Examples of FIM Log Messages


This topic contains sample log messages emitted by the File Integrity Monitoring (FIM) Add-on for Pivotal Cloud Foundry (PCF).

These samples can be used to configure a Security Information and Event Management (SIEM) system: the periodic heartbeat message confirms that each FIM agent is still reporting, and the remaining message types should generate alerts for file system operations in monitored directories.

FIM Log Message Types

FIM produces many different logs depending on what operation is being performed. The destination for these log files can be configured. For more information on configuring the path, see Configure the Output Destination.

The following examples show each type of FIM log message. Each message is a single syslog line carrying a CEF record; the extension fields after the final `|` of the CEF header are shown on a second line here only for readability. The CEF header's signature ID field is the same value as the `optype` extension field, and the header severity matches the `severity` extension field. The heartbeat has `optype=0` and `severity=0`; all file events have `severity=5`. The `optype` values (1, 2, 4, 8, 16) are powers of two, one bit per operation.

  • HEARTBEAT

    2019-04-05T16:00:27.353542+00:00 localhost filesnitch[6663]: CEF:0|cloud_foundry|fim|1.0.0|0|file integrity monitoring event|0|
    fname="" hostname="fim_1/f66479c7-cd37-4a99-b735-f6f41ba55f01" opname="FILESNITCH CHECKIN" optype=0 ts=1554480027 severity=0

  • CREATE

    2019-04-05T15:52:03.296265+00:00 localhost filesnitch[5990]: CEF:0|cloud_foundry|fim|1.0.0|1|file integrity monitoring event|5|
    fname="/var/vcap/data/jobs/newfile.txt" hostname="fim_1/f66479c7-cd37-4a99-b735-f6f41ba55f01" opname="CREATE" optype=1 ts=1554479523 severity=5

  • WRITE

    2019-04-05T15:52:22.230901+00:00 localhost filesnitch[5990]: CEF:0|cloud_foundry|fim|1.0.0|2|file integrity monitoring event|5|
    fname="/var/vcap/data/jobs/file.txt" hostname="fim_1/f66479c7-cd37-4a99-b735-f6f41ba55f01" opname="WRITE" optype=2 ts=1554479542 severity=5

  • REMOVE

    2019-04-05T15:52:15.636353+00:00 localhost filesnitch[5990]: CEF:0|cloud_foundry|fim|1.0.0|4|file integrity monitoring event|5|
    fname="/var/vcap/data/jobs/file.txt" hostname="fim_1/f66479c7-cd37-4a99-b735-f6f41ba55f01" opname="REMOVE" optype=4 ts=1554479535 severity=5

  • RENAME

    2019-04-05T15:52:28.707094+00:00 localhost filesnitch[5990]: CEF:0|cloud_foundry|fim|1.0.0|8|file integrity monitoring event|5|
    fname="/var/vcap/data/jobs/file.txt" hostname="fim_1/f66479c7-cd37-4a99-b735-f6f41ba55f01" opname="RENAME" optype=8 ts=1554479548 severity=5

  • CHMOD

    2019-04-05T15:52:03.297424+00:00 localhost filesnitch[5990]: CEF:0|cloud_foundry|fim|1.0.0|16|file integrity monitoring event|5|
    fname="/var/vcap/data/jobs/newfile.txt" hostname="fim_1/f66479c7-cd37-4a99-b735-f6f41ba55f01" opname="CHMOD" optype=16 ts=1554479523 severity=5

For more information on formatting logs, see Event Logging.

Examples of Log Messages from Containers

Examples of FIM log messages from Garden containers and Docker containers are as follows. In both cases `fname` is the host-side path of the container's writable layer: the part after `/diff/` is the path as seen inside the container, and the directory name before `/diff/` identifies the layer in the runtime's store (it is not the container ID, so map it back to a container with the runtime's own tooling).

  • For a Garden container in Pivotal Application Service (PAS)

    2019-04-25T14:56:10.158714+00:00 localhost filesnitch[79084]: CEF:0|cloud_foundry|fim|1.0.0|1|file integrity monitoring event|5|
    fname="/var/vcap/data/grootfs/store/unprivileged/images/5c320add-ac1a-4bd7-78b6-1129/diff/home/vcap/app/public/test.html"

  • For a Docker container in Enterprise Pivotal Container Service (Enterprise PKS)

    2019-04-25T18:40:48.937153+00:00 localhost filesnitch[17875]: CEF:0|cloud_foundry|fim|1.0.0|1|file integrity monitoring event|5|
    fname="/var/vcap/store/docker/docker/overlay2/7e5685c735b2aa97a9680e0b81730a518e3188afbf0f9f1529e492f98ed35f1d/diff/test.html"
    hostname="worker/d1d67195-ad42-4025-83e9-0d43a193ad53" opname="CREATE" optype=1 ts=1556217648 severity=5

For how to configure FIM to monitor containers, see Monitor Containers with FIM.
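The following parser and detection logic, added here as an example and not part of the FIM add-on, shows how a SIEM ingestion step can consume the message types listed above and the container examples in this section: it splits the syslog prefix from the CEF header and extension, cross-checks the duplicated signature ID and severity fields, decodes `optype` as a bitmask (the samples each carry one bit; combined values are handled on the assumption that the bits compose), raises one alert per file event, flags hosts whose heartbeat has gone silent, and attributes container paths to their grootfs or overlay2 layer. The sample lines are the page's own examples with the wrapped extension joined back onto the header line; the `privileged` grootfs store path, the heartbeat gap threshold and the alert shape are assumptions.

```python
"""Parse FIM (filesnitch) CEF syslog lines and derive SIEM alerts.

Added example for this page; not code shipped with the FIM add-on.
Assumes the extension fields sit on the same line as the CEF header
(the page wraps them for readability).
"""
import re

# Copied from the page's samples, with the wrapped extension joined onto the header line.
SAMPLE_LINES = [
    '2019-04-05T16:00:27.353542+00:00 localhost filesnitch[6663]: CEF:0|cloud_foundry|fim|1.0.0|0|file integrity monitoring event|0| fname="" hostname="fim_1/f66479c7-cd37-4a99-b735-f6f41ba55f01" opname="FILESNITCH CHECKIN" optype=0 ts=1554480027 severity=0',
    '2019-04-05T15:52:03.296265+00:00 localhost filesnitch[5990]: CEF:0|cloud_foundry|fim|1.0.0|1|file integrity monitoring event|5| fname="/var/vcap/data/jobs/newfile.txt" hostname="fim_1/f66479c7-cd37-4a99-b735-f6f41ba55f01" opname="CREATE" optype=1 ts=1554479523 severity=5',
    '2019-04-05T15:52:22.230901+00:00 localhost filesnitch[5990]: CEF:0|cloud_foundry|fim|1.0.0|2|file integrity monitoring event|5| fname="/var/vcap/data/jobs/file.txt" hostname="fim_1/f66479c7-cd37-4a99-b735-f6f41ba55f01" opname="WRITE" optype=2 ts=1554479542 severity=5',
    '2019-04-05T15:52:15.636353+00:00 localhost filesnitch[5990]: CEF:0|cloud_foundry|fim|1.0.0|4|file integrity monitoring event|5| fname="/var/vcap/data/jobs/file.txt" hostname="fim_1/f66479c7-cd37-4a99-b735-f6f41ba55f01" opname="REMOVE" optype=4 ts=1554479535 severity=5',
    '2019-04-05T15:52:28.707094+00:00 localhost filesnitch[5990]: CEF:0|cloud_foundry|fim|1.0.0|8|file integrity monitoring event|5| fname="/var/vcap/data/jobs/file.txt" hostname="fim_1/f66479c7-cd37-4a99-b735-f6f41ba55f01" opname="RENAME" optype=8 ts=1554479548 severity=5',
    '2019-04-05T15:52:03.297424+00:00 localhost filesnitch[5990]: CEF:0|cloud_foundry|fim|1.0.0|16|file integrity monitoring event|5| fname="/var/vcap/data/jobs/newfile.txt" hostname="fim_1/f66479c7-cd37-4a99-b735-f6f41ba55f01" opname="CHMOD" optype=16 ts=1554479523 severity=5',
    '2019-04-25T18:40:48.937153+00:00 localhost filesnitch[17875]: CEF:0|cloud_foundry|fim|1.0.0|1|file integrity monitoring event|5| fname="/var/vcap/store/docker/docker/overlay2/7e5685c735b2aa97a9680e0b81730a518e3188afbf0f9f1529e492f98ed35f1d/diff/test.html" hostname="worker/d1d67195-ad42-4025-83e9-0d43a193ad53" opname="CREATE" optype=1 ts=1556217648 severity=5',
]

# syslog prefix: "<timestamp> <relay> filesnitch[<pid>]: CEF:..."
SYSLOG_RE = re.compile(r'^(?P<syslog_ts>\S+) (?P<relay>\S+) (?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<cef>CEF:.*)$')
# extension: key=value pairs; string values are double-quoted, numbers are bare
EXT_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')
# optype bits seen on the page; 0 is the heartbeat
OPTYPE_BITS = {1: 'CREATE', 2: 'WRITE', 4: 'REMOVE', 8: 'RENAME', 16: 'CHMOD'}
# Host-side writable-layer paths. The grootfs "privileged" store is an assumption;
# the page only shows the unprivileged one.
LAYER_PATTERNS = [
    ('garden', re.compile(r'^/var/vcap/data/grootfs/store/(?:un)?privileged/images/(?P<id>[^/]+)/diff/(?P<path>.+)$')),
    ('docker', re.compile(r'^/var/vcap/store/docker/docker/overlay2/(?P<id>[0-9a-f]{64})/diff/(?P<path>.+)$')),
]


def decode_optype(optype):
    """Expand the optype bitmask into operation names (assumes bits compose)."""
    if optype == 0:
        return {'HEARTBEAT'}
    return {name for bit, name in OPTYPE_BITS.items() if optype & bit}


def parse_fim_line(line):
    """Return an event dict for a FIM line, or None if it is not a well-formed FIM record."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # CEF header has 7 pipe-separated fields; everything after the 7th pipe is the extension.
    parts = re.split(r'(?<!\\)\|', m['cef'], maxsplit=7)
    if len(parts) != 8 or parts[0] != 'CEF:0' or parts[1:3] != ['cloud_foundry', 'fim']:
        return None
    sig_id, severity, ext = parts[4], parts[6], parts[7]
    fields = {k: (v[1:-1].replace('\\"', '"') if v.startswith('"') else v) for k, v in EXT_RE.findall(ext)}
    try:
        event = {
            'pid': int(m['pid']),
            'hostname': fields.get('hostname', ''),
            'fname': fields.get('fname', ''),
            'opname': fields.get('opname', ''),
            'optype': int(fields.get('optype', -1)),
            'ts': int(fields.get('ts', 0)),
            'severity': int(fields.get('severity', -1)),
        }
        # The header duplicates optype and severity; a mismatch means a truncated or
        # tampered line, so refuse to ingest it rather than trust either copy.
        if int(sig_id) != event['optype'] or int(severity) != event['severity']:
            return None
    except ValueError:
        return None
    event['ops'] = decode_optype(event['optype'])
    return event


def container_layer(fname):
    """Map a host-side path to (runtime, layer id, path inside the container), or None."""
    for runtime, pat in LAYER_PATTERNS:
        m = pat.match(fname)
        if m:
            return runtime, m['id'], '/' + m['path']
    return None


def file_alerts(events, min_severity=5):
    """One alert per non-heartbeat event at or above min_severity (alert shape is assumed)."""
    alerts = []
    for ev in events:
        if 'HEARTBEAT' in ev['ops'] or ev['severity'] < min_severity:
            continue
        alerts.append({'host': ev['hostname'], 'ops': sorted(ev['ops']), 'fname': ev['fname'],
                       'ts': ev['ts'], 'container': container_layer(ev['fname'])})
    return alerts


def silent_agents(events, now, max_gap):
    """Hosts seen in the feed whose last heartbeat is older than max_gap seconds (or missing)."""
    last_beat = {}
    for ev in events:
        if 'HEARTBEAT' in ev['ops']:
            last_beat[ev['hostname']] = max(last_beat.get(ev['hostname'], 0), ev['ts'])
    seen = {ev['hostname'] for ev in events}
    return sorted(h for h in seen if now - last_beat.get(h, 0) > max_gap)


if __name__ == '__main__':
    evs = [e for e in map(parse_fim_line, SAMPLE_LINES) if e]
    for a in file_alerts(evs):
        print(a)
    print('silent:', silent_agents(evs, now=1554480027 + 60, max_gap=300))
```

The heartbeat interval is not stated on this page, so `max_gap` must be set from the interval observed in your own deployment. The overlay2 directory name returned by `container_layer` is the layer's cache ID; on the Docker side it corresponds to the `UpperDir` reported by `docker inspect` (`GraphDriver.Data.UpperDir`), which is how the alert can be tied to a running container.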