[auditbeat][fim] Revert "Update Auditbeat file_integrity module to default to auto backend with intelligent fallback" by marc-gr · Pull Request #50166 · elastic/beats

marc-gr · 2026-04-16T14:13:54Z

After some consideration we decided to revert this even after going through the breaking change committee as we need to figure out what the real impact it might have on current users.

…fault to…" This reverts commit f2a90c5.

elasticmachine · 2026-04-16T14:14:00Z

Pinging @elastic/sec-windows-platform (Team:Security-Windows Platform)

github-actions · 2026-04-16T14:14:07Z

🤖 GitHub comments

Just comment with:

run docs-build : Re-trigger the docs validation. (use unformatted text in the comment!)

github-actions · 2026-04-16T14:15:15Z

🔍 Preview links for changed docs

github-actions · 2026-04-16T14:15:19Z

Vale Linting Results

Summary: 9 suggestions found

💡 Suggestions (9)

File	Line	Rule	Message
docs/reference/auditbeat/auditbeat-module-file_integrity.md	22	Elastic.Wordiness	Consider using 'because' instead of 'since'.
docs/reference/auditbeat/auditbeat-module-file_integrity.md	22	Elastic.Wordiness	Consider using 'to' instead of 'in order to'.
docs/reference/auditbeat/auditbeat-module-file_integrity.md	26	Elastic.Wordiness	Consider using 'because' instead of 'Since'.
docs/reference/auditbeat/auditbeat-module-file_integrity.md	27	Elastic.Wordiness	Consider using 'because' instead of 'since'.
docs/reference/auditbeat/auditbeat-module-file_integrity.md	27	Elastic.WordChoice	Consider using 'can, might' instead of 'may', unless the term is in the UI.
docs/reference/auditbeat/auditbeat-module-file_integrity.md	74	Elastic.Semicolons	Use semicolons judiciously.
docs/reference/auditbeat/auditbeat-module-file_integrity.md	86	Elastic.Wordiness	Consider using 'because' instead of 'since'.
docs/reference/auditbeat/auditbeat-module-file_integrity.md	92	Elastic.WordChoice	Consider using 'deactivates, deselects, hides, turns off, makes unavailable' instead of 'disables', unless the term is in the UI.
docs/reference/auditbeat/auditbeat-module-file_integrity.md	137	Elastic.Semicolons	Use semicolons judiciously.

The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.

coderabbitai · 2026-04-16T14:23:30Z

📝 Walkthrough

Walkthrough

The PR refactors the file_integrity module's backend selection mechanism from a dynamic auto-fallback system to explicit, OS-specific defaults. The Backend configuration field now defaults to fsnotify instead of auto, eliminating auto-selection logic previously contained in eventreader.go. Backend-specific reader constructors are simplified via platform-specific NewEventReader factory functions that dispatch explicitly based on the configured backend. Configuration validation was updated to enforce OS-specific backend restrictions. Documentation, configuration templates, and tests were updated to reflect these new defaults and behavior changes.

Possibly related PRs

[auditbeat][fim] Update Auditbeat file_integrity module to default to auto backend with intelligent fallback #47498: Directly related PR that adds auto-fallback mechanism and auto default, opposing the direction of this PR which removes auto-fallback and sets explicit fsnotify default.

Suggested labels

docs

✨ Finishing Touches

📝 Generate docstrings

Create stacked PR
Commit on current branch

🧪 Generate unit tests (beta)

Create PR with unit tests
Commit unit tests in branch revert-47498-feat/fim-auto-backend

🛠️ Update Documentation: Commit on current branch
🛠️ Update Documentation: Create PR

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

coderabbitai

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@auditbeat/auditbeat.reference.yml`:
- Around line 102-106: The reference config hard-codes backend: fsnotify which
is rejected by Config.Validate on Windows; update the top-level backend entry
(the "backend" field in auditbeat.reference.yml) to be platform-neutral by
either removing the explicit backend line or setting it to "auto" (or generate
OS-specific variants) so Windows users copying the reference do not get a
validation error; ensure any documentation/x-pack copies are updated the same
way.

In `@auditbeat/module/file_integrity/config.go`:
- Around line 179-198: Validation currently only checks runtime.GOOS and allows
backends that won't be available on the built architecture and doesn't enforce
ETW rules for resolved-backend auto/unset; update the checks around c.Backend
(BackendETW, BackendAuto) and the flush_interval validation so you first resolve
what backend will actually be used given runtime.GOOS and runtime.GOARCH (treat
BackendAuto or empty as the platform default), then validate: 1) reject ebpf on
linux when runtime.GOARCH is not amd64/arm64, 2) reject etw on non-windows, 3)
ensure flush_interval >= 1s whenever the resolved backend is ETW (i.e. c.Backend
== BackendETW or resolved backend == ETW for BackendAuto/empty on Windows), and
append errors to errs accordingly using the existing symbols (c.Backend,
BackendETW, BackendAuto, c.FlushInterval).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

Push a commit to this branch (recommended)
Create a new PR with the fixes

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 7d97c923-b415-4bc9-a09e-65cc7aa05700

📥 Commits

Reviewing files that changed from the base of the PR and between 1b1113d and a55a136.

📒 Files selected for processing (20)

auditbeat/auditbeat.reference.yml
auditbeat/module/file_integrity/_meta/config.yml.tmpl
auditbeat/module/file_integrity/_meta/docs.md
auditbeat/module/file_integrity/config.go
auditbeat/module/file_integrity/ebpfreader_supported.go
auditbeat/module/file_integrity/eventreader.go
auditbeat/module/file_integrity/eventreader_fsevents.go
auditbeat/module/file_integrity/eventreader_fsnotify.go
auditbeat/module/file_integrity/eventreader_kprobes.go
auditbeat/module/file_integrity/eventreader_linux.go
auditbeat/module/file_integrity/eventreader_other.go
auditbeat/module/file_integrity/eventreader_test.go
auditbeat/module/file_integrity/eventreader_windows.go
auditbeat/module/file_integrity/eventreader_windows_test.go
auditbeat/module/file_integrity/metricset_test.go
auditbeat/tests/system/test_file_integrity.py
changelog/fragments/1730894400-auditbeat-fim-backend-auto-fallback.yaml
docs/reference/auditbeat/auditbeat-module-file_integrity.md
docs/reference/auditbeat/auditbeat-reference-yml.md
x-pack/auditbeat/auditbeat.reference.yml

💤 Files with no reviewable changes (7)

changelog/fragments/1730894400-auditbeat-fim-backend-auto-fallback.yaml
auditbeat/tests/system/test_file_integrity.py
auditbeat/module/file_integrity/eventreader_windows_test.go
auditbeat/module/file_integrity/metricset_test.go
auditbeat/module/file_integrity/eventreader_test.go
auditbeat/module/file_integrity/eventreader.go
auditbeat/module/file_integrity/eventreader_fsnotify.go

coderabbitai · 2026-04-16T14:23:33Z

  # Select the backend which will be used to source events.
  # "fsnotify" doesn't have the ability to associate user data to file events.
  # Valid values: auto, fsnotify, kprobes, ebpf.
-  # When "auto" is used, the module will try backends in order of preference:
-  # - Linux: ebpf -> kprobes -> fsnotify
-  # - Windows: etw -> fsnotify
-  # Default: auto.
-  backend: auto
+  # Default: fsnotify.
+  backend: fsnotify


⚠️ Potential issue | 🟠 Major

This reference config is now invalid on Windows.

Config.Validate rejects fsnotify on Windows, but this top-level reference file hard-codes backend: fsnotify unconditionally. A Windows user copying this block from the shipped reference config will get a config error immediately. Keep this reference platform-neutral (auto/omitted) or generate OS-specific variants; the docs and x-pack copies need the same correction.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@auditbeat/auditbeat.reference.yml` around lines 102 - 106, The reference config hard-codes backend: fsnotify which is rejected by Config.Validate on Windows; update the top-level backend entry (the "backend" field in auditbeat.reference.yml) to be platform-neutral by either removing the explicit backend line or setting it to "auto" (or generate OS-specific variants) so Windows users copying the reference do not get a validation error; ensure any documentation/x-pack copies are updated the same way.

coderabbitai · 2026-04-16T14:23:33Z

+	if c.Backend != "" {
+		switch runtime.GOOS {
+		case "linux":
+			if c.Backend == BackendETW {
+				errs = append(errs, errors.New("backend etw is not supported on linux"))
+			}
+		case "windows":
+			if c.Backend != BackendETW && c.Backend != BackendAuto {
+				errs = append(errs, errors.New("windows only supports etw or auto backend"))
+			}
+		default:
+			if c.Backend != BackendAuto {
+				errs = append(errs, errors.New("backend can only be specified on linux or windows"))
+			}
 		}
 	}

 	// Validate flush_interval for ETW backend
-	if runtime.GOOS == "windows" && (c.Backend == BackendETW || c.Backend == "auto" || c.Backend == "") && c.FlushInterval < time.Second {
+	if c.Backend == BackendETW && c.FlushInterval < time.Second {
 		errs = append(errs, fmt.Errorf("flush_interval must be at least 1 second, got %v", c.FlushInterval))


⚠️ Potential issue | 🟠 Major

Backend validation regressed for real runtime support.

This now validates by GOOS only, so Linux accepts backend: ebpf even on non-amd64/arm64 builds where the eBPF reader is not compiled, and Windows no longer enforces the ETW flush_interval >= 1s rule for backend: auto/unset even though those values still resolve to ETW. That turns invalid configs into late startup failures instead of rejecting them up front.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed. In `@auditbeat/module/file_integrity/config.go` around lines 179 - 198, Validation currently only checks runtime.GOOS and allows backends that won't be available on the built architecture and doesn't enforce ETW rules for resolved-backend auto/unset; update the checks around c.Backend (BackendETW, BackendAuto) and the flush_interval validation so you first resolve what backend will actually be used given runtime.GOOS and runtime.GOARCH (treat BackendAuto or empty as the platform default), then validate: 1) reject ebpf on linux when runtime.GOARCH is not amd64/arm64, 2) reject etw on non-windows, 3) ensure flush_interval >= 1s whenever the resolved backend is ETW (i.e. c.Backend == BackendETW or resolved backend == ETW for BackendAuto/empty on Windows), and append errors to errs accordingly using the existing symbols (c.Backend, BackendETW, BackendAuto, c.FlushInterval).

github-actions · 2026-04-17T07:53:30Z

TL;DR

golangci-lint is still failing for PR #50166 across all matrix jobs, and this run now has multiple lint classes (not only forbidigo). Immediate action: fix the auditbeat/module/file_integrity/*_test.go lint findings (especially unchecked errors + forbidden logger creation), then re-run lint.

Remediation

Replace test-time logp.NewLogger(...) usage with test logger helpers (logptest.NewTestingLogger(t, "")) in:
- auditbeat/module/file_integrity/eventreader_test.go:54
- auditbeat/module/file_integrity/eventreader_test.go:256
- auditbeat/module/file_integrity/eventreader_windows_test.go:691
Fix unchecked errors (errcheck) by asserting returned errors in:
- auditbeat/module/file_integrity/metricset_test.go:148 (all OS)
- auditbeat/module/file_integrity/metricset_test.go:213 (macOS/ubuntu)
- auditbeat/module/file_integrity/metricset_test.go:273 (macOS/ubuntu)
- auditbeat/module/file_integrity/eventreader_windows_test.go:757, :781, :867 (windows)
Clean remaining lint in tests:
- testifylint (eventreader_test.go:78: prefer assert.Equal)
- windows-only: gosec (eventreader_windows_test.go:876) and unused helpers (:532, :581, :628, :654)
Re-run golangci-lint for auditbeat/module/file_integrity (or re-run the workflow) after updates.

Investigation details

Root Cause

The failing step is golangci-lint (step 5) in all three jobs (lint (ubuntu-latest), lint (macos-latest), lint (windows-latest)).

Compared with the previous detective report, the failure is not materially the same anymore: this run includes additional errcheck, testifylint, and (on Windows) gosec + unused errors, beyond forbidigo.

Evidence

Workflow: https://github.com/elastic/beats/actions/runs/24553246113
Jobs/step:
- lint (ubuntu-latest) → golangci-lint
- lint (macos-latest) → golangci-lint
- lint (windows-latest) → golangci-lint
Key log excerpts:
- ##[error]auditbeat/module/file_integrity/metricset_test.go:148:11: Error return value is not checked (errcheck)
- ##[error]auditbeat/module/file_integrity/eventreader_test.go:54:35: use of \logp.NewLogger` forbidden ... (forbidigo)`
- ##[error]auditbeat/module/file_integrity/eventreader_test.go:78:4: equal-values: use assert.Equal (testifylint)
- ##[error]auditbeat\module\file_integrity\eventreader_windows_test.go:876:9: G204: Subprocess launched with a potential tainted input or cmd arguments (gosec)
- ##[error]auditbeat\module\file_integrity\eventreader_windows_test.go:532:6: func testDeleteSymlink is unused (unused)

Validation

Not run locally in this workflow context (analysis based on workflow job logs).

Follow-up

After fixing the test files above, re-trigger lint; if anything remains, iterate on only the remaining reported lines (current failures are concentrated under auditbeat/module/file_integrity).

What is this? | From workflow: PR Actions Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

Revert "[auditbeat][fim] Update Auditbeat file_integrity module to de…

a55a136

…fault to…" This reverts commit f2a90c5.

marc-gr requested review from a team as code owners April 16, 2026 14:13

marc-gr added Auditbeat Team:Security-Windows Platform Windows Platform Team in Security Solution backport-9.4 labels Apr 16, 2026

botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Apr 16, 2026

botelastic bot removed the needs_team Indicates that the issue/PR needs a Team:* label label Apr 16, 2026

marc-gr requested a review from a team April 16, 2026 14:15

github-actions bot deployed to docs-preview April 16, 2026 14:15 View deployment

marc-gr added the skip-changelog label Apr 16, 2026

coderabbitai bot reviewed Apr 16, 2026

View reviewed changes

mergify bot assigned marc-gr Apr 16, 2026

This comment has been minimized.

Sign in to view

Merge branch 'main' into revert-47498-feat/fim-auto-backend

48793df

github-actions bot deployed to docs-preview April 17, 2026 07:26 View deployment

Conversation

marc-gr commented Apr 16, 2026

Uh oh!

elasticmachine commented Apr 16, 2026

Uh oh!

github-actions bot commented Apr 16, 2026

🤖 GitHub comments

Uh oh!

github-actions bot commented Apr 16, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🔍 Preview links for changed docs

Uh oh!

github-actions bot commented Apr 16, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Vale Linting Results

Uh oh!

coderabbitai bot commented Apr 16, 2026

Walkthrough

Possibly related PRs

Suggested labels

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Apr 16, 2026

Choose a reason for hiding this comment

Uh oh!

coderabbitai bot Apr 16, 2026

Choose a reason for hiding this comment

Uh oh!

This comment has been minimized.

github-actions bot commented Apr 17, 2026

TL;DR

Remediation

Root Cause

Evidence

Validation

Follow-up

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

github-actions bot commented Apr 16, 2026 •

edited

Loading

github-actions bot commented Apr 16, 2026 •

edited

Loading