FAQ: Why do I see blank fields in my FIM events?
If you see the following blank fields in your FIM events, then you may not be able to receive all of the enriched metadata available for those events:
- uid
- auid
- gid
- session
- arguments
- command
- pid
- ppid
- containerId
- containerImage
- containerLabels
- NOTE: containerLabels are shown only on contributing events, not on raw events
- pod_uid
- pod_name
As a workaround, you can use a previous version of the enriched FIM metadata.
To switch to the previous version:
- Open the Command Line.
- Run one of the following commands:
- If you use a default distribution implementation, then run this command:
sudo tsagent config --set enable_legacy_fim true - If you use Docker or Kubernetes, then, in the THREATSTACK_CONFIG_ARGS environmental variable, add the following command:
enable_legacy_fim true - If you use a different orchestration tool, then set this variable to true:
enable_legacy_fim true
- If you use a default distribution implementation, then run this command:
- Restart the F5 Distributed Cloud App Infrastructure Protection (AIP) Agent.