
Elastic Defend: Adds info about supported Linux file systems#5276

Draft
benironside wants to merge 3 commits intomainfrom
2935

Conversation

@benironside
Contributor

Fixes #5274 by adding information about which Linux file systems Elastic Defend can and cannot monitor.

Generative AI disclosure

  1. Did you use a generative AI (GenAI) tool to assist in creating this contribution?
  • Yes
  • [x] No

@github-actions
Contributor

github-actions bot commented Feb 24, 2026

✅ Vale Linting Results

No issues found on modified lines!


The Vale linter checks documentation changes against the Elastic Docs style guide.

To use Vale locally or report issues, refer to Elastic style guide for Vale.


@benironside benironside marked this pull request as ready for review February 24, 2026 02:08
@benironside benironside requested a review from a team as a code owner February 24, 2026 02:08
Contributor

@nicholasberlin nicholasberlin left a comment


Out-of-the-box defaults

With default advanced options, i.e. ignore_unknown_filesystems: true, and both user lists empty, Endpoint does the following:

  • Monitors ext2, ext3, ext4, overlay, tmpfs, vfat, btrfs, zfs, xfs
  • Ignores all 29 filesystems in the default ignore list
  • All other filesystems are ignored as unknown

With default advanced options, except ignore_unknown_filesystems as false:

  • Ignores all 29 filesystems in the default ignore list
  • All other filesystems are monitored

Advanced option precedence

Here's a breakdown of Endpoint's decision tree from two perspectives:

  1. Endpoint encounters a filesystem not on the default ignore list.
  2. Endpoint encounters a filesystem on the default ignore list.

1. Not on default ignore list (by order of precedence):

  • in ignored_filesystems -- strongest, always forces ignore
  • in monitored_filesystems -- monitored
  • in default monitor list -- monitored
  • not in any list
    • ignore_unknown_filesystems is true -- ignored
    • ignore_unknown_filesystems is false -- monitored

2. On default ignore list (by order of precedence):

  • in monitored_filesystems -- monitored
  • otherwise -- ignored

Even when configured to monitor all file systems (`ignore_unknown_filesystems` is `false`), {{elastic-defend}} will still ignore specific file systems that Elastic has internally identified as incompatible. The following settings apply to any *other* file systems.

:::{dropdown} View incompatible file systems
{{elastic-defend}} cannot monitor the following incompatible file systems:
Contributor


"cannot" is inaccurate. This is a list of filesystems ignored by default. Since 8.7, this list can be overridden by the advanced option: monitored_filesystems (prior to 8.7, the advanced option did not override).

It is not recommended to override them, especially for network-backed filesystems like nfs. There's already a note on line 100 about this.
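The precedence rules laid out in the review comment above, modelled as an added Python example so they can be checked against a host's mount table. This is illustration code written for this page, not Elastic Endpoint's own implementation. `DEFAULT_MONITORED` is the default monitor list quoted in the comment; `DEFAULT_IGNORED` is an assumed stand-in for the 29-entry default ignore list, which the page does not enumerate (only `nfs` is named as a filesystem ignored by default). The `/proc/mounts` sample is constructed, and the `ntfs3` mount stands in for any type that appears in no list.

```python
"""Model of the Elastic Defend Linux filesystem monitoring decision tree
described in the review comment.  Added illustration, not Endpoint code.
Implements the 8.7+ semantics, where monitored_filesystems can override
the default ignore list."""
from dataclasses import dataclass

# Default monitor list as quoted in the review comment.
DEFAULT_MONITORED = frozenset(
    {"ext2", "ext3", "ext4", "overlay", "tmpfs", "vfat", "btrfs", "zfs", "xfs"}
)
# ASSUMPTION: placeholder for the real 29-entry default ignore list, which the
# page does not enumerate.  Only "nfs" is named on the page.
DEFAULT_IGNORED = frozenset({"nfs"})


@dataclass(frozen=True)
class AdvancedOptions:
    """The three advanced options named in the comment, with their defaults."""
    ignore_unknown_filesystems: bool = True
    ignored_filesystems: frozenset = frozenset()
    monitored_filesystems: frozenset = frozenset()


def decide(fs_type: str, opts: AdvancedOptions) -> tuple[bool, str]:
    """Return (monitored?, reason) for one filesystem type, following the
    precedence order given in the review comment."""
    if fs_type in DEFAULT_IGNORED:
        # Branch 2: on the default ignore list.  The comment names only
        # monitored_filesystems as an override for this branch.
        if fs_type in opts.monitored_filesystems:
            return True, "default-ignored, overridden by monitored_filesystems"
        return False, "default-ignored"
    # Branch 1: not on the default ignore list, strongest rule first.
    if fs_type in opts.ignored_filesystems:
        return False, "in ignored_filesystems (strongest)"
    if fs_type in opts.monitored_filesystems:
        return True, "in monitored_filesystems"
    if fs_type in DEFAULT_MONITORED:
        return True, "in default monitor list"
    if opts.ignore_unknown_filesystems:
        return False, "unknown, ignore_unknown_filesystems=true"
    return True, "unknown, ignore_unknown_filesystems=false"


def _unescape(field: str) -> str:
    # /proc/mounts escapes whitespace in paths as octal (\040 = space, \011 = tab).
    return field.replace("\\040", " ").replace("\\011", "\t")


def classify_mounts(
    proc_mounts: str, opts: AdvancedOptions
) -> dict[str, tuple[str, bool, str]]:
    """Map each mount point in /proc/mounts-format text to (fs_type, monitored?, reason).
    Fields are: device mountpoint fstype options dump pass."""
    result = {}
    for line in proc_mounts.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or malformed line
        mount_point, fs_type = _unescape(parts[1]), parts[2]
        monitored, reason = decide(fs_type, opts)
        result[mount_point] = (fs_type, monitored, reason)
    return result


# Constructed sample in /proc/mounts format; not captured from a real host.
SAMPLE_PROC_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
overlay /var/lib/docker/overlay2/abc/merged overlay rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
10.0.0.5:/export /mnt/share nfs rw,vers=4.1 0 0
/dev/sdb1 /data ntfs3 rw,relatime 0 0
"""

if __name__ == "__main__":
    scenarios = [
        ("defaults", AdvancedOptions()),
        ("ignore_unknown_filesystems=false",
         AdvancedOptions(ignore_unknown_filesystems=False)),
        ("monitored_filesystems=[nfs]",
         AdvancedOptions(monitored_filesystems=frozenset({"nfs"}))),
    ]
    for label, opts in scenarios:
        print(f"--- {label}")
        for mp, (fs, mon, why) in classify_mounts(SAMPLE_PROC_MOUNTS, opts).items():
            print(f"{mp:45} {fs:8} {'MONITOR' if mon else 'ignore':8} {why}")
```

Running the three scenarios shows the two points the comment makes: flipping `ignore_unknown_filesystems` to `false` picks up `/data` (an unknown type) but still leaves `/mnt/share` (on the default ignore list) alone, and only an explicit `monitored_filesystems` entry brings `nfs` back, which is exactly the override the comment advises against for network-backed filesystems.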

@benironside benironside marked this pull request as draft February 24, 2026 19:22


Development

Successfully merging this pull request may close these issues.

Add default filesystems monitored/ignored by Linux Endpoints and document an 8.7 change

2 participants