Log Messages

This topic provides information about log messages emitted by Pivotal File Integrity Monitoring (FIM).

FIM emits one log message for each file system operation it observes in a monitored directory, plus a FILESNITCH CHECKIN message that carries no file name. Forward these messages to a Security Information and Event Management (SIEM) system to confirm that FIM is reporting from each VM and to alert on file system operations in monitored directories.

Log Output Destination

FIM writes all of its log messages to a single file on each VM where it runs. The location depends on the operating system:

  • In Linux, these logs are located in /var/vcap/sys/log/fim/fim.stdout.log.
  • In Windows, these logs are located in C:\var\vcap\sys\log\fim-windows\filesnitch\job-service-wrapper.out.log.

Log Format

FIM can emit logs in the default format or you can configure a custom format using the Output log format field. For information about configuring the log format, see Output Log Format.

Examples of Log Messages

This section contains sample log messages emitted by FIM: one for each operation type, and one for each supported container runtime. Use them to build and test SIEM parsers and alert rules.

FIM Log Message Types

Each message is a single syslog line whose payload is a Common Event Format (CEF) record; the samples below are wrapped after the CEF header for readability. The seven pipe-delimited header fields are the CEF version, the vendor (cloud_foundry), the product (fim), the product version, a signature ID equal to the optype value, the event name, and the severity. The extension that follows carries the affected path (fname, empty for a check-in), the BOSH instance group and instance ID of the VM that emitted the message (hostname), the operation name (opname) and its numeric type (optype), the Unix timestamp of the event (ts), and the severity again. The check-in message has severity 0; every file operation in these samples has severity 5. The list below contains one example FIM log message for each operation:

  • FILESNITCH CHECKIN

    2019-04-05T16:00:27.353542+00:00 localhost filesnitch[6663]: CEF:0|cloud_foundry|fim|1.0.0|0|file integrity monitoring event|0|
    fname="" hostname="fim_1/f66479c7-cd37-4a99-b735-f6f41ba55f01" opname="FILESNITCH CHECKIN" optype=0 ts=1554480027 severity=0

  • CREATE

    2019-04-05T15:52:03.296265+00:00 localhost filesnitch[5990]: CEF:0|cloud_foundry|fim|1.0.0|1|file integrity monitoring event|5|
    fname="/var/vcap/data/jobs/newfile.txt" hostname="fim_1/f66479c7-cd37-4a99-b735-f6f41ba55f01" opname="CREATE" optype=1 ts=1554479523 severity=5

  • WRITE

    2019-04-05T15:52:22.230901+00:00 localhost filesnitch[5990]: CEF:0|cloud_foundry|fim|1.0.0|2|file integrity monitoring event|5|
    fname="/var/vcap/data/jobs/file.txt" hostname="fim_1/f66479c7-cd37-4a99-b735-f6f41ba55f01" opname="WRITE" optype=2 ts=1554479542 severity=5

  • REMOVE

    2019-04-05T15:52:15.636353+00:00 localhost filesnitch[5990]: CEF:0|cloud_foundry|fim|1.0.0|4|file integrity monitoring event|5|
    fname="/var/vcap/data/jobs/file.txt" hostname="fim_1/f66479c7-cd37-4a99-b735-f6f41ba55f01" opname="REMOVE" optype=4 ts=1554479535 severity=5

  • RENAME

    2019-04-05T15:52:28.707094+00:00 localhost filesnitch[5990]: CEF:0|cloud_foundry|fim|1.0.0|8|file integrity monitoring event|5|
    fname="/var/vcap/data/jobs/file.txt" hostname="fim_1/f66479c7-cd37-4a99-b735-f6f41ba55f01" opname="RENAME" optype=8 ts=1554479548 severity=5

  • CHMOD

    2019-04-05T15:52:03.297424+00:00 localhost filesnitch[5990]: CEF:0|cloud_foundry|fim|1.0.0|16|file integrity monitoring event|5|
    fname="/var/vcap/data/jobs/newfile.txt" hostname="fim_1/f66479c7-cd37-4a99-b735-f6f41ba55f01" opname="CHMOD" optype=16 ts=1554479523 severity=5

Examples of Log Messages from Containers

The list below contains examples of FIM log messages for files changed inside Garden containers and Docker containers. Because FIM runs on the host VM, fname is the host-side path into the container's filesystem layer (for example the grootfs image or Docker overlay2 diff directory), not the path the application sees inside the container, so a SIEM rule that matches on in-container paths must account for that prefix:

  • For a Garden container in Pivotal Application Service (PAS)

    CEF:0|cloud_foundry|fim|1.0.0|1|file integrity monitoring event|5|
    fname="/var/vcap/data/grootfs/store/unprivileged/images/5c320add-ac1a-4bd7-78b6-1129/diff/home/vcap/app/public/test.html"

  • For a Windows Garden container in Pivotal Application Service for Windows (PASW)

    CEF:0|cloud_foundry|fim|1.0.0|1|file integrity monitoring event|5|
    fname="C:\proc\8174\root\Users\vcap\app\test.html"
    hostname="windows_diego_cell/be1f4854-299d-47d1-98eb-60b0741a3f6b" opname="CREATE" optype=1 ts=1556218123 severity=5

  • For a Docker container in Enterprise Pivotal Container Service (PKS)

    CEF:0|cloud_foundry|fim|1.0.0|1|file integrity monitoring event|5|
    fname="/var/vcap/store/docker/docker/overlay2/7e5685c735b2aa97a9680e0b81730a518e3188afbf0f9f1529e492f98ed35f1d/diff/test.html"
    hostname="worker/d1d67195-ad42-4025-83e9-0d43a193ad53" opname="CREATE" optype=1 ts=1556217648 severity=5

For how to configure FIM to monitor containers, see Monitor Containers with FIM.
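
The Python below is an added example, not code from the FIM product or its documentation, covering both the per-operation messages and the container messages above. It splits the CEF header from the extension (honouring CEF's escaped pipe), reads the fname, hostname, opname, optype, ts and severity fields, maps a container event's host-side fname back to the runtime, container ID and the path the workload sees inside the container, and separates FILESNITCH CHECKIN heartbeats from file operations so a SIEM can alert on the latter and flag VMs whose check-ins have stopped. The sample log lines are constructed from the page's examples (the container lines get an invented syslog prefix), the in-container path reconstruction is an assumption about each runtime's writable-layer layout, and the five-minute heartbeat threshold is an assumed default.

```python
"""Parse FIM CEF log lines, attribute container events and decide what to alert on."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed input, not captured from a live system: the first three lines are the
# page's Linux samples re-joined onto one physical line each; the last two are the
# page's Windows and Docker container samples with an invented syslog prefix.
SAMPLE_LOG = r"""
2019-04-05T16:00:27.353542+00:00 localhost filesnitch[6663]: CEF:0|cloud_foundry|fim|1.0.0|0|file integrity monitoring event|0|fname="" hostname="fim_1/f66479c7-cd37-4a99-b735-f6f41ba55f01" opname="FILESNITCH CHECKIN" optype=0 ts=1554480027 severity=0
2019-04-05T15:52:03.296265+00:00 localhost filesnitch[5990]: CEF:0|cloud_foundry|fim|1.0.0|1|file integrity monitoring event|5|fname="/var/vcap/data/jobs/newfile.txt" hostname="fim_1/f66479c7-cd37-4a99-b735-f6f41ba55f01" opname="CREATE" optype=1 ts=1554479523 severity=5
2019-04-05T15:52:15.636353+00:00 localhost filesnitch[5990]: CEF:0|cloud_foundry|fim|1.0.0|4|file integrity monitoring event|5|fname="/var/vcap/data/jobs/file.txt" hostname="fim_1/f66479c7-cd37-4a99-b735-f6f41ba55f01" opname="REMOVE" optype=4 ts=1554479535 severity=5
2019-04-25T18:48:43.000000+00:00 localhost filesnitch[4242]: CEF:0|cloud_foundry|fim|1.0.0|1|file integrity monitoring event|5|fname="C:\proc\8174\root\Users\vcap\app\test.html" hostname="windows_diego_cell/be1f4854-299d-47d1-98eb-60b0741a3f6b" opname="CREATE" optype=1 ts=1556218123 severity=5
2019-04-25T18:40:48.000000+00:00 localhost filesnitch[3131]: CEF:0|cloud_foundry|fim|1.0.0|1|file integrity monitoring event|5|fname="/var/vcap/store/docker/docker/overlay2/7e5685c735b2aa97a9680e0b81730a518e3188afbf0f9f1529e492f98ed35f1d/diff/test.html" hostname="worker/d1d67195-ad42-4025-83e9-0d43a193ad53" opname="CREATE" optype=1 ts=1556217648 severity=5
"""

CEF_MARKER = "CEF:"
# A '|' preceded by a backslash is an escaped pipe inside a header field, not a separator.
UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")
# Extension pairs: FIM double-quotes string values, so a quoted value may contain spaces.
EXT_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


@dataclass
class FimEvent:
    syslog_prefix: str
    header: List[str]  # seven CEF header fields; header[0] still carries the "CEF:" prefix
    fname: str
    hostname: str      # BOSH instance group and instance id, e.g. "fim_1/<guid>"
    opname: str
    optype: int
    ts: int
    severity: int


def split_cef_header(payload: str) -> Tuple[List[str], str]:
    """Return the seven CEF header fields (pipe escapes removed) and the extension string."""
    parts = UNESCAPED_PIPE.split(payload, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have seven pipe-delimited fields")
    return [p.replace(r"\|", "|") for p in parts[:7]], parts[7]


def parse_line(line: str) -> FimEvent:
    """Parse one syslog line carrying a FIM CEF record into a FimEvent."""
    idx = line.find(CEF_MARKER)
    if idx < 0:
        raise ValueError("not a CEF line")
    header, extension = split_cef_header(line[idx:])
    ext = {k: v[1:-1] if len(v) >= 2 and v[0] == v[-1] == '"' else v
           for k, v in EXT_KV.findall(extension)}
    return FimEvent(
        syslog_prefix=line[:idx].rstrip(": "), header=header,
        fname=ext["fname"], hostname=ext["hostname"], opname=ext["opname"],
        optype=int(ext["optype"]), ts=int(ext["ts"]), severity=int(ext["severity"]),
    )


# Host-side path layouts taken from the page's container examples. Rebuilding the path
# the workload sees inside the container (group 2, plus a drive prefix on Windows) is an
# assumption about each runtime's writable-layer layout; FIM reports only the host path.
CONTAINER_LAYOUTS = [
    ("garden", re.compile(r"^/var/vcap/data/grootfs/store/(?:un)?privileged/images/([^/]+)/diff(/.*)$"), ""),
    ("docker", re.compile(r"^/var/vcap/store/docker/docker/overlay2/([0-9a-f]+)/diff(/.*)$"), ""),
    ("windows-garden", re.compile(r"^C:\\proc\\(\d+)\\root\\(.*)$"), "C:\\"),
]


@dataclass
class ContainerRef:
    runtime: str       # "garden", "docker" or "windows-garden"
    container_id: str  # grootfs image id, overlay2 layer id, or the container's pid
    inner_path: str    # path as seen from inside the container (assumed mapping)


def attribute_container(fname: str) -> Optional[ContainerRef]:
    """Map a host-side fname to its container, or return None for a plain host path."""
    for runtime, pattern, prefix in CONTAINER_LAYOUTS:
        m = pattern.match(fname)
        if m:
            return ContainerRef(runtime, m.group(1), prefix + m.group(2))
    return None


CHECKIN_OPTYPE = 0  # FILESNITCH CHECKIN: empty fname, severity 0; liveness, not a file event


def triage(lines: Iterable[str], now: int, heartbeat_max_age: int = 300) -> Dict[str, list]:
    """Separate heartbeats from file events and flag hosts whose check-ins have gone quiet.

    heartbeat_max_age (seconds) is an assumed threshold; tune it to FIM's check-in interval.
    """
    last_checkin: Dict[str, int] = {}
    alerts: List[FimEvent] = []
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev.optype == CHECKIN_OPTYPE:
            last_checkin[ev.hostname] = max(last_checkin.get(ev.hostname, 0), ev.ts)
        else:
            alerts.append(ev)  # every file operation in the page's samples is severity 5
    stale = sorted(h for h, t in last_checkin.items() if now - t > heartbeat_max_age)
    never = sorted({e.hostname for e in alerts} - set(last_checkin))
    return {"alerts": alerts, "stale_hosts": stale, "never_checked_in": never}
```

Running `triage(SAMPLE_LOG.splitlines(), now=...)` yields four file-operation alerts and no heartbeat for the Windows cell or the PKS worker, because the constructed input carries a check-in only from the fim_1 VM; in a real deployment a VM that emits file events but no check-ins, or whose last check-in is older than the threshold, is worth an alert of its own. The pipe-escape handling follows the CEF convention of `\|`; a header field ending in an escaped backslash immediately before a separator is not handled by the lookbehind, which is acceptable for the vendor strings FIM emits.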