Troubleshooting File Integrity Monitoring
Note: Pivotal Platform is now part of VMware Tanzu. In v2.1 and later, Pivotal File Integrity Monitoring is named File Integrity Monitoring for VMware Tanzu
This topic provides instructions to verify that File Integrity Monitoring for VMware Tanzu (FIM) works with your deployment and makes general recommendations for troubleshooting.
This topic provides help for troubleshooting the runtime behavior, to ensure that the deployment is being protected in the way you expect.
FIM generates too much syslog activity during BOSH deploys.
FIM monitors and reports file changes. BOSH deployments often make changes to the monitored directories and files, which generates corresponding FIM syslog activity during the deployment.
FIM watches for unexpected file changes in all the directories that you configure it to monitor.
The default manifest configuration monitors files in many critical directories including
These directories are critical to the normal operation of BOSH Linux VMs, and are monitored because they are not expected to change between BOSH deploys.
Syslog messages generated during a BOSH deploy report file changes in the
packages directories in
deploys update the files in these directories. Thus, FIM reports file-system events that are expected.
You can consider these syslog messages either as confirmation of a succeeding BOSH deployment or as false positive events.
Events occurring during a planned BOSH deployment are normal and can be safely ignored.
To avoid the additional syslog traffic during a BOSH deploy, customize the FIM release deployment manifest to narrow the scope of FIM so that it does not include directories affected by deployments. You can do this either before you deploy BOSH (as a temporary measure) or as part of the normal FIM configuration. Consider your threat environment and risk tolerance and configure FIM accordingly.
Filesystem events are not reported. The logs are empty.
FIM might not be running or might be misconfigured.
Running monit summary should return the following output on success.
The Monit daemon 5.2.5 uptime: 1d 20h 11m
Process 'fim' running
If the process is not running, inspect the contents of the /var/vcap/sys/log/fim/fim.std*.log files for clues.
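The following shell snippet is an added example, not part of the FIM documentation or the FIM release: it parses monit summary output to decide whether the fim process is running and, when run as root on a BOSH VM, tails the log files at the path above. The sample monit output embedded in it is constructed to match the format shown on this page.

```shell
#!/bin/sh
# Added example: check that the FIM process is up and, if not, show the FIM logs.

# Return 0 if the given monit summary text reports process 'fim' as running.
# monit pads the status column with spaces, so allow any run of whitespace.
fim_running() {
  printf '%s\n' "$1" | grep -Eq "^Process 'fim'[[:space:]]+running"
}

# Constructed sample outputs in the format quoted on this page.
SAMPLE_OK="The Monit daemon 5.2.5 uptime: 1d 20h 11m
Process 'fim' running"
SAMPLE_DOWN="The Monit daemon 5.2.5 uptime: 1d 20h 11m
Process 'fim' not monitored"

# Query the live monit daemon (requires root on the BOSH VM).
# Returns 0 when fim is running, 1 when it is not, 2 when monit is unavailable.
check_live_fim() {
  out=$(monit summary 2>/dev/null) || { echo "monit summary failed"; return 2; }
  if fim_running "$out"; then
    echo "fim is running"
    return 0
  fi
  echo "fim is NOT running; last lines of the FIM logs:"
  # Log path as documented on this page.
  tail -n 20 /var/vcap/sys/log/fim/fim.std*.log 2>/dev/null
  return 1
}
```

Run check_live_fim on the VM after bosh ssh to combine the monit check and the log inspection in one step.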
File system events are not reported from a portion of the file system.
FIM is configured to monitor a set of critical directories in the system. It is not configured to monitor the entire file system by default.
See Watchlist to see the default list of file paths that FIM monitors for file system events. To modify the configuration, see Configure FIM for Linux or Configure FIM for Windows depending on your installation.