Hi,

the monitoring of files/folders with a space in the path was not possible using Auditbeat (version 7.13).

We also posted our issue on the Elastic discuss forum a month ago: https://discuss.elastic.co/t/auditbeat-monitoring-of-files-folders-with-a-space-in-the-path-not-possible/277537

The following rules all resulted in errors:

```
-w /tmp/folder with space -p r -k test1
-w "/tmp/folder with space" -p r -k test2
-w '/tmp/folder with space' -p r -k test3
-w /tmp/folder\ with\ space -p r -k test4
-w "/tmp/folder\ with\ space" -p r -k test5
-w '/tmp/folder\ with\ space' -p r -k test6
```

If an auditd key containing a whitespace is used, everything after the whitespace is ignored. For example, if the following rule:

```
-w /tmp/test -p r -k "test matched"
```

is triggered, the log only contains `"test` as auditd key.

Not sure if we missed an obvious way to escape spaces in a path. Even though paths with spaces are rather unusual for Linux, it should be possible.

Note that the Linux audit system (auditd) solves this issue by converting ASCII strings to their hexadecimal representation if they contain special characters (e.g. whitespaces).

Any help will be appreciated.

Kind regards