DOCS: improve exclude_files option of file_integrity v2

elastic · Jun 10, 2023 · 32226ce · 32226ce
1 parent 526e6d2
commit 32226ce
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 14 deletions.
diff --git a/auditbeat/auditbeat.reference.yml b/auditbeat/auditbeat.reference.yml
@@ -80,6 +80,9 @@ auditbeat.modules:
   - /usr/sbin
   - /etc
 
+  # Detect changes to files included in subdirectories. Disabled by default.
+  recursive: false
+
   # List of regular expressions to filter out notifications for unwanted files.
   # Wrap in single quotes to workaround YAML escaping rules. By default no files
   # are ignored.
@@ -88,6 +91,10 @@ auditbeat.modules:
   - '~$'
   - '/\.git($|/)'
 
+  # If recursive is set to true, subdirectories can also be excluded here by
+  #  specifying them.
+  # - '(?i)/tmp/'
+
   # List of regular expressions used to explicitly include files. When configured,
   # Auditbeat will ignore files unless they match a pattern.
   #include_files:
@@ -110,9 +117,6 @@ auditbeat.modules:
   # Default is sha1.
   hash_types: [sha1]
 
-  # Detect changes to files included in subdirectories. Disabled by default.
-  recursive: false
-
   # Set to true to publish fields with null values in events.
   #keep_null: false
 

diff --git a/auditbeat/docs/modules/file_integrity.asciidoc b/auditbeat/docs/modules/file_integrity.asciidoc
@@ -19,7 +19,7 @@ This module uses features of the operating system to monitor file changes in
 realtime. When the module starts it creates a subscription with the OS to
 receive notifications of changes to the specified files or directories. Upon
 receiving notification of a change the module will read the file's metadata
-and the compute a hash of the file's contents.
+and then compute a hash of the file's contents.
 
 At startup this module will perform an initial scan of the configured files
 and directories to generate baseline data for the monitored paths and detect
@@ -56,6 +56,7 @@ Linux.
   - /sbin
   - /usr/sbin
   - /etc
+  recursive: false
   exclude_files:
   - '(?i)\.sw[nop]$'
   - '~$'
@@ -65,7 +66,6 @@ Linux.
   scan_rate_per_sec: 50 MiB
   max_file_size: 100 MiB
   hash_types: [sha1]
-  recursive: false
 ----
 
 This module also supports the
@@ -82,6 +82,12 @@ the watch target. If the link does not resolve to a valid target, the symbolic
 link itself will be watched; if the symlink target becomes valid after module
 start up this will not be picked up by the file system watches.
 
+*`recursive`*:: By default, the watches set to the paths specified in
+`paths` are not recursive. This means that only changes to the contents
+of this directories are watched. If `recursive` is set to `true`, the
+`file_integrity` module will watch for changes on this directories and all
+their subdirectories.
+
 *`exclude_files`*:: A list of regular expressions used to filter out events
 for unwanted files. The expressions are matched against the full path of every
 file and directory. When used in conjunction with `include_files`, file paths need
@@ -90,6 +96,8 @@ By default, no files are excluded. See <<regexp-support>>
 for a list of supported regexp patterns. It is recommended to wrap regular
 expressions in single quotation marks to avoid issues with YAML escaping
 rules.
+If recursive is set to true, subdirectories can also be excluded here by
+specifying them.
 
 *`include_files`*:: A list of regular expressions used to specify which files to
 select. When configured, only files matching the pattern will be monitored.
@@ -138,12 +146,6 @@ when a file event involves the file. Files that are not targets of the specific
 file parser are only sniffed to examine whether analysis should proceed. This will
 usually only involve reading a small number of bytes.
 
-*`recursive`*:: By default, the watches set to the paths specified in
-`paths` are not recursive. This means that only changes to the contents
-of this directories are watched. If `recursive` is set to `true`, the
-`file_integrity` module will watch for changes on this directories and all
-their subdirectories.
-
 include::{docdir}/auditbeat-options.asciidoc[]
 
 

diff --git a/x-pack/auditbeat/auditbeat.reference.yml b/x-pack/auditbeat/auditbeat.reference.yml
@@ -80,6 +80,9 @@ auditbeat.modules:
   - /usr/sbin
   - /etc
 
+  # Detect changes to files included in subdirectories. Disabled by default.
+  recursive: false
+
   # List of regular expressions to filter out notifications for unwanted files.
   # Wrap in single quotes to workaround YAML escaping rules. By default no files
   # are ignored.
@@ -88,6 +91,10 @@ auditbeat.modules:
   - '~$'
   - '/\.git($|/)'
 
+  # If recursive is set to true, subdirectories can also be excluded here by
+  #  specifying them.
+  # - '(?i)/tmp/'
+
   # List of regular expressions used to explicitly include files. When configured,
   # Auditbeat will ignore files unless they match a pattern.
   #include_files:
@@ -110,9 +117,6 @@ auditbeat.modules:
   # Default is sha1.
   hash_types: [sha1]
 
-  # Detect changes to files included in subdirectories. Disabled by default.
-  recursive: false
-
   # Set to true to publish fields with null values in events.
   #keep_null: false