Here are some troubleshooting tips for the FIM application.
If you suspend scanning (enable the "suspend data collection" option) in a cloud agent configuration profile applied on an agent activated for FIM, and then assign a FIM monitoring profile to that agent, the FIM manifest does not get downloaded on the agent. The FIM manifest gets downloaded once you enable scanning on the agent.
The FIM process on the cloud agent host uses netlink to communicate with the audit system in order to get event notifications. For the FIM process to continuously function, it requires permanent access to netlink.
If any other process on the host (for example auditd) gets hold of netlink, the FIM process tries to establish access to netlink every ten minutes. The FIM process gets access to netlink only after the other process releases access to it.
Until the FIM process regains access to netlink, you may face some issues. For instance, if you have an agent running FIM successfully and you restart the agent or the agent gets self-patched, the cloud platform may not receive FIM events for a while after the restart. This happens because the FIM rules are not restored upon restart while the FIM process does not have access to netlink.
This happens if you are using 2.0.2 agents (Linux) upgraded to version 2.1 through selfpatch. Agent version 2.0.2 required auditd to be disabled on the host. Upgrading 2.0.2 agents to 2.1 through selfpatch retains this configuration, such that the newly introduced setting UseAuditDispatcher is set to 0 (exclusive mode - auditd not running).
To fix this issue, use the configuration tool located at /usr/local/qualys/cloud-agent/qualys-cloud-agent.sh to set UseAuditDispatcher=1 (auditd compatibility mode). This allows FIM to run along with auditd enabled.
Agents on version 1.x are set to UseAuditDispatcher=1 when they are self-patched to 2.1. A fresh installation of the 2.1 agent comes with UseAuditDispatcher=1 by default, so you can run FIM along with auditd enabled.
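To confirm whether auditd is the process holding netlink on an affected host, the following check (an added example, not part of the Qualys agent or its documentation) parses `auditctl -s` and compares the registered audit PID with the UseAuditDispatcher value you pass as the only argument. It assumes the `pid` field of `auditctl -s` identifies the process holding the audit netlink; the function names and verdict labels are hypothetical.

```shell
#!/bin/sh
# Added diagnostic example; not shipped with the agent.

# Print the PID registered with the kernel audit subsystem, read from
# `auditctl -s` output on stdin. Prints 0 when no process is registered.
# Handles "pid 812" (one field per line) and the older "pid=812" layout.
audit_owner_pid() {
    awk '{ for (i = 1; i <= NF; i++) {
               if ($i == "pid" && i < NF) { print $(i + 1); f = 1; exit }
               if ($i ~ /^pid=[0-9]+$/) { sub(/^pid=/, "", $i); print $i; f = 1; exit }
           } }
         END { if (!f) print 0 }'
}

# fim_netlink_verdict MODE PID COMM
#   MODE = current UseAuditDispatcher value (0 exclusive, 1 auditd compatibility)
#   PID/COMM = process registered with the audit subsystem (labels are hypothetical)
fim_netlink_verdict() {
    if [ "$2" = "0" ]; then
        echo "FREE"        # no process currently holds the audit netlink
    elif [ "$3" = "auditd" ] && [ "$1" = "0" ]; then
        echo "CONFLICT"    # exclusive mode set, but auditd holds netlink
    elif [ "$3" = "auditd" ]; then
        echo "COMPAT"      # auditd holds netlink, agent in compatibility mode
    else
        echo "OTHER"       # another process (possibly the agent) holds it
    fi
}

# main MODE: the operator supplies MODE, since where the agent stores the
# setting is not assumed here.
main() {
    mode=$1
    status=$(auditctl -s) || { echo "auditctl -s failed (run as root)" >&2; return 2; }
    pid=$(printf '%s\n' "$status" | audit_owner_pid)
    name=""
    if [ "$pid" != "0" ]; then name=$(ps -o comm= -p "$pid"); fi
    verdict=$(fim_netlink_verdict "$mode" "$pid" "$name")
    echo "audit owner pid=$pid comm=${name:-none} UseAuditDispatcher=$mode -> $verdict"
    [ "$verdict" != "CONFLICT" ]   # non-zero exit status on conflict
}

if [ "$#" -ge 1 ]; then main "$@"; fi
```

A CONFLICT verdict corresponds to the case described above, which is fixed by setting UseAuditDispatcher=1 with the configuration tool.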