---
title: Configure Linux file system monitoring
description: This page explains how you can configure which filesystems Elastic Defend monitors on your Linux hosts. By default, Elastic Defend monitors specific Linux...
url: https://www.elastic.co/elastic/docs-builder/docs/3028/solutions/security/configure-elastic-defend/configure-linux-file-system-monitoring
products:
- Elastic Cloud Serverless
- Elastic Security
applies_to:
- Serverless Security projects: Generally available
- Elastic Stack: Generally available
---
# Configure Linux file system monitoring
This page explains how you can configure which filesystems Elastic Defend monitors on your Linux hosts.
By default, Elastic Defend monitors specific Linux filesystem types that Elastic has tested for compatibility, and ignores all others.
Elastic Defend monitors the following file systems by default:
- ext2
- ext3
- ext4
- overlay
- tmpfs
- vfat
- xfs
- btrfs
- zfs
However, you can implement different behavior by configuring the advanced settings related to **fanotify**, a Linux feature that monitors file system events.
## Configure fanotify advanced settings
- Find **Policies** in the navigation menu or by using the [global search field](https://www.elastic.co/elastic/docs-builder/docs/3028/explore-analyze/find-and-organize/find-apps-and-objects).
- Click a policy’s name.
- Scroll down and select **Show advanced settings**.
From here, you can change the following settings:
- `linux.advanced.fanotify.ignore_unknown_filesystems` (boolean)
- `linux.advanced.fanotify.monitored_filesystems` (list)
- `linux.advanced.fanotify.ignored_filesystems` (list)
More details about each setting appear below.
Determines whether to ignore file systems that are neither monitored by default nor listed under `linux.advanced.fanotify.monitored_filesystems`. Enter one of the following:
- `true`: (Default) Monitor only the monitored-by-default file systems and any listed as `monitored_filesystems`.
- `false`: Monitor all filesystems except the ignored-by-default filesystems and any listed as `ignored_filesystems`.
Even when `ignore_unknown_filesystems` is `false`, Elastic Defend still ignores the following file systems unless they're in `linux.advanced.fanotify.monitored_filesystems`:
Elastic Defend does not monitor the following file systems unless they are in `linux.advanced.fanotify.monitored_filesystems`:
- cifs
- lustre
- nfs
- nfs4
- smbfs
- autofs
- binfmt_misc
- bpf
- cgroup
- cgroup2
- configfs
- debugfs
- devpts
- devtmpfs
- efivarfs
- fuse.gvfsd-fuse
- fuse.portal
- fusectl
- hugetlbfs
- inotifyfs
- mqueue
- nfsd
- nsfs
- proc
- pstore
- rpc_pipefs
- securityfs
- selinuxfs
- sysfs
- tracefs
Specifies file systems to monitor. Enter a comma-separated list of [file system names](#find-file-system-names) as they appear in `/proc/filesystems` (for example: `jfs,ufs,ramfs`).
It’s recommended to avoid monitoring network-backed file systems.
Entries in this setting are overridden by entries in `ignored_filesystems`.
Specifies filesystems to ignore. Enter a comma-separated list of [file system names](#find-file-system-names) as they appear in `/proc/filesystems` (for example: `ext4,tmpfs`).
Entries in this setting override entries in `monitored_filesystems` and the `linux.advanced.fanotify.ignore_unknown_filesystems: false` setting.
Ignoring filesystems can create gaps in your security coverage. Use additional security layers for ignored filesystems.
## Btrfs subvolume monitoring
Btrfs (B-tree file system) is a Linux file system that supports subvolumes — independent directory trees that can be mounted separately within a single file system. Some Linux distributions mount only Btrfs subvolumes without mounting the root volume.
Due to a limitation in fanotify, Elastic Defend cannot directly monitor Btrfs subvolumes. Fanotify can only monitor the root of a Btrfs file system.
If your Linux hosts use Btrfs with subvolume-only mounts, you must also mount the Btrfs root volume to enable malware protection coverage. Without the root volume mounted, Elastic Defend cannot detect or prevent malware on files within those subvolumes.
## Find file system names
This section provides a few ways to determine the file system names needed for `linux.advanced.fanotify.monitored_filesystems` and `linux.advanced.fanotify.ignored_filesystems`.
In a typical setup, when you install Elastic Agent, Filebeat is installed alongside Elastic Endpoint and will automatically ship Elastic Endpoint logs to Elasticsearch. Elastic Endpoint will generate a log message about the file that was scanned when an event occurs.
To find the system file name:
1. Find **Hosts** in the navigation menu, or search for `Security/Explore/Hosts` by using the [global search field](https://www.elastic.co/elastic/docs-builder/docs/3028/explore-analyze/find-and-organize/find-apps-and-objects).
2. From the Hosts page, search for `message: "Current sync path"` to reveal the file path.
3. If you have access to the endpoint, run `findmnt -o FSTYPE -T ` to return the file system. For example:
```shell
> findmnt -o FSTYPE -T /etc/passwd
FSTYPE
ext4
```
This returns the file system name as `ext4`.
Alternatively, you can also find the file system name by correlating data from two other log messages:
1. Search the logs for `message: "Current fdinfo"` to reveal the `mnt_id` value of the file path. In this example, the `mnt_id` value is `29`:
```shell
pos: 12288
flags: 02500002
mnt_id: 29
ino: 2367737
```
2. Search the logs for `message: "Current mountinfo"` to reveal the file system that corresponds to the `mnt_id` value you found in the previous step:
```shell
29 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw,errors=remount-ro
```
The first number, `29`, is the `mnt_id`, and the first field after the hyphen (`-`) is the file system name, `ext4`.