From 70cff3a4ecb8d24b614153d94bbdfb6527e1d8c3 Mon Sep 17 00:00:00 2001 From: Panos Koutsovasilis Date: Thu, 2 May 2024 17:53:15 +0300 Subject: [PATCH 1/2] [Auditbeat/FIM/fsnotify]: prevent losing events for recursive mode on OS X (#39362) * fix(auditbeat/fim/fsnotify): do not return error immediately as this causes losing events on mac * doc: update CHANGELOG.next.asciidoc (cherry picked from commit bbf8746d0e0a653c6801f979072e47c15a84d074) --- CHANGELOG.next.asciidoc | 2 ++ auditbeat/module/file_integrity/monitor/monitor_test.go | 2 +- auditbeat/module/file_integrity/monitor/recursive.go | 4 ++-- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 8e114c2c222..3e30b1b93e8 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -36,6 +36,8 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Prevent scenario of losing children-related file events in a directory for recursive fsnotify backend of auditbeat file integrity module {pull}39133[39133] +- Allow extra syscalls by auditbeat required in FIM with kprobes back-end {pull}39361[39361] +- Fix losing events in FIM for OS X by allowing always to walk an added directory to monitor {pull}39362[39362] *Filebeat* diff --git a/auditbeat/module/file_integrity/monitor/monitor_test.go b/auditbeat/module/file_integrity/monitor/monitor_test.go index 2b907f74d82..b55e79ddc11 100644 --- a/auditbeat/module/file_integrity/monitor/monitor_test.go +++ b/auditbeat/module/file_integrity/monitor/monitor_test.go @@ -232,7 +232,7 @@ func TestRecursiveSubdirPermissions(t *testing.T) { ev, err := readTimeout(t, watcher) assert.Equal(t, errReadTimeout, err) - if err != errReadTimeout { + if !errors.Is(err, errReadTimeout) { t.Fatalf("Expected timeout, got event %+v", ev) } diff --git a/auditbeat/module/file_integrity/monitor/recursive.go b/auditbeat/module/file_integrity/monitor/recursive.go index cf3957363b5..f5a843d4ee2 100644 
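Review bot: In the monitor_test.go hunk, the context line `assert.Equal(t, errReadTimeout, err)` just above the changed `if` still compares the error by plain equality, so the two checks now disagree. A wrapped timeout error would satisfy `errors.Is` but would already have been reported as a failure by the assert. Give both the same semantics, e.g. `assert.ErrorIs(t, err, errReadTimeout)`. The hunk adds no import line, so `errors` is presumably already imported in this file; worth confirming. TestRecursiveSubdirPermissions starts and ends outside the hunk.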
--- a/auditbeat/module/file_integrity/monitor/recursive.go +++ b/auditbeat/module/file_integrity/monitor/recursive.go @@ -114,11 +114,11 @@ func (watcher *recursiveWatcher) addRecursive(path string) error { return nil } + var errs multierror.Errors if err := watcher.watchFile(path, nil); err != nil { - return fmt.Errorf("failed adding watcher to '%s': %w", path, err) + errs = append(errs, fmt.Errorf("failed adding watcher to '%s': %w", path, err)) } - var errs multierror.Errors err := filepath.Walk(path, func(walkPath string, info os.FileInfo, fnErr error) error { if walkPath == path { return nil From 3a1101193311081025c588bde54c270e6aaeeb60 Mon Sep 17 00:00:00 2001 From: Panos Koutsovasilis Date: Thu, 2 May 2024 21:27:25 +0300 Subject: [PATCH 2/2] doc: remove redundant changes from CHANGELOG.next.asciidoc --- CHANGELOG.next.asciidoc | 1 - 1 file changed, 1 deletion(-) diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc index 3e30b1b93e8..c6c6fc3a07e 100644 --- a/CHANGELOG.next.asciidoc +++ b/CHANGELOG.next.asciidoc @@ -36,7 +36,6 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d - Prevent scenario of losing children-related file events in a directory for recursive fsnotify backend of auditbeat file integrity module {pull}39133[39133] -- Allow extra syscalls by auditbeat required in FIM with kprobes back-end {pull}39361[39361] - Fix losing events in FIM for OS X by allowing always to walk an added directory to monitor {pull}39362[39362]
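Review bot: In the recursive.go hunk, a failure of `watcher.watchFile(path, nil)` in `addRecursive` is now only appended to `errs`, and nothing in the code records why the early return must not be restored. Add a comment above the `if`, e.g. `// Keep going on failure: the walk below must still register the children, otherwise their events are lost; the error is reported through errs.` The rest of the function is outside the hunk, so I assume `errs` is still returned after `filepath.Walk`. If so, callers now get an error for a path whose subtree is partly watched, and that should be logged with the path so degraded file-integrity coverage is visible to operators. The patch also carries no regression test for a root watch that fails while the walk succeeds; the only test change is the `errors.Is` tweak in monitor_test.go.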