
Add default filesystems monitored/ignored by Linux Endpoints and document an 8.7 change #2935

Open
@nicholasberlin

Description


This documentation page has a note:

Even when configured to monitor all file systems (ignore_unknown_filesystems is false),
Elastic Defend will still ignore specific file systems that Elastic has internally identified as incompatible.
The following settings apply to any other file systems.

and this note:

It’s recommended to avoid monitoring network-backed file systems.

I would like to add the specific lists of default ignored and default marked filesystems, and potentially reference them in those notes, or whatever is appropriate.


Note

The following were added in v8.4.0 as part of addressing this issue. So, these have all been present since the feature was introduced and haven't been changed (accurate as of Jun 11, 2025).

filesystems ignored by default:

  • cifs
  • lustre
  • nfs
  • nfs4
  • smbfs
  • autofs
  • binfmt_misc
  • bpf
  • cgroup
  • cgroup2
  • configfs
  • debugfs
  • devpts
  • devtmpfs
  • efivarfs
  • fuse.gvfsd-fuse
  • fuse.portal
  • fusectl
  • hugetlbfs
  • inotifyfs
  • mqueue
  • nfsd
  • nsfs
  • proc
  • pstore
  • rpc_pipefs
  • securityfs
  • selinuxfs
  • sysfs
  • tracefs

Note

Similar to the default ignored list, this list was mostly introduced when the feature was introduced, in v8.4.0. Any additions since are annotated with a version (accurate as of Jun 11, 2025).

filesystems monitored by default:

  • ext2
  • ext3
  • ext4
  • overlay
  • tmpfs
  • vfat
  • xfs
  • btrfs (v8.16.0)
  • zfs (v8.16.0)

EDIT (Jun 11, 2025):
I believe documentation for the following two paragraphs is unnecessary, since the 8.7 versions of Endpoint are now quite old.

Further, I would like to document the fact that user-supplied filesystems in linux.advanced.fanotify.monitored_filesystems are overridden by our default list of ignored filesystems. For example, if a user includes nfs4 in linux.advanced.fanotify.monitored_filesystems, it will still not be monitored. In other words, the user cannot override Endpoint's default ignore list.

Finally, the change to the behavior described above has been merged into 8.7. Starting in 8.7, the user-supplied list, linux.advanced.fanotify.monitored_filesystems, will override Endpoint's default ignore list. So, if a user wants to go against our recommendation to ignore network-backed filesystems, they are free to do so.
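The selection rules spelled out in the issue above (internal ignore list, default monitored list, ignore_unknown_filesystems, and the 8.7 change to how linux.advanced.fanotify.monitored_filesystems interacts with the ignore list) are easy to get wrong when predicting which mounts on a host Endpoint will actually watch. The following is an added, constructed model of those rules written for this page; it is not Elastic Endpoint's own code. The filesystem lists are copied from the issue text, the 8.7 cutoff is the one the issue states, and the assumption that btrfs and zfs were treated as unknown filesystems before 8.16.0 is an inference from the version annotations, not something the issue says explicitly. The function names and the sample /proc/mounts lines are invented for the example.

```python
"""Model of the Linux filesystem-selection rules described in the issue.

Constructed example for this page, not Endpoint's implementation. The
lists come from the issue text; parse_version, is_monitored and
plan_from_mounts are assumed names; SAMPLE_MOUNTS is constructed data.
"""
from __future__ import annotations

# Internal ignore list (issue: "filesystems ignored by default").
DEFAULT_IGNORED = frozenset({
    "cifs", "lustre", "nfs", "nfs4", "smbfs",
    "autofs", "binfmt_misc", "bpf", "cgroup", "cgroup2", "configfs",
    "debugfs", "devpts", "devtmpfs", "efivarfs", "fuse.gvfsd-fuse",
    "fuse.portal", "fusectl", "hugetlbfs", "inotifyfs", "mqueue", "nfsd",
    "nsfs", "proc", "pstore", "rpc_pipefs", "securityfs", "selinuxfs",
    "sysfs", "tracefs",
})

# Default monitored list; btrfs and zfs were added in 8.16.0 per the issue.
DEFAULT_MONITORED = frozenset({
    "ext2", "ext3", "ext4", "overlay", "tmpfs", "vfat", "xfs",
    "btrfs", "zfs",
})
ADDED_IN_8_16 = frozenset({"btrfs", "zfs"})


def parse_version(version: str) -> tuple[int, ...]:
    """'8.16.0' -> (8, 16, 0) so versions compare as tuples, not strings."""
    return tuple(int(part) for part in version.split("."))


def default_monitored_for(version: str) -> frozenset[str]:
    # Assumption: before 8.16.0, btrfs/zfs fell through to the
    # ignore_unknown_filesystems rule like any other unlisted type.
    if parse_version(version) < (8, 16, 0):
        return DEFAULT_MONITORED - ADDED_IN_8_16
    return DEFAULT_MONITORED


def is_monitored(fstype: str, *, version: str,
                 ignore_unknown_filesystems: bool = True,
                 monitored_filesystems: tuple[str, ...] = ()) -> bool:
    """Would Endpoint at `version` monitor a mount of type `fstype`?"""
    user_listed = fstype in monitored_filesystems
    # Issue: from 8.7 the user-supplied list overrides the internal ignore
    # list; before 8.7 the ignore list always won.
    user_list_overrides_ignore = parse_version(version) >= (8, 7, 0)
    if fstype in DEFAULT_IGNORED:
        return user_listed and user_list_overrides_ignore
    if user_listed or fstype in default_monitored_for(version):
        return True
    # Anything else is "unknown": watched only if the policy says so.
    return not ignore_unknown_filesystems


def plan_from_mounts(mounts_text: str, **policy) -> dict[str, bool]:
    """Classify /proc/mounts-format lines (dev mountpoint fstype opts ...).

    Returns {mountpoint: monitored?}. Mount points with spaces are
    octal-escaped in /proc/mounts, so whitespace splitting is safe.
    """
    plan: dict[str, bool] = {}
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        _device, mountpoint, fstype = fields[:3]
        plan[mountpoint] = is_monitored(fstype, **policy)
    return plan


# Constructed sample in /proc/mounts format, not captured from a real host.
SAMPLE_MOUNTS = """\
/dev/vda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
fileserver:/export /mnt/share nfs4 rw,relatime,vers=4.2 0 0
/dev/loop0 /snap/core/1 squashfs ro,nodev,relatime 0 0
overlay /var/lib/docker/overlay2/abc/merged overlay rw,relatime 0 0
"""

if __name__ == "__main__":
    # Same policy (nfs4 explicitly listed) before and after the 8.7 change:
    # /mnt/share is only monitored on 8.7+.
    for version in ("8.6.0", "8.7.0"):
        plan = plan_from_mounts(SAMPLE_MOUNTS, version=version,
                                monitored_filesystems=("nfs4",))
        print(version, sorted(m for m, on in plan.items() if on))
```

To check a real host, feed the contents of /proc/self/mounts to plan_from_mounts with the policy values from the integration; the mount points reported as not monitored are the ones where Endpoint's file events will be silent, which is the practical consequence of the ignore list and of the network-filesystem recommendation.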
