Troubleshooting File Integrity Monitoring

Note: Pivotal Platform is now part of VMware Tanzu. In v2.1 and later, Pivotal File Integrity Monitoring is named File Integrity Monitoring for VMware Tanzu.

This topic provides instructions to verify that File Integrity Monitoring for VMware Tanzu (FIM) works with your deployment and makes general recommendations for troubleshooting.

About Troubleshooting FIM

This topic provides help for troubleshooting the runtime behavior, to ensure that the deployment is being protected in the way you expect.

BOSH Deploy Issues

Symptom

FIM generates too much syslog activity during BOSH deploys.

Explanation

FIM monitors and reports file changes. BOSH deployments often make changes to the monitored directories and files, which generates corresponding FIM syslog activity during the deployment.

FIM watches for unexpected file changes in all the directories that you configure it to monitor. The default manifest configuration monitors files in many critical directories including /var/vcap/data/jobs and /var/vcap/data/packages. These directories are critical to the normal operation of BOSH Linux VMs, and are monitored because they are not expected to change between BOSH deploys.

Syslog messages generated during a BOSH deploy report file changes in the jobs and packages directories in /var/vcap/.... BOSH deploys update the files in these directories. Thus, FIM reports file-system events that are expected. You can consider these syslog messages either as confirmation of a succeeding BOSH deployment or as false positive events.

Solution

Events occurring during a planned BOSH deployment are normal and can be safely ignored.

To avoid the additional syslog traffic during a BOSH deploy, customize the FIM release deployment manifest to narrow the scope of FIM so that it does not include directories affected by deployments. You can do this either before you deploy BOSH (as a temporary measure) or as part of the normal FIM configuration. Consider your threat environment and risk tolerance and configure FIM accordingly.

FIM Runtime Issues

Symptom

Filesystem events are not reported. The logs are empty.

Explanation

FIM might not be running or might be misconfigured.

Solution

  • Check whether fim is running. On success, monit summary returns output like the following:

    The Monit daemon 5.2.5 uptime: 1d 20h 11m
    Process 'fim' running
  • If the process is not running, inspect the contents of the /var/vcap/sys/log/fim/fim.std*.log files for clues.
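The two checks above, combined into a small diagnostic helper. This is an added example, not a script shipped with the FIM release: it parses the monit summary output for the fim process state and, when run on a BOSH VM with the argument "live", falls back to showing the tail of the fim.std*.log files. The sample monit output embedded below is constructed from the lines shown above.

```shell
#!/bin/sh
# Added example, not part of the FIM release or VMware documentation.

# Read `monit summary` output on stdin and print the state monit reports for
# the 'fim' process, lower-cased ("running", "not monitored", ...), or
# "absent" when monit does not list a 'fim' process at all.
fim_state_from_summary() {
    state=$(sed -n "s/^[[:space:]]*Process 'fim'[[:space:]]*//p" | head -n 1 \
        | sed 's/[[:space:]]*$//' | tr '[:upper:]' '[:lower:]')
    if [ -n "$state" ]; then
        printf '%s\n' "$state"
    else
        echo absent
    fi
}

# Live check for a BOSH VM: query monit, and when fim is anything other than
# "running", show the end of the FIM stdout/stderr logs (path from the page).
# Returns 1 when fim is not running so the result can be used in automation.
check_fim() {
    state=$(monit summary | fim_state_from_summary)
    echo "fim process state: $state"
    if [ "$state" != running ]; then
        for f in /var/vcap/sys/log/fim/fim.std*.log; do
            [ -f "$f" ] || continue
            echo "== $f =="
            tail -n 20 "$f"
        done
        return 1
    fi
    return 0
}

# Constructed sample of the monit output shown above, so the parser can be
# exercised offline without monit installed.
SAMPLE_SUMMARY="The Monit daemon 5.2.5 uptime: 1d 20h 11m
Process 'fim' running"

if [ "${1:-}" = live ]; then
    check_fim
else
    printf '%s\n' "$SAMPLE_SUMMARY" | fim_state_from_summary   # prints "running"
fi
```

Run it with no arguments to see the parser on the sample, or with "live" on a VM where monit is present.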


Symptom

File system events are not reported from a portion of the file system.

Explanation

FIM is configured to monitor a set of critical directories in the system. It is not configured to monitor the entire file system by default.

Solution

See Watchlist for the default list of file paths that FIM monitors for file system events. To modify the configuration, see Configure FIM for Linux or Configure FIM for Windows, depending on your installation.