From 3f37f74f4fd93922bf92dbf02489430ecb6e62d0 Mon Sep 17 00:00:00 2001
From: Panos Koutsovasilis
Date: Wed, 31 Jan 2024 04:47:30 +0200
Subject: [PATCH] feat: add the instantiation of file integrity module with kprobes backend

---
 .../module/file_integrity/eventreader_fsnotify.go | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/auditbeat/module/file_integrity/eventreader_fsnotify.go b/auditbeat/module/file_integrity/eventreader_fsnotify.go
index b49bb7b7905e..fa3015f76e10 100644
--- a/auditbeat/module/file_integrity/eventreader_fsnotify.go
+++ b/auditbeat/module/file_integrity/eventreader_fsnotify.go
@@ -23,6 +23,7 @@ import (
 	"errors"
 	"fmt"
 	"path/filepath"
+	"runtime"
 	"syscall"
 	"time"
 
@@ -43,6 +44,18 @@ type reader struct {
 
 // NewEventReader creates a new EventProducer backed by fsnotify.
 func NewEventReader(c Config) (EventProducer, error) {
+
+	if runtime.GOOS == "linux" {
+		switch c.ForceBackend {
+		case BackendKProbes:
+			return &kProbesReader{
+				config: c,
+				log: logp.NewLogger(moduleName),
+				parsers: FileParsers(c),
+			}, nil
+		}
+	}
+
 	return &reader{
 		config: c,
 		log: logp.NewLogger(moduleName),
@@ -109,7 +122,7 @@ func (r *reader) enqueueEvents(done <-chan struct{}) (events []*Event) {
 	for {
 		ev := r.nextEvent(done)
 		if ev == nil {
-			return
+			return events
 		}
 		events = append(events, ev)
 	}
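Review bot: The doc comment directly above the new branch still says the producer is "backed by fsnotify", but NewEventReader can now return a kProbesReader on Linux when c.ForceBackend is BackendKProbes; update it to `// NewEventReader creates a new EventProducer. On Linux, when c.ForceBackend is BackendKProbes it is backed by kprobes; otherwise it is backed by fsnotify.` A `switch` with a single `case` also reads more naturally as `if c.ForceBackend == BackendKProbes {`, unless further backends are about to be added here. Separately, when ForceBackend requests kprobes on a non-Linux GOOS the request is silently ignored and the fsnotify reader is returned, so an operator relying on the kernel-level backend for integrity monitoring gets a weaker one with no signal; unless Config validation elsewhere rejects that combination, returning an error (or at least logging the fallback) here would make it visible. The body of NewEventReader continues past the end of the hunk.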
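Review bot: `return events` is behaviorally identical to the bare `return` it replaces, because `events` is a named result parameter of enqueueEvents, so after this change the named result only serves as a declaration; either drop the name from the signature (`func (r *reader) enqueueEvents(done <-chan struct{}) []*Event {` with `var events []*Event` at the top of the body) or keep the bare returns for consistency rather than mixing the two styles. The signature of enqueueEvents sits before the hunk; only the loop body is shown.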