Hi Guys,
If I may, I just want to have your inputs on the reference documentation here: File Integrity Monitoring for Linux | InsightIDR Documentation
It is clearly stated that ONLY “write” events are monitored if I do the modification on the audit.rules.
Now, if I want to monitor all events (rwxa), does that mean I don't need to do the modification at all?
Or do I still need to put it in, and the declaration in the audit.rules would be like → -w /bin -p wrxa?
I am thinking that if I need to monitor all events, then instead of doing the modification, which only monitors the “write” events, I might as well just read everything in the audit.log file through the agent.
Reference: Configure the Insight Agent to Send Additional Logs | InsightIDR Documentation
I am just not sure if it is essential that I declare everything (file-specific) in the audit.rules to get my File Monitoring.
Best Regards,