
Using scan_at_start with include_files does not work #27273

@strawgate

For confirmed bugs, please report:

  • Version: 7.13.1
  • Operating System: Windows
  • Discuss Forum URL:
  • Steps to Reproduce:

auditbeat.yml:

{
   "logging":{
      "level":"debug"
   },
   "auditbeat":{
      "modules":[
         {
            "module":"file_integrity",
            "paths":[
               "C:\\Users"
            ],
            "include_files":[
               "\\\\test\\.txt"
            ],
            "scan_at_start":true,
            "scan_rate_per_sec":"10 MiB",
            "max_file_size":"100 MiB",
            "hash_types":[
               "sha256"
            ],
            "recursive":true,
            "tags":"test"
         }
      ]
   }
}

This should scan test.txt (or do absolutely nothing if my match is bad) and produce a single event on initial scan. It should then produce events when the file is modified.

Instead it scans the entire users directory, outputting an event for every file, and then it monitors test.txt for changes:

Example event output that shouldn't have been:

2021-08-07T16:08:01.046-0500	DEBUG	[file_integrity]	file_integrity/metricset.go:291	File changed since it was last seen	{"file_path": "C:\\Users\\scandinavia\\AppData\\Local\\Temp\\yp4ggz2k.fy0\\resources\\app\\ServiceHub\\Services\\Microsoft.Developer.IdentityService\\zh-Hans", "took": 0, "event": {"action": "created", "old": null, "new": {"timestamp":"2021-08-07T21:08:01.0444163Z","path":"C:\\Users\\scandinavia\\AppData\\Local\\Temp\\yp4ggz2k.fy0\\resources\\app\\ServiceHub\\Services\\Microsoft.Developer.IdentityService\\zh-Hans","info":{"inode":281474977567954,"uid":0,"gid":0,"sid":"","owner":"","group":"","size":0,"mtime":"2021-07-20T08:08:30.9743538Z","ctime":"2021-07-07T03:48:23.7612897Z","type":"dir","mode":2147484159,"setuid":false,"setgid":false,"origin":null},"source":"scan","action":"created"}}}
2021-08-07T16:08:01.049-0500	DEBUG	[processors]	processing/processors.go:203	Publish event: {
  "@timestamp": "2021-08-07T21:08:01.044Z",
  "@metadata": {
    "beat": "auditbeat",
    "type": "_doc",
    "version": "7.13.1"
  },
  "host": {
    "name": "scandinavia"
  },
  "agent": {
    "id": "b195b53f-9e49-4d29-bd1e-7dc5ed6381b3",
    "name": "scandinavia",
    "type": "auditbeat",
    "version": "7.13.1",
    "hostname": "scandinavia",
    "ephemeral_id": "942ed043-31fd-472d-89ae-9506f4e0d541"
  },
  "service": {
    "type": "file_integrity"
  },
  "file": {
    "drive_letter": "C",
    "path": "C:\\Users\\scandinavia\\AppData\\Local\\Temp\\yp4ggz2k.fy0\\resources\\app\\ServiceHub\\Services\\Microsoft.Developer.IdentityService\\zh-Hans",
    "inode": "281474977567954",
    "mtime": "2021-07-20T08:08:30.974Z",
    "ctime": "2021-07-07T03:48:23.761Z",
    "type": "dir"
  },
  "event": {
    "module": "file_integrity",
    "dataset": "file",
    "kind": "event",
    "category": [
      "file"
    ],
    "type": [
      "creation"
    ],
    "action": [
      "created"
    ]
  },
  "tags": [
    "test"
  ],
  "ecs": {
    "version": "1.9.0"
  }
}
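The mismatch described above can be checked independently of the beat. The following Go snippet is an added example, not auditbeat's own code; it assumes that include_files entries are Go regular expressions matched against the full path, and it shows that the reporter's pattern selects test.txt while rejecting the zh-Hans directory from the debug log, i.e. the filter itself is not the cause of the extra events.

```go
package main

import (
	"fmt"
	"regexp"
)

// FilterScan applies include_files-style filtering to the paths an initial scan
// produced: a path is kept only if at least one pattern matches it. Assumed here:
// entries are Go regexps tested against the full path, so the reporter's JSON value
// "\\\\test\\.txt" decodes to \\test\.txt (backslash, test, dot, txt); an empty list admits everything.
func FilterScan(exprs []string, scanned []string) ([]string, error) {
	if len(exprs) == 0 {
		return scanned, nil
	}
	var patterns []*regexp.Regexp
	for _, e := range exprs {
		// Compile up front so a bad expression fails at startup instead of silently matching nothing.
		re, err := regexp.Compile(e)
		if err != nil {
			return nil, fmt.Errorf("include_files %q: %w", e, err)
		}
		patterns = append(patterns, re)
	}
	var kept []string
	for _, p := range scanned {
		for _, re := range patterns {
			if re.MatchString(p) {
				kept = append(kept, p)
				break
			}
		}
	}
	return kept, nil
}

func main() {
	// Constructed sample paths; the second is the directory from the debug log above.
	scanned := []string{
		`C:\Users\scandinavia\test.txt`,
		`C:\Users\scandinavia\AppData\Local\Temp\yp4ggz2k.fy0\resources\app\ServiceHub\Services\Microsoft.Developer.IdentityService\zh-Hans`,
		`C:\Users\scandinavia\mytest.txt`, // no separator directly before "test", so not matched
	}
	kept, err := FilterScan([]string{`\\test\.txt`}, scanned)
	if err != nil {
		panic(err)
	}
	fmt.Println(kept) // [C:\Users\scandinavia\test.txt]
}
```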
