[Auditbeat/FIM/fsnotify]: prevent losing events for recursive mode on OS X (#39362) (#39376)

* fix(auditbeat/fim/fsnotify): do not return error immediately as this causes losing events on mac

* doc: update CHANGELOG.next.asciidoc

(cherry picked from commit bbf8746)

Co-authored-by: Panos Koutsovasilis <[email protected]>
mergify[bot] and pkoutsovasilis authored May 7, 2024
1 parent 01deef0 commit 14359f3
Showing 3 changed files with 5 additions and 3 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.next.asciidoc
Expand Up @@ -97,6 +97,8 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
- Fix failing to enrich process events in sessionmd processor {issue}38955[38955] {pull}39173[39173] {pull}39243[39243]
- Prevent scenario of losing children-related file events in a directory for recursive fsnotify backend of auditbeat file integrity module {pull}39133[39133]
- Allow extra syscalls by auditbeat required in FIM with kprobes back-end {pull}39361[39361]
- Fix losing events in FIM for OS X by allowing always to walk an added directory to monitor {pull}39362[39362]



*Filebeat*
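Review bot: The new entry's wording, "by allowing always to walk an added directory to monitor", is hard to parse; something like "by always walking a directory when it is added to the monitor" reads more clearly. The hunk header grows the section by two lines (-97,6 +97,8) for a single entry, so the second addition appears to be an extra blank line before *Filebeat*; drop it unless the file's layout requires it.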
2 changes: 1 addition & 1 deletion auditbeat/module/file_integrity/monitor/monitor_test.go
Expand Up @@ -192,7 +192,7 @@ func TestRecursiveSubdirPermissions(t *testing.T) {

ev, err := readTimeout(t, watcher)
assert.Equal(t, errReadTimeout, err)
if err != errReadTimeout {
if !errors.Is(err, errReadTimeout) {
t.Fatalf("Expected timeout, got event %+v", ev)
}
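Review bot: The assert.Equal(t, errReadTimeout, err) line directly above the changed condition still compares by equality, so the two checks now disagree on wrapped errors: a wrapped errReadTimeout would satisfy errors.Is but fail the assertion. Consider replacing it with assert.ErrorIs(t, err, errReadTimeout), or dropping one of the two checks, so the test has a single definition of "timed out".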

4 changes: 2 additions & 2 deletions auditbeat/module/file_integrity/monitor/recursive.go
Expand Up @@ -113,11 +113,11 @@ func (watcher *recursiveWatcher) addRecursive(path string) error {
return nil
}

var errs multierror.Errors
if err := watcher.watchFile(path, nil); err != nil {
return fmt.Errorf("failed adding watcher to '%s': %w", path, err)
errs = append(errs, fmt.Errorf("failed adding watcher to '%s': %w", path, err))
}

var errs multierror.Errors
err := filepath.Walk(path, func(walkPath string, info os.FileInfo, fnErr error) error {
if walkPath == path {
return nil
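Review bot: In addRecursive, the failure from watcher.watchFile(path, nil) is now appended to errs and filepath.Walk still runs, but nothing at that spot explains why the early return was removed. Add a short comment above the append stating that the walk must proceed even when adding the watch on the root path fails, because returning early loses events on OS X; otherwise a later cleanup may restore the return. The only test change in this commit is the errors.Is swap in monitor_test.go, so the new path (watchFile fails, walk continues) has no regression test; one that also checks the watchFile error is still surfaced through errs would be worth adding.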