User field missing in log events for Linux and Windows both
As we dug through the logs, it is difficult to identify which user has modified the files.
Hello @rajwcoupa
Audit for Windows is currently under development, but for Linux it should work, giving you the USERID of each modification. Did you try it? Take a look at our documentation on how to configure Audit: https://documentation.achiefs.com/docs/configuration-file.html#audit
Hi @okynos ,
In the audit section, I am unable to find any reference related to username or user ID being logged in the event data. I expected the event logs to contain user-related details such as uid, gid, or username, but they are not present in the generated events.
Here is my current configuration:

```yaml
node: "FIM"
events:
  destination: file
  file: /var/lib/fim/events.json
audit:
  - path: /tmp
    labels: ["tmp", "linux"]
    ignore: [".swp"]
monitor:
  - path: /bin/
  - path: /usr/bin/
    labels: ["usr/bin", "linux"]
  - path: /etc
    labels: ["config", "linux"]
log:
  file: /var/log/fim/fim.log
  level: debug
```
Below is a sample event from /var/lib/fim/events.json generated with the above configuration:
```json
{
  "checksum": "2ec5c0f07bd5a228ac1d112a1cda0ecf964a3aa6eff44140c4552da08187acd5efe772418e86306957d87dd02f0facf829f7b7de4221152f34c165777c0b2fa1",
  "detailed_operation": "ACCESS_CLOSE_WRITE",
  "file": "/etc/vahana/data/vahana_slaves.json",
  "file_size": 102,
  "fpid": 73077,
  "hostname": "qas3734utl2",
  "id": "0c5dd016-fed8-46a2-99dc-ff57eb5696dd",
  "labels": [ "etc", "linux" ],
  "node": "FIM",
  "operation": "ACCESS",
  "system": "linux",
  "timestamp": "1739804104933",
  "version": "0.5.2"
}
```
As you can see, there are no fields capturing the userid or username associated with the event. Could you confirm if there is a way to enable user-related fields in the logs? Are there any specific configuration changes required to capture user information?
Note: I tried to set the directory to be monitored under audit > path as well, but I see no events being generated for those paths, in this example /tmp.
Thanks!
Do you have the Audit daemon installed? It is required to retrieve additional information from the system. In any case, you should see a message in the logs if FIM cannot find Audit.
Could you try to force an Audit event? For example, perform `touch /tmp/file.txt`.
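The troubleshooting above boils down to one question: for each event, did it come from an audit path (where a user id is expected) or from a monitor path (where it never is), and did every audit path produce anything at all? The script below is an added example, not part of FIM or of this thread; it runs that check over constructed events.json lines built from the samples posted here. The user-field names in `USER_KEYS` and the `/tmp/file.txt` audit event with `uid` are assumptions, since the thread does not show what an audit-backed FIM event actually contains.

```python
import json

# Constructed sample of events.json (one JSON object per line), trimmed to the fields the check uses.
# The first two mirror the monitor events posted in the thread; the third is a hypothetical
# audit-backed event for /tmp/file.txt that carries a user id (assumed field name "uid").
SAMPLE_EVENTS_JSON = "\n".join(json.dumps(e) for e in [
    {"detailed_operation": "ACCESS_CLOSE_WRITE", "file": "/etc/vahana/data/vahana_slaves.json",
     "labels": ["etc", "linux"], "operation": "ACCESS", "system": "linux", "fpid": 73077},
    {"detailed_operation": "MODIFY_RENAME_TO", "file": "/usr/bin/test_26032025.txt",
     "labels": ["usr/bin", "linux"], "operation": "WRITE", "system": "linux", "fpid": 242542},
    {"detailed_operation": "CREATE", "file": "/tmp/file.txt", "labels": ["tmp", "linux"],
     "operation": "WRITE", "system": "linux", "fpid": 4242, "uid": 1000},
])

# Assumption: an audit-backed event exposes the acting user under one of these keys.
USER_KEYS = ("uid", "auid", "user", "username", "gid")


def has_user_attribution(event):
    """True if the event carries any of the assumed user-attribution fields."""
    return any(k in event for k in USER_KEYS)


def longest_prefix(path, candidates):
    """Return the configured directory that contains `path` (longest match), or None."""
    hits = [c for c in candidates if path.startswith(c.rstrip("/") + "/")]
    return max(hits, key=len) if hits else None


def audit_gap_report(events_json, audit_paths, monitor_paths):
    """Explain, per event, why a user field is or is not expected, and flag silent audit paths."""
    findings, seen_audit = [], set()
    for line in events_json.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        f = ev["file"]
        a, m = longest_prefix(f, audit_paths), longest_prefix(f, monitor_paths)
        if a:  # audit path: user attribution is expected, its absence points at auditd
            seen_audit.add(a)
            if not has_user_attribution(ev):
                findings.append((f, f"audit path {a} but no user field: is auditd installed and running?"))
        elif m:  # monitor path: these events are produced without Audit and never name a user
            findings.append((f, f"monitor-only path {m}: monitor events never carry a user"))
        else:
            findings.append((f, "no configured path matches"))
    for a in audit_paths:  # an audit path with zero events usually means Audit is not working
        if a not in seen_audit:
            findings.append((a, "audit path produced no events: check auditd and force an event with touch"))
    return findings
```

Run it as `audit_gap_report(open("/var/lib/fim/events.json").read(), ["/tmp"], ["/bin/", "/usr/bin/", "/etc"])` against a real events file, substituting the `audit` and `monitor` paths from your own config.yml.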
Hello everyone. Thanks for this tool. But I ran into the same problem, there is no user field in Windows and Linux. Which Audit daemon are you talking about, where can I find it? Please clarify, is it worth waiting in the coming weeks or months for Windows in the first place?
Config (Linux):

```yaml
events:
  watcher: Recommended
  destination: both
  endpoint:
    address: "http://test:8080"
    insecure: true
    index: "fim-test-index"
    credentials:
      user: "admin"
      password: "admin"
  file: /var/lib/fim/events.json
audit:
  - path: /usr/bin/
    labels: ["/usr/bin", "linux"]
    ignore: [".swp"]
monitor:
  - path: /bin/
  - path: /usr/bin/
    labels: ["usr/bin", "linux"]
  - path: /etc
    labels: ["etc", "linux"]
log:
  file: /var/log/fim/fim.log
  # Available levels [debug, info, error, warning]
  level: info
```
Linux:

```json
{"checksum":"a69f73cca23a9ac5c8b567dc185a756e97c982164fe25859e0d1dcc1475c80a615b2123af1f5f94c11e3e9402c3ac558f500199d95b6d3e301758586281dcd26","detailed_operation":"MODIFY_RENAME_TO","file":"/usr/bin/test_26032025.txt","file_size":0,"fpid":242542,"hostname":"test","id":"e63e2664-cb59-4236-9ae8-4bf38427904c","labels":["usr/bin","linux"],"node":"FIM_TEST","operation":"WRITE","system":"linux","timestamp":"1742998308051","version":"0.5.2"}
```

Windows:

```json
{"checksum":"UNKNOWN","detailed_operation":"MODIFY_ANY","file":"C:\\Temp\\test","file_size":0,"fpid":19320,"hostname":"TEST","id":"8e16f1c9-e731-4c9e-9ae8-87b69a18d012","labels":["Temp"],"node":"FIM","operation":"WRITE","system":"windows","timestamp":"1742993894854","version":"0.5.2"}
```
Hello @TurtleOld, could you check your fim.log file at /var/log/fim/fim.log for some indication of an issue with Audit? Audit is a daemon/service that usually comes with many Linux distributions, but sometimes it doesn't, so you may need to install it.
If you are testing FIM in a container, it could not work with Audit (it technically can, but will require a few more steps and permissions to work).
That's the main reason to produce monitor events in the first place (monitor events are what you are currently getting).
Currently, to fetch user information in Windows, there is development in progress, but it is not ready yet; it will probably be out soon. Let me know if any of those indications solve the problem. Thanks for taking the time to use FIM!
@okynos Thanks, auditd was not installed on Linux. Is it possible to find out about Windows: are there any immediate plans to introduce a feature to display the user who changed the directory or file?
@TurtleOld Yes, there is a development branch in progress; take a look at the related issue about Windows Audit information: https://github.com/Achiefs/fim/issues/82 (the branch is https://github.com/Achiefs/fim/tree/82-add-audit-windows). Feel free to review the code and include modifications if you wish. Unfortunately, right now I'm focused on https://github.com/Achiefs/fim/issues/177; this development will be out soon and then I will jump to Audit. Thanks for using FIM.