Troubleshooting the FIM Add-on for PCF
Page last updated:
This topic provides instructions to verify that File Integrity Monitoring (FIM) Add-on for PCF works with your Pivotal Cloud Foundry (PCF) deployment and makes general recommendations for troubleshooting.
This topic provides help for troubleshooting the runtime behavior, to ensure that the deployment is being protected in the way you expect.
The FIM Add-on generates too much syslog activity during BOSH deploys.
The FIM Add-on monitors and reports file changes. BOSH deployments often make changes to the monitored directories and files, which generates corresponding FIM syslog activity during the deployment.
The FIM Add-on watches for unexpected file changes in all the directories that you configure it to monitor.
The default manifest configuration monitors files in many critical directories including
These directories are critical to the normal operation of PCF and are monitored because they are not expected to change during operation of the platform (between BOSH deploys).
Syslog messages generated during a BOSH deploy report file changes in the
packages folders in
deploys update the files in these folders. Thus, the FIM Add-on reports filesystem events that are expected.
You can consider these syslog messages either as confirmation of a succeeding BOSH deployment or as false positive events.
Events occurring during a planned BOSH deployments are normal and may be safely ignored.
To avoid the additional syslog traffic during a BOSH deploy, customize the FIM release deployment manifest to narrow the scope of FIM so that it does not include directories affected by deployments. You can do this either before you deploy BOSH (as a temporary measure) or as part of the normal FIM configuration. Consider your threat environment and risk tolerance and configure FIM Add-on accordingly.
Filesystem events are not reported. The logs are empty.
The FIM Add-on might not be running or might be misconfigured.
monit summaryshould return the following output on success.
The Monit daemon 5.2.5 uptime: 1d 20h 11m
Process 'fim' running
If the process isn’t running, inspect the contents of
/var/vcap/sys/log/fim/fim.std*.logfiles for clues.
Filesystem events are not reported from a portion of the filesystem.
The FIM Add-on is configured to monitor a set of critical directories in the system. It is not configured to monitor the entire filesystem by default.
Refer to this configuration section for inspecting defaults and instructions on adjusting the list in the runtime manifest.