event. Could you confirm if there is a way to enable user-related fields in the logs? Are there any specific configuration changes required to capture user information?

Note: I tried to set the directory to be monitored under audit > path as well, but I see no events being generated for those paths, in this example /tmp.

Thanks!

@okynos
Member

okynos commented Feb 17, 2025

Do you have the Audit daemon installed? It is required to retrieve additional information from the system. In any case, you should see a message in the logs if FIM cannot find Audit.

Could you try to force an Audit event? For example, perform `touch /tmp/file.txt`.
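After forcing an event as suggested, a quick way to check the reporter's two questions (does any event carry user attribution, and did the audit path produce events at all) is to triage `events.json` directly. The script below is an added example, not code from the FIM project; it assumes `events.json` holds one JSON object per line as in the sample above, and the candidate user field names in `USER_KEYS` are an assumption, since the thread's events contain none of them.

```python
import json
from collections import Counter

# Assumed candidate field names for the acting user; the thread's events carry
# none of them, so which key FIM would emit (if any) is an assumption here.
USER_KEYS = ("uid", "auid", "gid", "user", "username")

# Constructed sample (not from the thread): two monitor-path events with no user
# data and one /tmp audit-path event that does carry a uid.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"file": "/etc/hosts", "operation": "ACCESS", "labels": ["config", "linux"]},
    {"file": "/usr/bin/vim", "operation": "ACCESS", "labels": ["usr/bin", "linux"]},
    {"file": "/tmp/file.txt", "operation": "CREATE", "labels": ["tmp", "linux"],
     "uid": "1000"},
]) + '\n{"file": "/etc/half'  # constructed half-written last line

def parse_events(text):
    """Yield one event per non-empty line; skip a malformed (half-written) line."""
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            yield json.loads(raw)
        except json.JSONDecodeError:
            continue

def user_of(event):
    """Return the first user-attribution value present, else None."""
    for key in USER_KEYS:
        if event.get(key) not in (None, ""):
            return str(event[key])
    return None

def triage(text, audit_paths=("/tmp",)):
    """Count attributed vs. unattributed events and events under audit paths."""
    out = {"total": 0, "attributed": 0, "audit_events": 0,
           "unattributed_files": Counter()}
    for ev in parse_events(text):
        out["total"] += 1
        path = ev.get("file", "")
        if any(path.startswith(p.rstrip("/") + "/") for p in audit_paths):
            out["audit_events"] += 1
        if user_of(ev) is None:
            out["unattributed_files"][path] += 1
        else:
            out["attributed"] += 1
    return out

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

On a real host, pass the contents of `/var/lib/fim/events.json` to `triage()`; an `audit_events` count of zero after `touch /tmp/file.txt` points at the Audit integration rather than at field naming.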
