From ae44ee54dac29c994d2a3de25c5c955d83b67e4b Mon Sep 17 00:00:00 2001
From: Vijay Samuel
Date: Tue, 30 Jun 2020 00:58:03 -0700
Subject: [PATCH 1/2] Create fsnotify watcher only when starting file_integrity module

---
 CHANGELOG.next.asciidoc | 1 +
 .../file_integrity/eventreader_fsnotify.go | 16 ++++++++--------
 2 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 9d8db101f4e5..6cacfb3c2d5b 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -148,6 +148,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - system/socket: Fix dataset using 100% CPU and becoming unresponsive in some scenarios. {pull}19033[19033]
 - system/socket: Fixed tracking of long-running connections. {pull}19033[19033]
 - system/package: Fix librpm loading on Fedora 31/32. {pull}NNNN[NNNN]
+- file_integrity: Create fsnotify watcher only when starting file_integrity module {pull}19505[19505]

 *Filebeat*

diff --git a/auditbeat/module/file_integrity/eventreader_fsnotify.go b/auditbeat/module/file_integrity/eventreader_fsnotify.go
index 4c59191dfe71..fa8fdf4407fe 100644
--- a/auditbeat/module/file_integrity/eventreader_fsnotify.go
+++ b/auditbeat/module/file_integrity/eventreader_fsnotify.go
@@ -39,19 +39,19 @@ type reader struct {

 // NewEventReader creates a new EventProducer backed by fsnotify.
 func NewEventReader(c Config) (EventProducer, error) {
- watcher, err := monitor.New(c.Recursive)
- if err != nil {
- return nil, err
- }
-
 return &reader{
- watcher: watcher,
- config: c,
- log: logp.NewLogger(moduleName),
+ config: c,
+ log: logp.NewLogger(moduleName),
 }, nil
 }

 func (r *reader) Start(done <-chan struct{}) (<-chan Event, error) {
+ watcher, err := monitor.New(r.config.Recursive)
+ if err != nil {
+ return nil, err
+ }
+
+ r.watcher = watcher
 if err := r.watcher.Start(); err != nil {
 return nil, errors.Wrap(err, "unable to start watcher")
 }
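Review bot: The `monitor.New` error in `Start` is returned bare, while the `r.watcher.Start()` failure directly below it is wrapped with "unable to start watcher", so a log reader cannot tell which step failed; `return nil, errors.Wrap(err, "unable to create watcher")` would keep the two distinguishable. With this change `r.watcher` is nil from `NewEventReader` until `Start` runs, and a second `Start` call would overwrite the field without closing the previous watcher; whether either can happen depends on callers that are not visible in this hunk. Because a creation failure now surfaces at start time instead of at construction, it is worth confirming that the caller reports it prominently, since the consequence is that file integrity monitoring is not running. `Start`'s body continues past the end of the hunk.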
From f293c689573bb9efdfca4866273efff10fe85f53 Mon Sep 17 00:00:00 2001
From: Vijay Samuel
Date: Tue, 30 Jun 2020 22:45:15 -0700
Subject: [PATCH 2/2] Add close to Start() so that failed starts don't create resource leaks

---
 auditbeat/module/file_integrity/eventreader_fsnotify.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/auditbeat/module/file_integrity/eventreader_fsnotify.go b/auditbeat/module/file_integrity/eventreader_fsnotify.go
index fa8fdf4407fe..4d82015b90d9 100644
--- a/auditbeat/module/file_integrity/eventreader_fsnotify.go
+++ b/auditbeat/module/file_integrity/eventreader_fsnotify.go
@@ -53,6 +53,8 @@ func (r *reader) Start(done <-chan struct{}) (<-chan Event, error) {

 r.watcher = watcher
 if err := r.watcher.Start(); err != nil {
+ // Ensure that watcher is closed so that we don't leak watchers
+ r.watcher.Close()
 return nil, errors.Wrap(err, "unable to start watcher")
 }
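Review bot: On the failure path added here `r.watcher` still refers to the watcher that was just closed, and whatever `r.watcher.Close()` returns is discarded without a comment saying that is intended. Starting and closing the local variable and assigning the field only on success avoids leaving a closed watcher on the reader: use `if err := watcher.Start(); err != nil {` with `watcher.Close()` inside it, and move `r.watcher = watcher` to after the check. If `Close` returns an error, as is conventional, a short comment such as `// best effort; the Start error is the one reported` would document why it is ignored. The assignment line is context from the previous patch and the rest of `Start` lies outside the hunk, so later return paths that may also need the close cannot be checked from here.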