From c6187b6ca981916ed9c347bc18415bd48d31ee9a Mon Sep 17 00:00:00 2001
From: Panos Koutsovasilis
Date: Thu, 2 May 2024 17:53:15 +0300
Subject: [PATCH] [Auditbeat/FIM/fsnotify]: prevent losing events for recursive mode on OS X (#39362)
* fix(auditbeat/fim/fsnotify): do not return error immediately as this causes losing events on mac
* doc: update CHANGELOG.next.asciidoc
(cherry picked from commit bbf8746d0e0a653c6801f979072e47c15a84d074)
---
 CHANGELOG.next.asciidoc | 2 ++
 auditbeat/module/file_integrity/monitor/monitor_test.go | 2 +-
 auditbeat/module/file_integrity/monitor/recursive.go | 4 ++--
 3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index f45083c0d19..269b13ec660 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -96,6 +96,8 @@ https://github.com/elastic/beats/compare/v8.8.1\...main[Check the HEAD diff]
 - Set field types to correctly match ECS in sessionmd processor {issue}38955[38955] {pull}38994[38994]
 - Fix failing to enrich process events in sessionmd processor {issue}38955[38955] {pull}39173[39173] {pull}39243[39243]
 - Prevent scenario of losing children-related file events in a directory for recursive fsnotify backend of auditbeat file integrity module {pull}39133[39133]
+- Allow extra syscalls by auditbeat required in FIM with kprobes back-end {pull}39361[39361]
+- Fix losing events in FIM for OS X by allowing always to walk an added directory to monitor {pull}39362[39362]
 *Filebeat*
diff --git a/auditbeat/module/file_integrity/monitor/monitor_test.go b/auditbeat/module/file_integrity/monitor/monitor_test.go
index 2f66d6469b2..506f559be55 100644
--- a/auditbeat/module/file_integrity/monitor/monitor_test.go
+++ b/auditbeat/module/file_integrity/monitor/monitor_test.go
@@ -192,7 +192,7 @@ func TestRecursiveSubdirPermissions(t *testing.T) {
 ev, err := readTimeout(t, watcher)
 assert.Equal(t, errReadTimeout, err)
- if err != errReadTimeout {
+ if !errors.Is(err, errReadTimeout) {
 t.Fatalf("Expected timeout, got event %+v", ev)
 }
diff --git a/auditbeat/module/file_integrity/monitor/recursive.go b/auditbeat/module/file_integrity/monitor/recursive.go
index 31f2b538370..6cdb98f8464 100644
--- a/auditbeat/module/file_integrity/monitor/recursive.go
+++ b/auditbeat/module/file_integrity/monitor/recursive.go
@@ -113,11 +113,11 @@ func (watcher *recursiveWatcher) addRecursive(path string) error {
 return nil
 }
+ var errs multierror.Errors
 if err := watcher.watchFile(path, nil); err != nil {
- return fmt.Errorf("failed adding watcher to '%s': %w", path, err)
+ errs = append(errs, fmt.Errorf("failed adding watcher to '%s': %w", path, err))
 }
- var errs multierror.Errors
 err := filepath.Walk(path, func(walkPath string, info os.FileInfo, fnErr error) error {
 if walkPath == path {
 return nil
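Review bot: In TestRecursiveSubdirPermissions (monitor_test.go) the context line `assert.Equal(t, errReadTimeout, err)` still compares the error by equality, so the new `errors.Is` check does not make the test tolerant of a wrapped timeout error; the assertion above it would already mark the test failed. Using `assert.ErrorIs(t, err, errReadTimeout)` on that line keeps the two checks consistent. The hunk adds no import, so this presumably relies on `errors` already being imported in the file.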
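Review bot: Nothing in addRecursive (recursive.go) records why a `watcher.watchFile(path, nil)` failure is now appended to `errs` instead of returned, so a later cleanup could easily restore the early return. The commit message gives the reason, so it belongs beside the code, for example `// Keep walking even if watching the root fails: returning here loses events on macOS.` The walk now also proceeds after a failed root watch on every platform, which can leave a partially watched tree; the function's tail is outside the hunk, so confirm that `errs` is still returned and surfaced by the caller so a gap in file-integrity coverage stays visible. No test in this patch exercises the failing-root case.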