From bbf8746d0e0a653c6801f979072e47c15a84d074 Mon Sep 17 00:00:00 2001
From: Panos Koutsovasilis
Date: Thu, 2 May 2024 17:53:15 +0300
Subject: [PATCH] [Auditbeat/FIM/fsnotify]: prevent losing events for recursive mode on OS X (#39362)

* fix(auditbeat/fim/fsnotify): do not return error immediately as this causes losing events on mac
* doc: update CHANGELOG.next.asciidoc
---
 CHANGELOG.next.asciidoc | 1 +
 auditbeat/module/file_integrity/monitor/monitor_test.go | 2 +-
 auditbeat/module/file_integrity/monitor/recursive.go | 4 ++--
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index e9e5ec09236c..587b95ef5e55 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -97,6 +97,7 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Fix failing to enrich process events in sessionmd processor {issue}38955[38955] {pull}39173[39173] {pull}39243[39243]
 - Prevent scenario of losing children-related file events in a directory for recursive fsnotify backend of auditbeat file integrity module {pull}39133[39133]
 - Allow extra syscalls by auditbeat required in FIM with kprobes back-end {pull}39361[39361]
+- Fix losing events in FIM for OS X by allowing always to walk an added directory to monitor {pull}39362[39362]
 *Filebeat*
diff --git a/auditbeat/module/file_integrity/monitor/monitor_test.go b/auditbeat/module/file_integrity/monitor/monitor_test.go
index 2f66d6469b26..506f559be551 100644
--- a/auditbeat/module/file_integrity/monitor/monitor_test.go
+++ b/auditbeat/module/file_integrity/monitor/monitor_test.go
@@ -192,7 +192,7 @@ func TestRecursiveSubdirPermissions(t *testing.T) {
 ev, err := readTimeout(t, watcher)
 assert.Equal(t, errReadTimeout, err)
- if err != errReadTimeout {
+ if !errors.Is(err, errReadTimeout) {
 t.Fatalf("Expected timeout, got event %+v", ev)
 }
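Review bot: The `assert.Equal(t, errReadTimeout, err)` line directly above the changed `if` in TestRecursiveSubdirPermissions still compares by equality, so the two checks now disagree: a wrapped timeout would still be reported as a failure by the assert even though the new `errors.Is` check accepts it. For consistency the assertion could become `assert.ErrorIs(t, err, errReadTimeout)`. The import block is outside the hunk, so confirm that `errors` is imported in monitor_test.go.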
diff --git a/auditbeat/module/file_integrity/monitor/recursive.go b/auditbeat/module/file_integrity/monitor/recursive.go
index 31f2b5383700..6cdb98f84641 100644
--- a/auditbeat/module/file_integrity/monitor/recursive.go
+++ b/auditbeat/module/file_integrity/monitor/recursive.go
@@ -113,11 +113,11 @@ func (watcher *recursiveWatcher) addRecursive(path string) error {
 return nil
 }
+ var errs multierror.Errors
 if err := watcher.watchFile(path, nil); err != nil {
- return fmt.Errorf("failed adding watcher to '%s': %w", path, err)
+ errs = append(errs, fmt.Errorf("failed adding watcher to '%s': %w", path, err))
 }
- var errs multierror.Errors
 err := filepath.Walk(path, func(walkPath string, info os.FileInfo, fnErr error) error {
 if walkPath == path {
 return nil
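Review bot: Nothing at the `watcher.watchFile(path, nil)` call says why its failure is now only appended to `errs` instead of returned, so a later cleanup could easily restore the early return. I would add a comment above the call, for example `// Keep walking even if watching the root fails: returning here loses events for the tree on macOS (#39362).` Because this is the file-integrity watcher, a root that failed to register while its children are still walked is a coverage gap that must stay visible. The rest of addRecursive lies outside the hunk, so confirm that `errs` is still returned at the end (presumably via `errs.Err()`) and that the caller logs it rather than dropping it. The commit also adds no test for the failed-root path; the test hunk only changes an error comparison.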