Troubleshooting File Integrity Monitoring
Note: Pivotal Platform is now part of VMware Tanzu. In v2.1 and later, Pivotal File Integrity Monitoring is named File Integrity Monitoring for VMware Tanzu.
This topic provides instructions to verify that File Integrity Monitoring for VMware Tanzu (FIM) works with your deployment and makes general recommendations for troubleshooting.
About Troubleshooting FIM
This topic helps you troubleshoot the runtime behavior of FIM and confirm that your deployment is being protected in the way you expect.
BOSH Deploy Issues
Symptom
FIM generates too much syslog activity during BOSH deploys.
Explanation
FIM monitors and reports file changes. BOSH deployments often make changes to the monitored directories and files, which generates corresponding FIM syslog activity during the deployment.
FIM watches for unexpected file changes in all the directories that you configure it to monitor. The default manifest configuration monitors files in many critical directories, including /var/vcap/data/jobs and /var/vcap/data/packages. These directories are critical to the normal operation of BOSH Linux VMs and are monitored because they are not expected to change between BOSH deploys.
Syslog messages generated during a BOSH deploy report file changes in the jobs and packages directories in /var/vcap/... BOSH deploys update the files in these directories, so FIM reports file-system events that are expected. You can treat these syslog messages either as confirmation that the BOSH deployment is succeeding or as false positive events.
Solution
Events that occur during a planned BOSH deployment are normal and can be safely ignored, as long as they are confined to the directories the deploy touches and to the time window of the deploy. Changes to the same directories outside a deploy, or to unrelated paths during one, are exactly what FIM exists to catch and should still be investigated.
To avoid the additional syslog traffic during a BOSH deploy, customize the FIM release deployment manifest to narrow the scope of FIM so that it excludes the directories affected by deployments. You can do this either before a BOSH deploy (as a temporary measure, restoring the full watchlist afterwards) or as part of your normal FIM configuration. Be aware that permanently excluding these directories also means FIM no longer reports changes to jobs and packages made outside a deploy. An alternative that keeps that coverage is to leave the watchlist intact and suppress or label events from these paths downstream, in your syslog or SIEM pipeline, only for the window of a known deploy. Consider your threat environment and risk tolerance and configure FIM accordingly.
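The downstream approach described above, as an added example written for this page (it is not FIM's own code): events are treated as expected deploy churn only when the path is under one of the directories BOSH rewrites and the timestamp falls inside a known deploy window; everything else stays an alert. The syslog line format and the sample lines are constructed assumptions, so adjust LINE_RE to match your actual FIM output, and take the deploy window from the BOSH task's start and end times.

```python
"""Triage FIM syslog events around a BOSH deploy window.

Added example for this page, not FIM's own code.  The line shape below is
an assumption: "<ISO-8601 UTC timestamp> <host> fim: <event> <path>".
Check your own FIM syslog output and adjust LINE_RE accordingly.
"""
import re
from datetime import datetime, timezone

# Directories the page says BOSH rewrites on every deploy.
DEPLOY_PATH_PREFIXES = ("/var/vcap/data/jobs/", "/var/vcap/data/packages/")

# Assumed syslog line shape (see module docstring).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<host>\S+)\s+"
    r"fim:\s+(?P<event>\w+)\s+(?P<path>\S+)$"
)


def parse_event(line):
    """Return a dict for a FIM line in the assumed format, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m["host"], "event": m["event"], "path": m["path"]}


def classify(event, deploy_start, deploy_end):
    """'expected' only when BOTH hold: the path is one BOSH rewrites during a
    deploy AND the event lies inside the deploy window.  A jobs/ change outside
    any deploy, or an /etc change during one, remains an alert."""
    in_window = deploy_start <= event["ts"] <= deploy_end
    in_deploy_path = event["path"].startswith(DEPLOY_PATH_PREFIXES)
    return "expected" if in_window and in_deploy_path else "alert"


def triage(lines, deploy_start, deploy_end):
    """Split raw syslog lines into expected deploy churn, alerts, and unparsed lines."""
    result = {"expected": [], "alerts": [], "unparsed": []}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            result["unparsed"].append(line)
        elif classify(ev, deploy_start, deploy_end) == "expected":
            result["expected"].append(ev)
        else:
            result["alerts"].append(ev)
    return result


# Constructed sample input: a deploy ran 09:55-10:10 UTC on 2024-03-01.
DEPLOY_START = datetime(2024, 3, 1, 9, 55, tzinfo=timezone.utc)
DEPLOY_END = datetime(2024, 3, 1, 10, 10, tzinfo=timezone.utc)
SAMPLE_LINES = [
    "2024-03-01T10:00:05Z diego-cell-0 fim: modified /var/vcap/data/jobs/rep/config/rep.yml",
    "2024-03-01T10:00:07Z diego-cell-0 fim: created /var/vcap/data/packages/rep/a1b2c3/bin/rep",
    "2024-03-01T10:00:09Z diego-cell-0 fim: modified /etc/passwd",            # during deploy, but not a deploy path
    "2024-03-01T13:30:00Z diego-cell-0 fim: modified /var/vcap/data/jobs/rep/config/rep.yml",  # deploy path, no deploy
    "2024-03-01T13:30:01Z diego-cell-0 rsyslogd: restarted",                 # not a FIM line
]

if __name__ == "__main__":
    r = triage(SAMPLE_LINES, DEPLOY_START, DEPLOY_END)
    for ev in r["alerts"]:
        print(f"ALERT {ev['ts'].isoformat()} {ev['host']} {ev['event']} {ev['path']}")
    print(f"{len(r['expected'])} expected deploy events, {len(r['unparsed'])} unparsed lines")
```

On the constructed sample, the two jobs/packages changes inside the window are expected, while the /etc/passwd change during the deploy and the jobs change three hours later are both alerts. Keying the suppression on the window as well as the path is what preserves FIM's value: a watchlist that simply drops these directories would have missed the afternoon change.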
FIM Runtime Issues
Symptom
Filesystem events are not reported. The logs are empty.
Explanation
FIM might not be running or might be misconfigured.
Solution
Check whether fim is running. On success, monit summary returns output like the following:
The Monit daemon 5.2.5 uptime: 1d 20h 11m
Process 'fim'                       running
If the process is not running, inspect the /var/vcap/sys/log/fim/fim.std*.log files for clues.
If the process is running but the logs are still empty, confirm that events are reported at all: create a test file under a directory that FIM monitors (see Watchlist for the defaults) and check that a corresponding event arrives in syslog. Remove the test file afterwards.
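The check above, as an added example written for this page (not FIM's or Monit's own tooling): it parses monit summary output, distinguishes fim running from fim stopped and from fim missing from monit altogether, and on a problem collects the tail of the log files the page names. The sample monit output is constructed; the first sample mirrors the page, and the non-running status string in the second is illustrative. When run as a script on a BOSH VM it invokes the real monit summary, which requires root.

```python
"""Check FIM's monit state and, when it is not running, pull recent log lines.

Added example for this page, not FIM's or Monit's own code.  Assumes that
`monit summary` prints one "Process '<name>' <status>" line per process, as
in the sample on this page.
"""
import glob
import re
import subprocess

MONIT_PROCESS_RE = re.compile(r"^Process '(?P<name>[^']+)'\s+(?P<status>\S.*?)\s*$")
FIM_LOG_GLOB = "/var/vcap/sys/log/fim/fim.std*.log"  # path given on this page


def parse_monit_summary(text):
    """Map each process name in a `monit summary` dump to its status string."""
    states = {}
    for line in text.splitlines():
        m = MONIT_PROCESS_RE.match(line.strip())
        if m:
            states[m["name"]] = m["status"]
    return states


def fim_state(summary_text, process="fim"):
    """Return 'running', the non-running status monit reports, or 'absent'
    when monit does not know the process at all (job missing or not installed)."""
    return parse_monit_summary(summary_text).get(process, "absent")


def recent_log_lines(pattern=FIM_LOG_GLOB, count=20):
    """Last `count` lines of every file matching the FIM log glob."""
    tails = {}
    for path in sorted(glob.glob(pattern)):
        with open(path, errors="replace") as fh:
            tails[path] = fh.readlines()[-count:]
    return tails


def diagnose(summary_text, log_reader=recent_log_lines):
    """Decide whether FIM is healthy; when it is not, attach the log tails."""
    state = fim_state(summary_text)
    report = {"state": state, "healthy": state == "running", "logs": {}}
    if not report["healthy"]:
        report["logs"] = log_reader()
    return report


# Constructed samples of `monit summary` output.  The first mirrors the page;
# the "not monitored" status in the second is illustrative.
HEALTHY_SUMMARY = (
    "The Monit daemon 5.2.5 uptime: 1d 20h 11m\n"
    "\n"
    "Process 'fim'                       running\n"
)
STOPPED_SUMMARY = (
    "The Monit daemon 5.2.5 uptime: 1d 20h 11m\n"
    "\n"
    "Process 'fim'                       not monitored\n"
)
NO_FIM_SUMMARY = "The Monit daemon 5.2.5 uptime: 1d 20h 11m\n"

if __name__ == "__main__":
    # On a BOSH VM: run the real command (monit needs root).
    out = subprocess.run(["monit", "summary"], capture_output=True, text=True, check=False).stdout
    rep = diagnose(out)
    print("fim state:", rep["state"])
    for path, lines in rep["logs"].items():
        print(f"--- {path} (last {len(lines)} lines)")
        print("".join(lines), end="")
```

The 'absent' case matters: a grep for "Process 'fim' running" that finds nothing cannot tell a stopped job from a job that was never deployed to the VM, and the two have different fixes (restart versus redeploy with the FIM add-on).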
Symptom
File system events are not reported from a portion of the file system.
Explanation
FIM is configured to monitor a set of critical directories in the system. It is not configured to monitor the entire file system by default.
Solution
See Watchlist for the default list of file paths that FIM monitors for file system events. To modify the configuration, see Configure FIM for Linux or Configure FIM for Windows, depending on your installation.