This topic gives you information about log messages emitted by File Integrity Monitoring for VMware Tanzu (FIM). You can use these samples to configure a Security Information and Event Management (SIEM) system, to verify regular activity and generate alerts for file system operations in monitored directories.

Log Output Destination

FIM produces many different logs depending on what operation is being performed.

  • In Linux, these logs are located in /var/log/syslog.
  • In Windows, these logs are located in C:\var\vcap\sys\log\fim-windows\filesnitch\job-service-wrapper.out.log.

Log Format

FIM can emit logs in the default format or you can configure a custom format using the Output log format field. For information about configuring the log format, see Output Log Format.

Examples of Log Messages

This section contains sample log messages emitted by FIM. You can use these samples to configure a Security Information and Event Management (SIEM) system. These include:

  • Examples of log messages output by FIM
  • Examples of FIM log messages output by containers
  • An example of a log message output by the BOSH Context Adaptor for FIM (BCAF)

FIM Log Message Types

The list below contains an example FIM log message for each operation:

  • FILESNITCH CHECKIN

    2019-04-05T16:00:27.353542+00:00 localhost filesnitch[6663]: CEF:0|cloud_foundry|fim|1.0.0|0|file integrity monitoring event|0|
fname="" hostname="fim_1/f66479c7-cd37-4a99-b735-f6f41ba55f01" opname="FILESNITCH CHECKIN" optype=0 ts=1554480027 severity=0

  • CREATE

    2019-04-05T15:52:03.296265+00:00 localhost filesnitch[5990]: CEF:0|cloud_foundry|fim|1.0.0|1|file integrity monitoring event|5|
fname="/var/vcap/data/jobs/newfile.txt" hostname="fim_1/f66479c7-cd37-4a99-b735-f6f41ba55f01" opname="CREATE" optype=1 mode="-rw-r--r--" uid=0 user="root" gid=0 group="root" ts=1554479523 severity=5

  • WRITE

    2019-04-05T15:52:22.230901+00:00 localhost filesnitch[5990]: CEF:0|cloud_foundry|fim|1.0.0|2|file integrity monitoring event|5|
fname="/var/vcap/data/jobs/file.txt" hostname="fim_1/f66479c7-cd37-4a99-b735-f6f41ba55f01" opname="WRITE" optype=2 ts=1554479542 severity=5

  • REMOVE

    2019-04-05T15:52:15.636353+00:00 localhost filesnitch[5990]: CEF:0|cloud_foundry|fim|1.0.0|4|file integrity monitoring event|5|
fname="/var/vcap/data/jobs/file.txt" hostname="fim_1/f66479c7-cd37-4a99-b735-f6f41ba55f01" opname="REMOVE" optype=4 ts=1554479535 severity=5

  • RENAME

    2019-04-05T15:52:28.707094+00:00 localhost filesnitch[5990]: CEF:0|cloud_foundry|fim|1.0.0|8|file integrity monitoring event|5|
fname="/var/vcap/data/jobs/file.txt" hostname="fim_1/f66479c7-cd37-4a99-b735-f6f41ba55f01" opname="RENAME" optype=8 ts=1554479548 severity=5

  • CHMOD

    2019-04-05T15:52:03.297424+00:00 localhost filesnitch[5990]: CEF:0|cloud_foundry|fim|1.0.0|16|file integrity monitoring event|5|
fname="/var/vcap/data/jobs/newfile.txt" hostname="fim_1/f66479c7-cd37-4a99-b735-f6f41ba55f01" opname="CHMOD" optype=16 mode="-rw-r--r--" uid=0 user="root" gid=0 group="root" ts=1554479523 severity=5

Examples of Log Messages from Containers

The list below contains examples of FIM log messages from Garden containers and Docker containers:

  • For a Garden container in VMware Tanzu Application Service for VMs (TAS for VMs)

    CEF:0|cloud_foundry|fim|1.0.0|1|file integrity monitoring event|5|
fname="/var/vcap/data/grootfs/store/unprivileged/volumes/5c320add-ac1a-4bd7-78b6-1129/diff/home/vcap/app/public/test.html" opname="CREATE" optype=1 mode="-rw-r--r--" uid=2000 user="unknown" gid=2000 group="unknown" ts=1556218123 severity=5

  • For a Windows Garden container in VMware Tanzu Application Service for VMs [Windows] (TAS for VMs [Windows])

    CEF:0|cloud_foundry|fim|1.0.0|1|file integrity monitoring event|5|
fname="C:\proc\8174\root\Users\vcap\app\test.html"
hostname="windows_diego_cell/be1f4854-299d-47d1-98eb-60b0741a3f6b" opname="CREATE" optype=1 ts=1556218123 severity=5

For how to configure FIM to monitor containers, see Monitor Containers with FIM.

Example of Log Messages Identified by BCAF

All file events triggered by BOSH are labeled as a bosh-triggered event:

CEF:0|cloud_foundry|fim|1.0.0|16|file integrity monitoring event|3| bosh-triggered event|
fname="/var/vcap/data/jobs/vxlan-policy-agent/1d6231f203386fa2313a4a12ed058d5f423757df/bin"
hostname="diego_cell/a91f1807-ae87-47f6-ae65-14a5767332d5" opname="CHMOD" optype=16 mode="drwxr-x---" uid=0 user="root" gid=1000 group="vcap" ts=1583521619 severity=3

For more information about this process, see BOSH Context Adaptor for FIM (BCAF).

check-circle-line exclamation-circle-line close-line
Scroll to top icon