File Integrity Monitoring not working


Victoria Babasanmi

Jul 8, 2021, 3:15:52 AM
to Wazuh mailing list
Hi,

For some reason, I am unable to get the file integrity monitor to work. See my configuration below. Kindly advise on configuration changes.

 <!-- File integrity monitoring -->
  <syscheck>
    <enabled>yes</enabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Generate alert when new file detected -->
    <alert_new_files>yes</alert_new_files>

    <!-- Don't ignore files that change more than 'frequency' times -->
    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>

    <!-- Directories to check  (perform all possible verifications) -->
    
    <directories check_all="yes" realtime="yes" report_changes="yes">C:\Users\toria\Downloads</directories>
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories>/bin,/sbin,/boot</directories>
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" realtime="yes">C:\tmp</directories>
    
    <windows_registry arch="both" check_all="yes">HKEY_LOCAL_MACHINE\SOFTWARE</windows_registry>
    <windows_registry arch="32bit" check_all="no" check_mtime="yes">HKEY_LOCAL_MACHINE\SYSTEM\Setup</windows_registry>
    
    <directories check_all="yes" realtime="yes" report_changes="yes">/test</directories>
    <windows_registry arch="64bit" report_changes="yes">HKEY_LOCAL_MACHINE\SYSTEM\Setup</windows_registry>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>
    <skip_dev>yes</skip_dev>
    <skip_proc>yes</skip_proc>
    <skip_sys>yes</skip_sys>

    <!-- Nice value for Syscheck process -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>100</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_interval>1h</max_interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

Best Regards,

mauro.e...@wazuh.com

Jul 8, 2021, 3:44:22 AM
to Wazuh mailing list
Hi,

I see you are mixing *nix and Windows stanzas; this is most likely the cause of FIM failing to work.

If this is set up in an agent's ossec.conf:
- On *nix environment, remove the <windows_registry> blocks as well as any blocks with Windows specific paths like 'C:\tmp'
- On Windows environment, the *nix style paths shouldn't be a problem, but I would remove them to keep things tidy.

After any changes are applied to ossec.conf, remember to restart the agent for them to take effect.

If this is set up in a centralized agent.conf, you will need to split the configuration in blocks specifying which OS they apply to, kindly check the following documentation link and ask if you have any doubts:

You can also check the agent's logs for any messages that could lead to explaining why FIM is not starting, by default they are found under /var/ossec/logs/ossec.log and C:\Program Files (x86)\ossec-agent\ossec.log

Best regards,
Mauro.
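One way to do the split described above, as an added example that is not part of the thread: a centralized agent.conf on the manager (under /var/ossec/etc/shared/<group>/agent.conf; the group name is whatever the agents are enrolled in and is assumed here) that puts the Windows and Linux paths from the posted configuration into separate blocks selected by the os attribute, so each agent only receives the stanzas that apply to it.

```xml
<!-- /var/ossec/etc/shared/<group>/agent.conf (example, not the poster's file) -->

<!-- Applied only to agents whose OS string contains "Windows" -->
<agent_config os="Windows">
  <syscheck>
    <directories check_all="yes" realtime="yes" report_changes="yes">C:\Users\toria\Downloads</directories>
    <directories check_all="yes" realtime="yes">C:\tmp</directories>

    <windows_registry arch="both" check_all="yes">HKEY_LOCAL_MACHINE\SOFTWARE</windows_registry>
    <windows_registry arch="32bit" check_all="no" check_mtime="yes">HKEY_LOCAL_MACHINE\SYSTEM\Setup</windows_registry>
    <windows_registry arch="64bit" report_changes="yes">HKEY_LOCAL_MACHINE\SYSTEM\Setup</windows_registry>
  </syscheck>
</agent_config>

<!-- Applied only to agents whose OS string contains "Linux" -->
<agent_config os="Linux">
  <syscheck>
    <directories check_all="yes" realtime="yes" report_changes="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot</directories>
    <directories check_all="yes" realtime="yes" report_changes="yes">/test</directories>

    <nodiff>/etc/ssl/private.key</nodiff>
  </syscheck>
</agent_config>
```

Run /var/ossec/bin/verify-agent-conf on the manager after editing; a syntax error stops the file from being pushed to the agents. The shared configuration is merged with each agent's local ossec.conf rather than replacing it, so Windows-only stanzas still have to be removed from a *nix agent's local file for the error to go away.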

mauro.e...@wazuh.com

Jul 8, 2021, 7:59:32 AM
to Wazuh mailing list
Hi again,

The integrator feature works with alerts, not with the FIM inventory. If the file you downloaded has not been modified lately then it will not generate an alert, have you tried deleting and downloading it again? The fact that the file shows up in the inventory tells me that the directory is almost certainly being monitored correctly.

Best regards,
Mauro.

On Thursday, July 8, 2021 at 12:46:48 PM UTC+2 thetor...@gmail.com wrote:
Hello,

I am able to see it in the inventory, but not on the dashboard. The said file I downloaded is a virus. I have integrated with VirusTotal but it isn't being detected as such. Kindly find attached my VirusTotal configuration.

Best Regards
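The manager-side integration block that the VirusTotal lookup hinges on, as an added example rather than the configuration attached to the message above: it goes in the manager's /var/ossec/etc/ossec.conf, the API key is a placeholder, and the group filter is what ties it to FIM. integratord only hands alerts in the listed rule groups to the script, which is why a file that appears in the FIM inventory without producing a syscheck alert never reaches VirusTotal.

```xml
<!-- /var/ossec/etc/ossec.conf on the manager (example, not the poster's attachment) -->
<ossec_config>
  <integration>
    <name>virustotal</name>
    <api_key>REPLACE_WITH_VIRUSTOTAL_API_KEY</api_key>
    <!-- only alerts carrying the syscheck rule group are sent; the script
         takes the file hash from the alert and queries VirusTotal for it -->
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>
```

Restart the manager after adding the block. Successful lookups come back as separate alerts in the virustotal rule group, so they only ever appear after the originating syscheck alert has been written to alerts.json.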

Victoria Babasanmi

Jul 8, 2021, 8:29:13 AM
to mauro.e...@wazuh.com, Wazuh mailing list
Hello Mauro,

I deleted and redownloaded it. It still doesn't show up on the dashboard. Apart from configuring VirusTotal as an integrator, is there any other step required to get it to work?

Best Regards

mauro.e...@wazuh.com

Jul 8, 2021, 9:24:55 AM
to Wazuh mailing list
Hi,

The first requirement for this to work would be to ensure a FIM alert is triggered; could you check the alerts.json file on your manager? It is usually located under /var/ossec/logs/alerts/alerts.json. In order to test this fully I would run "tail -f /var/ossec/logs/alerts/alerts.json" and download the file; if no alert is generated, then we will need to check the agent configuration.

In order to see the active configuration being used by the agent I recommend using the dev tools on the web UI and run GET /agents/{agent_id}/config/syscheck/syscheck (replace {agent_id} with the ID of the agent where you are running the tests). If you can share the result of this query and tell me in which directory you are downloading the file, we might find the reason why no alert is being triggered.

Best regards,
Mauro.
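A small filter for the tail -f check suggested above, as an added example that is not from the thread: it reads alerts.json lines, keeps only alerts from the syscheck rule group whose path lies under the monitored directory, and reports whether each one carries the group an integration block filters on. The sample alert lines are constructed in the shape the Wazuh manager writes (rule ids 550 and 554 are the stock syscheck rules; agents, paths, hashes and timestamps are made up), and the last sample line is deliberately truncated to show how a half-written line from a live tail is skipped.

```python
import json
import sys
from typing import Iterable, Iterator, List, Tuple

# Constructed sample of alerts.json lines (one JSON object per line) laid out the
# way the Wazuh manager writes them. Agents, paths, hashes and timestamps are
# invented for this example; the final line is cut short on purpose.
SAMPLE_ALERTS = r'''
{"timestamp":"2021-07-08T10:12:01.000+0000","rule":{"level":5,"description":"File added to the system.","id":"554","groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"]},"agent":{"id":"001","name":"win10-toria"},"syscheck":{"path":"c:\\users\\toria\\downloads\\sample.exe","mode":"realtime","event":"added","sha256_after":"0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"}}
{"timestamp":"2021-07-08T10:12:05.000+0000","rule":{"level":3,"description":"sshd: authentication success.","id":"5715","groups":["syslog","sshd","authentication_success"]},"agent":{"id":"002","name":"linux-srv"},"data":{"srcip":"10.0.0.5"}}
{"timestamp":"2021-07-08T10:13:40.000+0000","rule":{"level":7,"description":"Integrity checksum changed.","id":"550","groups":["ossec","syscheck","syscheck_entry_modified","syscheck_file"]},"agent":{"id":"001","name":"win10-toria"},"syscheck":{"path":"c:\\windows\\system32\\drivers\\etc\\hosts","mode":"scheduled","event":"modified","sha256_after":"a7b6c5d4e3f2019a8b7c6d5e4f30a1b2a7b6c5d4e3f2019a8b7c6d5e4f30a1b2"}}
{"timestamp":"2021-07-08T10:13:41.000+0000","rule":{"level":5,"description":"File added to the sys
'''


def parse_alerts(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per alerts.json line, skipping blank lines and lines that
    do not decode (tail -f can hand over a line the manager is still writing)."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def _norm(path: str) -> Tuple[str, str]:
    """Return (comparable path, separator). Windows paths (drive letter or
    backslashes) are case-insensitive and the agent reports them lower-cased,
    so they are lower-cased here; POSIX paths stay case-sensitive."""
    p = path.strip()
    if "\\" in p or (len(p) > 1 and p[1] == ":"):
        return p.rstrip("\\").lower(), "\\"
    return p.rstrip("/"), "/"


def is_fim_alert(alert: dict) -> bool:
    """True when the alert was produced by the syscheck (FIM) rules."""
    return "syscheck" in alert.get("rule", {}).get("groups", [])


def matches_integration_group(alert: dict, group: str) -> bool:
    """Mirror the <group> filter of a manager <integration> block: the alert
    must carry that rule group for integratord to pass it to the script."""
    return group in alert.get("rule", {}).get("groups", [])


def path_under(alert: dict, directory: str) -> bool:
    """True when the alert's syscheck.path lies below `directory`."""
    base, sep = _norm(directory)
    path, _ = _norm(alert.get("syscheck", {}).get("path", ""))
    return path.startswith(base + sep)


def fim_alerts_under(alerts: Iterable[dict], directory: str) -> List[dict]:
    """Collect the FIM alerts for files below `directory`."""
    return [a for a in alerts if is_fim_alert(a) and path_under(a, directory)]


def summarize(alert: dict) -> str:
    s = alert["syscheck"]
    return "{} agent={} rule={} {} ({}) {}".format(
        alert["timestamp"], alert["agent"]["id"], alert["rule"]["id"],
        s.get("event", "?"), s.get("mode", "?"), s["path"])


if __name__ == "__main__":
    # Usage on the manager:
    #   tail -f /var/ossec/logs/alerts/alerts.json | python3 fim_watch.py "C:\Users\toria\Downloads"
    # Without piped input the constructed sample above is used instead.
    watch_dir = sys.argv[1] if len(sys.argv) > 1 else r"C:\Users\toria\Downloads"
    source = SAMPLE_ALERTS.splitlines() if sys.stdin.isatty() else sys.stdin
    for alert in parse_alerts(source):          # streams line by line
        if is_fim_alert(alert) and path_under(alert, watch_dir):
            print(summarize(alert))
```

If this prints nothing while a download lands in the watched directory, the agent is not producing the alert, and the agent configuration and log are the next place to look; if it prints the alert but no VirusTotal result follows, the problem is on the integration side.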

Victoria Babasanmi

Jul 8, 2021, 2:33:34 PM
to mauro.e...@wazuh.com, Wazuh mailing list
Hello Mauro,

Kindly find the result as requested. This is the folder "C:\Users\toria\Downloads" I am downloading to. 

{
  "data": {
    "syscheck": {
      "disabled": "no",
      "frequency": 43200,
      "skip_nfs": "yes",
      "skip_dev": "yes",
      "skip_sys": "yes",
      "skip_proc": "yes",
      "scan_on_start": "yes",
      "file_limit": {
        "enabled": "yes",
        "entries": 100000
      },
      "diff": {
        "disk_quota": {
          "enabled": "yes",
          "limit": 1048576
        },
        "file_size": {
          "enabled": "yes",
          "limit": 51200
        }
      },
      "directories": [
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_perm",
            "check_size",
            "check_owner",
            "check_group",
            "check_mtime",
            "check_inode",
            "realtime",
            "check_sha256sum",
            "check_attrs"
          ],
          "dir": "c:\programdata\microsoft\windows\start menu\programs\startup",
          "recursion_level": 256,
          "diff_size_limit": 51200
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_perm",
            "check_size",
            "check_owner",
            "check_group",
            "check_mtime",
            "check_inode",
            "realtime",
            "check_sha256sum",
            "check_attrs"
          ],
          "dir": "c:\users\toria\downloads",
          "recursion_level": 256,
          "diff_size_limit": 51200
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_perm",
            "check_size",
            "check_owner",
            "check_group",
            "check_mtime",
            "check_inode",
            "check_sha256sum",
            "check_attrs"
          ],
          "dir": "c:\windows",
          "recursion_level": 0,
          "restrict": "regedit.exe$|system.ini$|win.ini$",
          "diff_size_limit": 51200
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_perm",
            "check_size",
            "check_owner",
            "check_group",
            "check_mtime",
            "check_inode",
            "check_sha256sum",
            "check_attrs"
          ],
          "dir": "c:\windows\sysnative",
          "recursion_level": 0,
          "restrict": "winrm.vbs$",
          "diff_size_limit": 51200
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_perm",
            "check_size",
            "check_owner",
            "check_group",
            "check_mtime",
            "check_inode",
            "check_sha256sum",
            "check_attrs"
          ],
          "dir": "c:\windows\sysnative\drivers\etc",
          "recursion_level": 0,
          "diff_size_limit": 51200
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_perm",
            "check_size",
            "check_owner",
            "check_group",
            "check_mtime",
            "check_inode",
            "check_sha256sum",
            "check_attrs"
          ],
          "dir": "c:\windows\sysnative\wbem",
          "recursion_level": 0,
          "restrict": "wmic.exe$",
          "diff_size_limit": 51200
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_perm",
            "check_size",
            "check_owner",
            "check_group",
            "check_mtime",
            "check_inode",
            "check_sha256sum",
            "check_attrs"
          ],
          "dir": "c:\windows\sysnative\windowspowershell\v1.0",
          "recursion_level": 0,
          "restrict": "powershell.exe$",
          "diff_size_limit": 51200
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_perm",
            "check_size",
            "check_owner",
            "check_group",
            "check_mtime",
            "check_inode",
            "check_sha256sum",
            "check_attrs"
          ],
          "dir": "c:\windows\system32",
          "recursion_level": 0,
          "restrict": "winrm.vbs$",
          "diff_size_limit": 51200
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_perm",
            "check_size",
            "check_owner",
            "check_group",
            "check_mtime",
            "check_inode",
            "check_sha256sum",
            "check_attrs"
          ],
          "dir": "c:\windows\system32\drivers\etc",
          "recursion_level": 0,
          "diff_size_limit": 51200
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_perm",
            "check_size",
            "check_owner",
            "check_group",
            "check_mtime",
            "check_inode",
            "check_sha256sum",
            "check_attrs"
          ],
          "dir": "c:\windows\system32\wbem",
          "recursion_level": 0,
          "restrict": "wmic.exe$",
          "diff_size_limit": 51200
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_perm",
            "check_size",
            "check_owner",
            "check_group",
            "check_mtime",
            "check_inode",
            "check_sha256sum",
            "check_attrs"
          ],
          "dir": "c:\windows\system32\windowspowershell\v1.0",
          "recursion_level": 0,
          "restrict": "powershell.exe$",
          "diff_size_limit": 51200
        }
      ],
      "ignore": [
        "c:\programdata\microsoft\windows\start menu\programs\startup\desktop.ini"
      ],
      "ignore_sregex": [
        ".log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$"
      ],
      "windows_audit_interval": 60,
      "registry": [
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\Software\Classes\batfile",
          "arch": "32bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\Software\Classes\cmdfile",
          "arch": "32bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\Software\Classes\comfile",
          "arch": "32bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\Software\Classes\exefile",
          "arch": "32bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\Software\Classes\piffile",
          "arch": "32bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects",
          "arch": "32bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\Software\Classes\Directory",
          "arch": "32bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\Software\Classes\Folder",
          "arch": "32bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\Software\Classes\Protocols",
          "arch": "64bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\Software\Classes\Protocols",
          "arch": "32bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\Software\Policies",
          "arch": "64bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\Software\Policies",
          "arch": "32bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\Security",
          "arch": "32bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer",
          "arch": "64bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer",
          "arch": "32bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services",
          "arch": "32bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs",
          "arch": "32bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg",
          "arch": "32bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
          "arch": "64bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
          "arch": "32bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
          "arch": "64bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce",
          "arch": "32bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx",
          "arch": "32bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL",
          "arch": "64bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL",
          "arch": "32bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies",
          "arch": "64bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies",
          "arch": "32bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows",
          "arch": "64bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows",
          "arch": "32bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
          "arch": "64bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
          "arch": "32bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components",
          "arch": "64bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_sha256sum",
            "check_size",
            "check_owner",
            "check_group",
            "check_perm",
            "check_mtime",
            "check_type"
          ],
          "entry": "HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components",
          "arch": "32bit",
          "diff_size_limit": 51200,
          "recursion_level": 512
        }
      ],
      "key_ignore": [
        {
          "entry": "HKEY_LOCAL_MACHINE\Security\Policy\Secrets",
          "arch": "32bit"
        },
        {
          "entry": "HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users",
          "arch": "32bit"
        },
        {
          "entry": "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs",
          "arch": "32bit"
        },
        {
          "entry": "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP",
          "arch": "32bit"
        },
        {
          "entry": "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn",
          "arch": "32bit"
        },
        {
          "entry": "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut",
          "arch": "32bit"
        },
        {
          "entry": "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap",
          "arch": "32bit"
        },
        {
          "entry": "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo",
          "arch": "32bit"
        },
        {
          "entry": "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache",
          "arch": "32bit"
        },
        {
          "entry": "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx",
          "arch": "32bit"
        },
        {
          "entry": "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final",
          "arch": "32bit"
        }
      ],
      "key_ignore_sregex": [
        {
          "entry": "\Enum$",
          "arch": "32bit"
        }
      ],
      "allow_remote_prefilter_cmd": "no",
      "synchronization": {
        "enabled": "yes",
        "registry_enabled": "yes",
        "max_interval": 3600,
        "interval": 300,
        "response_timeout": 30,
        "queue_size": 16384,
        "max_eps": 10
      },
      "max_eps": 100,
      "process_priority": 10,
      "database": "disk"
    }
  },
  "error": 0
}

mauro.e...@wazuh.com

Jul 9, 2021, 3:17:10 AM
to Wazuh mailing list
Hi,

I'm guessing you did not see the alert being generated on the alerts.json file? I see the C:\Users\toria\Downloads directory is being properly monitored in realtime from the following block:

          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_perm",
            "check_size",
            "check_owner",
            "check_group",
            "check_mtime",
            "check_inode",
            "realtime",
            "check_sha256sum",
            "check_attrs"
          ],
          "dir": "c:\users\toria\downloads",
          "recursion_level": 256,
          "diff_size_limit": 51200
        },

Could you check the agent log on the Windows machine? If realtime is working properly you should see a message reading "(6012): Real-time file integrity monitoring started." after the initial scan on the agent has finished. You should also take the opportunity to see if there are any error or warning messages that might be affecting your agent.

Also, please confirm to me if you have been able to see the alert being generated in the alerts.json file (sorry for insisting!)

Best regards,
Mauro.

Victoria Babasanmi

Jul 12, 2021, 6:31:43 AM
to mauro.e...@wazuh.com, Wazuh mailing list
Hello Mauro,

Hope this mail meets you well. Thanks for the response.

I just checked the agent log. Real-time monitoring started. I can see the errors below. I can see that it has been detected as a virus. The question is why I cannot see the alerts on the dashboard. I am also not able to see it in alert.json.

2021/07/12 10:57:18 ossec-agent: ERROR: Could not get message for (Application)
2021/07/12 11:03:17 ossec-agent: ERROR: (6716): Could not open handle for 'c:\users\toria\downloads\unconfirmed 765367.crdownload'. Error code: 2
2021/07/12 11:03:17 ossec-agent: WARNING: At get_user(c:\users\toria\downloads\unconfirmed 765367.crdownload): CreateFile(): The system cannot find the file specified. (2)
2021/07/12 11:10:50 ossec-agent: ERROR: (6716): Could not open handle for 'c:\users\toria\downloads\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac'. Error code: 225
2021/07/12 11:10:51 ossec-agent: WARNING: At get_user(c:\users\toria\downloads\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac): CreateFile(): Operation did not complete successfully because the file contains a virus or potentially unwanted software. (225)
2021/07/12 11:10:51 ossec-agent: ERROR: (6716): Could not open handle for 'c:\users\toria\downloads\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac'. Error code: 225
2021/07/12 11:10:51 ossec-agent: WARNING: At get_user(c:\users\toria\downloads\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac): CreateFile(): Operation did not complete successfully because the file contains a virus or potentially unwanted software. (225)
2021/07/12 11:10:51 ossec-agent: ERROR: (6716): Could not open handle for 'c:\users\toria\downloads\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac'. Error code: 225
2021/07/12 11:10:51 ossec-agent: WARNING: At get_user(c:\users\toria\downloads\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac): CreateFile(): Operation did not complete successfully because the file contains a virus or potentially unwanted software. (225)
2021/07/12 11:10:51 ossec-agent: ERROR: (6716): Could not open handle for 'c:\users\toria\downloads\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac'. Error code: 225
2021/07/12 11:10:51 ossec-agent: WARNING: At get_user(c:\users\toria\downloads\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac): CreateFile(): Operation did not complete successfully because the file contains a virus or potentially unwanted software. (225)
2021/07/12 11:10:51 ossec-agent: ERROR: (6716): Could not open handle for 'c:\users\toria\downloads\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac'. Error code: 225
2021/07/12 11:10:51 ossec-agent: WARNING: At get_user(c:\users\toria\downloads\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac): CreateFile(): Operation did not complete successfully because the file contains a virus or potentially unwanted software. (225)
2021/07/12 11:10:51 ossec-agent: ERROR: (6716): Could not open handle for 'c:\users\toria\downloads\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac'. Error code: 225
2021/07/12 11:10:51 ossec-agent: WARNING: At get_user(c:\users\toria\downloads\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac): CreateFile(): Operation did not complete successfully because the file contains a virus or potentially unwanted software. (225)
2021/07/12 11:10:51 ossec-agent: ERROR: (6716): Could not open handle for 'c:\users\toria\downloads\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac'. Error code: 225
2021/07/12 11:10:51 ossec-agent: WARNING: At get_user(c:\users\toria\downloads\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac\91bfa2445d998425c81f30d293235429ca6a8c6c8f326536478952a2a6754aac): CreateFile(): Operation did not complete successfully because the file contains a virus or potentially unwanted software. (225)

Best Regards

mauro.e...@wazuh.com

Jul 12, 2021, 8:33:43 AM
to Wazuh mailing list
Hi,

In this case, Windows itself is preventing Wazuh from opening the file due to it being a virus. Since Windows does not allow us to open the file, we won't be able to analyze it and report on it.

I think you will need to find a different way to complement FIM in this regard. Windows Defender might be reporting the virus on the Security channel in Event Viewer; if this is the case, monitoring that eventchannel might allow you to implement a couple of rules regarding potential viruses and unwanted software.

I will open an issue on our GitHub repo so we can investigate these error codes further and come up with some way to send an alert, so that it doesn't end up being silent on Kibana. (I will post the issue here once I open it so you can follow up on it.)

Best regards,
Mauro.
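The Defender eventchannel approach suggested above, written out as an added example; this is not part of the original thread and not Wazuh's own ruleset. Microsoft Defender records its detections in its own channel, Microsoft-Windows-Windows Defender/Operational, as event ID 1116 (threat detected) and 1117 (action taken), so that channel is the one to subscribe to. The first block goes in the Windows agent's ossec.conf (or in a centralized agent.conf for a Windows group); the second goes in the manager's /var/ossec/etc/rules/local_rules.xml. Several things here are assumptions rather than facts from the thread: the parent rule 60000 is taken to be Wazuh's Windows eventchannel base rule, the custom IDs 100100 and 100101 are taken to be free, and the field names threatName, path and actionName under win.eventdata follow how the eventchannel decoder usually camel-cases Defender's event data. Confirm all three against a real event in archives.json (or with the logtest tool) before relying on the rules, and check first whether the Defender rules that ship in Wazuh's default ruleset already fire for event 1116 on your version; if they do, the custom rules are only needed to change levels or descriptions.

```xml
<!-- 1) Windows agent side (ossec.conf of the agent, or the Windows group's agent.conf).
     Subscribes to Defender's Operational channel; the agent forwards each event
     to the manager as JSON, where it is handled by the eventchannel decoder. -->
<ossec_config>
  <localfile>
    <location>Microsoft-Windows-Windows Defender/Operational</location>
    <log_format>eventchannel</log_format>
    <!-- Ship only the detection/action events, not Defender's housekeeping noise.
         The query is the same XPath syntax Event Viewer uses for custom filters. -->
    <query>Event/System[EventID=1116 or EventID=1117]</query>
  </localfile>
</ossec_config>

<!-- 2) Manager side: /var/ossec/etc/rules/local_rules.xml
     Assumptions (see lead-in): 60000 is the Windows eventchannel base rule,
     100100-100101 are unused custom IDs (custom rules must be in 100000-120000),
     and the win.eventdata field names match what the decoder produces. -->
<group name="windows,windows_defender,local,">

  <!-- 1116: Defender detected malware or a potentially unwanted application.
       This is the event that fires for the Downloads case in the thread, where
       FIM itself could not open the file (error 225). -->
  <rule id="100100" level="12">
    <if_sid>60000</if_sid>
    <field name="win.system.providerName">^Microsoft-Windows-Windows Defender$</field>
    <field name="win.system.eventID">^1116$</field>
    <description>Windows Defender detected $(win.eventdata.threatName) in $(win.eventdata.path)</description>
    <group>malware,</group>
  </rule>

  <!-- 1117: Defender acted on the threat (quarantine, remove, block, ...) -->
  <rule id="100101" level="10">
    <if_sid>60000</if_sid>
    <field name="win.system.providerName">^Microsoft-Windows-Windows Defender$</field>
    <field name="win.system.eventID">^1117$</field>
    <description>Windows Defender action "$(win.eventdata.actionName)" on $(win.eventdata.threatName) ($(win.eventdata.path))</description>
    <group>malware,</group>
  </rule>
</group>
```

Restart the Windows agent after the first change and the manager after the second. To test without a live sample, drop the EICAR test file into the monitored Downloads folder: Defender raises 1116 followed by 1117, and the manager should write an alert with rule.id 100100 to alerts.json whose win.eventdata.path points at the Downloads path, which is exactly the event FIM was unable to produce on its own.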

mauro.e...@wazuh.com

Jul 12, 2021, 8:48:08 AM
to Wazuh mailing list
Here is the issue I created, feel free to add any further information to it. https://github.com/wazuh/wazuh/issues/9251

Victoria Babasanmi

Jul 12, 2021, 10:32:20 AM
to mauro.e...@wazuh.com, Wazuh mailing list
Hello Mauro,

I'm experiencing this same issue with the Ubuntu test systems, and there is no error in the Ubuntu agent's log.

Best Regards


mauro.e...@wazuh.com

Jul 13, 2021, 2:18:49 AM
to Wazuh mailing list
Hi again!

First things first, have you changed the configuration on your *nix agents to not have any Windows specific paths and tags? Specifically the <windows_registry> tag is not supported on *nix systems and could cause the agent to not start properly. Check the status of the agent with any of these commands:

systemctl status wazuh-agent
/var/ossec/bin/ossec-control status
ps aux | grep [o]ssec

With any of them, you should see ossec-syscheckd as running in order for FIM to work. If you could issue the same API query that you used earlier for the Windows agent but using the ID of one of the Ubuntu agents and tell me where you are placing the infected file, that would also be of help.

If you are not getting any alerts at all on the alerts.json file (not just from FIM), then that is why you are not seeing any new events on the web UI. You should check the <jsonout_output> tag is set to yes on your manager's configuration and check that it is properly opening the alerts.json file by using lsof (if available):

root@server:/home/vagrant# lsof /var/ossec/logs/alerts/alerts.json
COMMAND    PID  USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
wazuh-ana 1575 wazuh   15w   REG    8,1     6953 2566614 /var/ossec/logs/alerts/alerts.json
filebeat  3776  root    8r   REG    8,1     6953 2566614 /var/ossec/logs/alerts/alerts.json


Best regards,
Mauro.

Victoria Babasanmi

Jul 14, 2021, 4:13:29 AM
to mauro.e...@wazuh.com, Wazuh mailing list
Hello Mauro,

Kindly find the result as requested. This is the folder "/home/test/folder" I am downloading to. When I create new text files in the folder, they show up in the inventory, but when I download the infected file I get nothing. The agent is started properly. I get the vulnerability alerts in alerts.json.
Agent Status:
root@ubuntu:/var/ossec/etc# /var/ossec/bin/ossec-control status
wazuh-modulesd is running...
ossec-logcollector is running...
ossec-syscheckd is running...
ossec-agentd is running...
ossec-execd is running...
root@ubuntu:/var/ossec/etc# ps aux | grep [o]ssec
root        8845  0.0  0.0  18336   888 pts/0    T    Jul12   0:00 nano ossec.conf
root        8882  0.0  0.0  18336   844 pts/0    T    Jul12   0:00 nano ossec.conf
root       15355  0.0  0.0  22064   792 ?        Sl   Jul12   0:08 /var/ossec/bin/ossec-execd
ossec      15366  0.1  0.1 309172  2064 ?        Sl   Jul12   3:16 /var/ossec/bin/ossec-agentd
root       15380  0.0  0.2 320156  4260 ?        SNl  Jul12   1:19 /var/ossec/bin/ossec-syscheckd
root       15392  0.0  0.0 390712   788 ?        Sl   Jul12   0:48 /var/ossec/bin/ossec-logcollector
root       15408  0.0  0.3 497300  6636 ?        Sl   Jul12   2:29 /var/ossec/bin/wazuh-modulesd

DEV tools get script output
            "check_sha256sum"
          ],
          "dir": "/bin",

          "recursion_level": 256,
          "diff_size_limit": 51200
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_perm",
            "check_size",
            "check_owner",
            "check_group",
            "check_mtime",
            "check_inode",
            "check_sha256sum"
          ],
          "dir": "/boot",

          "recursion_level": 256,
          "diff_size_limit": 51200
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_perm",
            "check_size",
            "check_owner",
            "check_group",
            "check_mtime",
            "check_inode",
            "check_sha256sum"
          ],
          "dir": "/etc",

          "recursion_level": 256,
          "diff_size_limit": 51200
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_perm",
            "check_size",
            "check_owner",
            "check_group",
            "check_mtime",
            "check_inode",
            "realtime",
            "report_changes",
            "check_sha256sum"
          ],
          "dir": "/home/test/folder",

          "recursion_level": 256,
          "diff_size_limit": 51200
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_perm",
            "check_size",
            "check_owner",
            "check_group",
            "check_mtime",
            "check_inode",
            "check_sha256sum"
          ],
          "dir": "/sbin",

          "recursion_level": 256,
          "diff_size_limit": 51200
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_perm",
            "check_size",
            "check_owner",
            "check_group",
            "check_mtime",
            "check_inode",
            "check_sha256sum"
          ],
          "dir": "/usr/bin",

          "recursion_level": 256,
          "diff_size_limit": 51200
        },
        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_perm",
            "check_size",
            "check_owner",
            "check_group",
            "check_mtime",
            "check_inode",
            "check_sha256sum"
          ],
          "dir": "/usr/sbin",

          "recursion_level": 256,
          "diff_size_limit": 51200
        }
      ],
      "nodiff": [
        "/etc/ssl/private.key"
      ],
      "ignore": [
        "/etc/mtab",
        "/etc/hosts.deny",
        "/etc/mail/statistics",
        "/etc/random-seed",
        "/etc/random.seed",
        "/etc/adjtime",
        "/etc/httpd/logs",
        "/etc/utmpx",
        "/etc/wtmpx",
        "/etc/cups/certs",
        "/etc/dumpdates",
        "/etc/svc/volatile"
      ],
      "ignore_sregex": [
        ".log$|.swp$"
      ],
      "whodata": {
        "restart_audit": "yes",
        "startup_healthcheck": "yes"

      },
      "allow_remote_prefilter_cmd": "no",
      "synchronization": {
        "enabled": "yes",
        "max_interval": 3600,
        "interval": 300,
        "response_timeout": 30,
        "queue_size": 16384,
        "max_eps": 10
      },
      "max_eps": 100,
      "process_priority": 10,
      "database": "disk"
    }
  },
  "error": 0
}

mauro.e...@wazuh.com

Jul 14, 2021, 4:52:35 AM
to Wazuh mailing list
Again I see that the directory is properly configured, and the fact that you do get alerts on other files confirms it.

        {
          "opts": [
            "check_md5sum",
            "check_sha1sum",
            "check_perm",
            "check_size",
            "check_owner",
            "check_group",
            "check_mtime",
            "check_inode",
            "realtime",
            "report_changes",
            "check_sha256sum"
          ],
          "dir": "/home/test/folder",
          "recursion_level": 256,
          "diff_size_limit": 51200
        },

Does the server have any other security software that might be blocking access to the file? If you checked the logs and no errors or warnings are being issued, it might be worth it to turn on debug mode and check if there are any clues on those logs.

In order to turn on debug mode for FIM you will need to add the following line in the internal options file located at /var/ossec/etc/local_internal_options.conf in your agent and restart it:
syscheck.debug=2

Once the initial scan is done, try to download the infected file again and check the logs. If you need help you can share it here (after removing any public IPs, API keys or sensitive information in general).

Best regards,
Mauro.

Victoria Babasanmi

Jul 14, 2021, 8:23:59 AM
to mauro.e...@wazuh.com, Wazuh mailing list
Hi Mauro,

See the logs below:

2021/07/14 13:17:49 ossec-syscheckd[38881] fim_diff_changes.c:432 at fim_file_diff(): DEBUG: (6351): The files are identical, don't compute differences
2021/07/14 13:17:49 ossec-syscheckd[38881] run_check.c:97 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"/home/test/folder/d1e0553b8f4923e4bd8361b408daf6f5c47e140fcd98bb9fbca068b861a235c2.zip","mode":"realtime","type":"modified","timestamp":1626265069,"attributes":{"type":"file","size":104083,"perm":"rw-rw-r--","uid":"1000","gid":"1000","user_name":"test","group_name":"test","inode":662656,"mtime":1626265069,"hash_md5":"6ecb4020abc43324be1550db6d323100","hash_sha1":"3b259e0928aeaf6ed57432d76c979ef25e9a5ee9","hash_sha256":"71cb5c020a9ef54ff6a4da8db5ca1611aa9d893d89d01de0d9e510bc0cfb7649","checksum":"1abfa106580fcba72717bb5b49bd8a3e0674c51b"},"changed_attributes":["size","md5","sha1","sha256"],"old_attributes":{"type":"file","size":34451,"perm":"rw-rw-r--","uid":"1000","gid":"1000","user_name":"test","group_name":"test","inode":662656,"mtime":1626265069,"hash_md5":"fa0fc78493fed2baa48106f5e11a2088","hash_sha1":"941411372e52a3915cd261a137c2f094b9d957e9","hash_sha256":"a4132bd43eff90b5db65e80c4ad2c9890915b1c43e9747dced3de9c56b78d3e2","checksum":"5ce025297b03e127eed27aec0b508f73b99b3927"},"content_changes":"Binary files /var/ossec/queue/diff/tmp/tmp-entry and /home/test/folder/d1e0553b8f4923e4bd8361b408daf6f5c47e140fcd98bb9fbca068b861a235c2.zip differ\n"}}
2021/07/14 13:17:49 ossec-syscheckd[38881] fim_diff_changes.c:432 at fim_file_diff(): DEBUG: (6351): The files are identical, don't compute differences
2021/07/14 13:17:49 ossec-syscheckd[38881] run_check.c:97 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"/home/test/folder/d1e0553b8f4923e4bd8361b408daf6f5c47e140fcd98bb9fbca068b861a235c2.zip","mode":"realtime","type":"modified","timestamp":1626265069,"attributes":{"type":"file","size":138899,"perm":"rw-rw-r--","uid":"1000","gid":"1000","user_name":"test","group_name":"test","inode":662656,"mtime":1626265069,"hash_md5":"20a46e37ba34c1704f76cbb849b4ca70","hash_sha1":"f958b7c1ac280d5c006446b885123af5b56d62a5","hash_sha256":"a57d03c3e95d70901ebb6994538e599e02bbb32ac1bf1b8bac5f5513712f1dd8","checksum":"2b37e39d8c4f307353771f6fe37a66e22d1a91c6"},"changed_attributes":["size","md5","sha1","sha256"],"old_attributes":{"type":"file","size":104083,"perm":"rw-rw-r--","uid":"1000","gid":"1000","user_name":"test","group_name":"test","inode":662656,"mtime":1626265069,"hash_md5":"6ecb4020abc43324be1550db6d323100","hash_sha1":"3b259e0928aeaf6ed57432d76c979ef25e9a5ee9","hash_sha256":"71cb5c020a9ef54ff6a4da8db5ca1611aa9d893d89d01de0d9e510bc0cfb7649","checksum":"1abfa106580fcba72717bb5b49bd8a3e0674c51b"},"content_changes":"Binary files /var/ossec/queue/diff/tmp/tmp-entry and /home/test/folder/d1e0553b8f4923e4bd8361b408daf6f5c47e140fcd98bb9fbca068b861a235c2.zip differ\n"}}
2021/07/14 13:17:49 ossec-syscheckd[38881] run_check.c:97 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"/home/test/folder/d1e0553b8f4923e4bd8361b408daf6f5c47e140fcd98bb9fbca068b861a235c2.zip","mode":"realtime","type":"modified","timestamp":1626265069,"attributes":{"type":"file","size":243347,"perm":"rw-rw-r--","uid":"1000","gid":"1000","user_name":"test","group_name":"test","inode":662656,"mtime":1626265069,"hash_md5":"279c8809a54d49eef5bb1073babc0284","hash_sha1":"4f7551f573812e823ab419a8d0b8e4f97f20f3de","hash_sha256":"fe9d37659244e2b0018c9ce24a25427be9f55ef56883a3c8dec7f1728e19d907","checksum":"c4361adf8bcaf068a472ded3ddacd17aa6e3768d"},"changed_attributes":["size","md5","sha1","sha256"],"old_attributes":{"type":"file","size":138899,"perm":"rw-rw-r--","uid":"1000","gid":"1000","user_name":"test","group_name":"test","inode":662656,"mtime":1626265069,"hash_md5":"20a46e37ba34c1704f76cbb849b4ca70","hash_sha1":"f958b7c1ac280d5c006446b885123af5b56d62a5","hash_sha256":"a57d03c3e95d70901ebb6994538e599e02bbb32ac1bf1b8bac5f5513712f1dd8","checksum":"2b37e39d8c4f307353771f6fe37a66e22d1a91c6"},"content_changes":"Binary files /var/ossec/queue/diff/tmp/tmp-entry and /home/test/folder/d1e0553b8f4923e4bd8361b408daf6f5c47e140fcd98bb9fbca068b861a235c2.zip differ\n"}}
2021/07/14 13:17:49 ossec-syscheckd[38881] run_check.c:97 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"/home/test/folder/d1e0553b8f4923e4bd8361b408daf6f5c47e140fcd98bb9fbca068b861a235c2.zip","mode":"realtime","type":"modified","timestamp":1626265069,"attributes":{"type":"file","size":260755,"perm":"rw-rw-r--","uid":"1000","gid":"1000","user_name":"test","group_name":"test","inode":662656,"mtime":1626265069,"hash_md5":"ef5a592a273981462ec6cbbd95cf665b","hash_sha1":"2ee378d0e57cf1e115a8878be24db69f3ba38097","hash_sha256":"fe67603888c2cc08f030f1c6b2c6db06817a44a300af05270aac3b4bea3ffb1c","checksum":"b217abac75cd49290b131ea996f56165f89d4c09"},"changed_attributes":["size","md5","sha1","sha256"],"old_attributes":{"type":"file","size":243347,"perm":"rw-rw-r--","uid":"1000","gid":"1000","user_name":"test","group_name":"test","inode":662656,"mtime":1626265069,"hash_md5":"279c8809a54d49eef5bb1073babc0284","hash_sha1":"4f7551f573812e823ab419a8d0b8e4f97f20f3de","hash_sha256":"fe9d37659244e2b0018c9ce24a25427be9f55ef56883a3c8dec7f1728e19d907","checksum":"c4361adf8bcaf068a472ded3ddacd17aa6e3768d"},"content_changes":"Binary files /var/ossec/queue/diff/tmp/tmp-entry and /home/test/folder/d1e0553b8f4923e4bd8361b408daf6f5c47e140fcd98bb9fbca068b861a235c2.zip differ\n"}}
2021/07/14 13:17:49 ossec-syscheckd[38881] run_check.c:97 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"/home/test/folder/d1e0553b8f4923e4bd8361b408daf6f5c47e140fcd98bb9fbca068b861a235c2.zip","mode":"realtime","type":"modified","timestamp":1626265069,"attributes":{"type":"file","size":365203,"perm":"rw-rw-r--","uid":"1000","gid":"1000","user_name":"test","group_name":"test","inode":662656,"mtime":1626265069,"hash_md5":"1029f3bfd1c12d05a8c755187b1e21ed","hash_sha1":"38fb64327160ba9381d465589ffd0e7d28807b37","hash_sha256":"7ef2a8affd1662987a1570e76beaa1d90159d3ea62bffdfc0334c7c222c4498f","checksum":"194db177c5a1da05cdcca6c28abac93179eaf4b9"},"changed_attributes":["size","md5","sha1","sha256"],"old_attributes":{"type":"file","size":260755,"perm":"rw-rw-r--","uid":"1000","gid":"1000","user_name":"test","group_name":"test","inode":662656,"mtime":1626265069,"hash_md5":"ef5a592a273981462ec6cbbd95cf665b","hash_sha1":"2ee378d0e57cf1e115a8878be24db69f3ba38097","hash_sha256":"fe67603888c2cc08f030f1c6b2c6db06817a44a300af05270aac3b4bea3ffb1c","checksum":"b217abac75cd49290b131ea996f56165f89d4c09"},"content_changes":"Binary files /var/ossec/queue/diff/tmp/tmp-entry and /home/test/folder/d1e0553b8f4923e4bd8361b408daf6f5c47e140fcd98bb9fbca068b861a235c2.zip differ\n"}}
2021/07/14 13:17:49 ossec-syscheckd[38881] run_check.c:97 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"/home/test/folder/d1e0553b8f4923e4bd8361b408daf6f5c47e140fcd98bb9fbca068b861a235c2.zip","mode":"realtime","type":"modified","timestamp":1626265069,"attributes":{"type":"file","size":400019,"perm":"rw-rw-r--","uid":"1000","gid":"1000","user_name":"test","group_name":"test","inode":662656,"mtime":1626265069,"hash_md5":"6d19c655e583cd532943b054b88de218","hash_sha1":"195b5736dff2c6615f83692d195da9ac62249324","hash_sha256":"9b0904f63b1273a0f57390c640183fefb5cb376b3c8e486124fef87332ed4bcf","checksum":"f3cc95a12c7726959a9b114bd06ca6bfe0f028df"},"changed_attributes":["size","md5","sha1","sha256"],"old_attributes":{"type":"file","size":365203,"perm":"rw-rw-r--","uid":"1000","gid":"1000","user_name":"test","group_name":"test","inode":662656,"mtime":1626265069,"hash_md5":"1029f3bfd1c12d05a8c755187b1e21ed","hash_sha1":"38fb64327160ba9381d465589ffd0e7d28807b37","hash_sha256":"7ef2a8affd1662987a1570e76beaa1d90159d3ea62bffdfc0334c7c222c4498f","checksum":"194db177c5a1da05cdcca6c28abac93179eaf4b9"},"content_changes":"Binary files /var/ossec/queue/diff/tmp/tmp-entry and /home/test/folder/d1e0553b8f4923e4bd8361b408daf6f5c47e140fcd98bb9fbca068b861a235c2.zip differ\n"}}
2021/07/14 13:17:49 ossec-syscheckd[38881] run_realtime.c:191 at realtime_process(): DEBUG: Duplicate event in real-time buffer: /home/test/folder/d1e0553b8f4923e4bd8361b408daf6f5c47e140fcd98bb9fbca068b861a235c2.zip
2021/07/14 13:17:49 ossec-syscheckd[38881] run_check.c:97 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"/home/test/folder/d1e0553b8f4923e4bd8361b408daf6f5c47e140fcd98bb9fbca068b861a235c2.zip","mode":"realtime","type":"modified","timestamp":1626265069,"attributes":{"type":"file","size":448139,"perm":"rw-rw-r--","uid":"1000","gid":"1000","user_name":"test","group_name":"test","inode":662656,"mtime":1554368940,"hash_md5":"d088c258751048f3feefbf4e9a688a6a","hash_sha1":"c9692d614c8b79191ecc4ff8375fb5bdbdaaa601","hash_sha256":"2c76f3e55a276f5a79270412d0920ee358668eec906955fc79478c1aa9a647d2","checksum":"38edf13082a228eba9afd7f42a1504a2d3dafcf0"},"changed_attributes":["size","mtime","md5","sha1","sha256"],"old_attributes":{"type":"file","size":400019,"perm":"rw-rw-r--","uid":"1000","gid":"1000","user_name":"test","group_name":"test","inode":662656,"mtime":1626265069,"hash_md5":"6d19c655e583cd532943b054b88de218","hash_sha1":"195b5736dff2c6615f83692d195da9ac62249324","hash_sha256":"9b0904f63b1273a0f57390c640183fefb5cb376b3c8e486124fef87332ed4bcf","checksum":"f3cc95a12c7726959a9b114bd06ca6bfe0f028df"},"content_changes":"Binary files /var/ossec/queue/diff/tmp/tmp-entry and /home/test/folder/d1e0553b8f4923e4bd8361b408daf6f5c47e140fcd98bb9fbca068b861a235c2.zip differ\n"}}
2021/07/14 13:17:49 ossec-syscheckd[38881] fim_diff_changes.c:432 at fim_file_diff(): DEBUG: (6351): The files are identical, don't compute differences
2021/07/14 13:17:49 ossec-syscheckd[38881] run_check.c:97 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"/home/test/folder/d1e0553b8f4923e4bd8361b408daf6f5c47e140fcd98bb9fbca068b861a235c2.zip","mode":"realtime","type":"modified","timestamp":1626265069,"attributes":{"type":"file","size":138899,"perm":"rw-rw-r--","uid":"1000","gid":"1000","user_name":"test","group_name":"test","inode":662656,"mtime":1626265069,"hash_md5":"20a46e37ba34c1704f76cbb849b4ca70","hash_sha1":"f958b7c1ac280d5c006446b885123af5b56d62a5","hash_sha256":"a57d03c3e95d70901ebb6994538e599e02bbb32ac1bf1b8bac5f5513712f1dd8","checksum":"2b37e39d8c4f307353771f6fe37a66e22d1a91c6"},"changed_attributes":["size","md5","sha1","sha256"],"old_attributes":{"type":"file","size":104083,"perm":"rw-rw-r--","uid":"1000","gid":"1000","user_name":"test","group_name":"test","inode":662656,"mtime":1626265069,"hash_md5":"6ecb4020abc43324be1550db6d323100","hash_sha1":"3b259e0928aeaf6ed57432d76c979ef25e9a5ee9","hash_sha256":"71cb5c020a9ef54ff6a4da8db5ca1611aa9d893d89d01de0d9e510bc0cfb7649","checksum":"1abfa106580fcba72717bb5b49bd8a3e0674c51b"},"content_changes":"Binary files /var/ossec/queue/diff/tmp/tmp-entry and /home/test/folder/d1e0553b8f4923e4bd8361b408daf6f5c47e140fcd98bb9fbca068b861a235c2.zip differ\n"}}
2021/07/14 13:17:49 ossec-syscheckd[38881] run_check.c:97 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"/home/test/folder/d1e0553b8f4923e4bd8361b408daf6f5c47e140fcd98bb9fbca068b861a235c2.zip","mode":"realtime","type":"modified","timestamp":1626265069,"attributes":{"type":"file","size":243347,"perm":"rw-rw-r--","uid":"1000","gid":"1000","user_name":"test","group_name":"test","inode":662656,"mtime":1626265069,"hash_md5":"279c8809a54d49eef5bb1073babc0284","hash_sha1":"4f7551f573812e823ab419a8d0b8e4f97f20f3de","hash_sha256":"fe9d37659244e2b0018c9ce24a25427be9f55ef56883a3c8dec7f1728e19d907","checksum":"c4361adf8bcaf068a472ded3ddacd17aa6e3768d"},"changed_attributes":["size","md5","sha1","sha256"],"old_attributes":{"type":"file","size":138899,"perm":"rw-rw-r--","uid":"1000","gid":"1000","user_name":"test","group_name":"test","inode":662656,"mtime":1626265069,"hash_md5":"20a46e37ba34c1704f76cbb849b4ca70","hash_sha1":"f958b7c1ac280d5c006446b885123af5b56d62a5","hash_sha256":"a57d03c3e95d70901ebb6994538e599e02bbb32ac1bf1b8bac5f5513712f1dd8","checksum":"2b37e39d8c4f307353771f6fe37a66e22d1a91c6"},"content_changes":"Binary files /var/ossec/queue/diff/tmp/tmp-entry and /home/test/folder/d1e0553b8f4923e4bd8361b408daf6f5c47e140fcd98bb9fbca068b861a235c2.zip differ\n"}}
2021/07/14 13:17:49 ossec-syscheckd[38881] run_check.c:97 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"/home/test/folder/d1e0553b8f4923e4bd8361b408daf6f5c47e140fcd98bb9fbca068b861a235c2.zip","mode":"realtime","type":"modified","timestamp":1626265069,"attributes":{"type":"file","size":260755,"perm":"rw-rw-r--","uid":"1000","gid":"1000","user_name":"test","group_name":"test","inode":662656,"mtime":1626265069,"hash_md5":"ef5a592a273981462ec6cbbd95cf665b","hash_sha1":"2ee378d0e57cf1e115a8878be24db69f3ba38097","hash_sha256":"fe67603888c2cc08f030f1c6b2c6db06817a44a300af05270aac3b4bea3ffb1c","checksum":"b217abac75cd49290b131ea996f56165f89d4c09"},"changed_attributes":["size","md5","sha1","sha256"],"old_attributes":{"type":"file","size":243347,"perm":"rw-rw-r--","uid":"1000","gid":"1000","user_name":"test","group_name":"test","inode":662656,"mtime":1626265069,"hash_md5":"279c8809a54d49eef5bb1073babc0284","hash_sha1":"4f7551f573812e823ab419a8d0b8e4f97f20f3de","hash_sha256":"fe9d37659244e2b0018c9ce24a25427be9f55ef56883a3c8dec7f1728e19d907","checksum":"c4361adf8bcaf068a472ded3ddacd17aa6e3768d"},"content_changes":"Binary files /var/ossec/queue/diff/tmp/tmp-entry and /home/test/folder/d1e0553b8f4923e4bd8361b408daf6f5c47e140fcd98bb9fbca068b861a235c2.zip differ\n"}}
2021/07/14 13:17:49 ossec-syscheckd[38881] run_check.c:97 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"/home/test/folder/d1e0553b8f4923e4bd8361b408daf6f5c47e140fcd98bb9fbca068b861a235c2.zip","mode":"realtime","type":"modified","timestamp":1626265069,"attributes":{"type":"file","size":365203,"perm":"rw-rw-r--","uid":"1000","gid":"1000","user_name":"test","group_name":"test","inode":662656,"mtime":1626265069,"hash_md5":"1029f3bfd1c12d05a8c755187b1e21ed","hash_sha1":"38fb64327160ba9381d465589ffd0e7d28807b37","hash_sha256":"7ef2a8affd1662987a1570e76beaa1d90159d3ea62bffdfc0334c7c222c4498f","checksum":"194db177c5a1da05cdcca6c28abac93179eaf4b9"},"changed_attributes":["size","md5","sha1","sha256"],"old_attributes":{"type":"file","size":260755,"perm":"rw-rw-r--","uid":"1000","gid":"1000","user_name":"test","group_name":"test","inode":662656,"mtime":1626265069,"hash_md5":"ef5a592a273981462ec6cbbd95cf665b","hash_sha1":"2ee378d0e57cf1e115a8878be24db69f3ba38097","hash_sha256":"fe67603888c2cc08f030f1c6b2c6db06817a44a300af05270aac3b4bea3ffb1c","checksum":"b217abac75cd49290b131ea996f56165f89d4c09"},"content_changes":"Binary files /var/ossec/queue/diff/tmp/tmp-entry and /home/test/folder/d1e0553b8f4923e4bd8361b408daf6f5c47e140fcd98bb9fbca068b861a235c2.zip differ\n"}}
2021/07/14 13:17:49 ossec-syscheckd[38881] run_check.c:97 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"/home/test/folder/d1e0553b8f4923e4bd8361b408daf6f5c47e140fcd98bb9fbca068b861a235c2.zip","mode":"realtime","type":"modified","timestamp":1626265069,"attributes":{"type":"file","size":400019,"perm":"rw-rw-r--","uid":"1000","gid":"1000","user_name":"test","group_name":"test","inode":662656,"mtime":1626265069,"hash_md5":"6d19c655e583cd532943b054b88de218","hash_sha1":"195b5736dff2c6615f83692d195da9ac62249324","hash_sha256":"9b0904f63b1273a0f57390c640183fefb5cb376b3c8e486124fef87332ed4bcf","checksum":"f3cc95a12c7726959a9b114bd06ca6bfe0f028df"},"changed_attributes":["size","md5","sha1","sha256"],"old_attributes":{"type":"file","size":365203,"perm":"rw-rw-r--","uid":"1000","gid":"1000","user_name":"test","group_name":"test","inode":662656,"mtime":1626265069,"hash_md5":"1029f3bfd1c12d05a8c755187b1e21ed","hash_sha1":"38fb64327160ba9381d465589ffd0e7d28807b37","hash_sha256":"7ef2a8affd1662987a1570e76beaa1d90159d3ea62bffdfc0334c7c222c4498f","checksum":"194db177c5a1da05cdcca6c28abac93179eaf4b9"},"content_changes":"Binary files /var/ossec/queue/diff/tmp/tmp-entry and /home/test/folder/d1e0553b8f4923e4bd8361b408daf6f5c47e140fcd98bb9fbca068b861a235c2.zip differ\n"}}
2021/07/14 13:17:49 ossec-syscheckd[38881] run_realtime.c:191 at realtime_process(): DEBUG: Duplicate event in real-time buffer: /home/test/folder/d1e0553b8f4923e4bd8361b408daf6f5c47e140fcd98bb9fbca068b861a235c2.zip
2021/07/14 13:17:49 ossec-syscheckd[38881] run_check.c:97 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"/home/test/folder/d1e0553b8f4923e4bd8361b408daf6f5c47e140fcd98bb9fbca068b861a235c2.zip","mode":"realtime","type":"modified","timestamp":1626265069,"attributes":{"type":"file","size":448139,"perm":"rw-rw-r--","uid":"1000","gid":"1000","user_name":"test","group_name":"test","inode":662656,"mtime":1554368940,"hash_md5":"d088c258751048f3feefbf4e9a688a6a","hash_sha1":"c9692d614c8b79191ecc4ff8375fb5bdbdaaa601","hash_sha256":"2c76f3e55a276f5a79270412d0920ee358668eec906955fc79478c1aa9a647d2","checksum":"38edf13082a228eba9afd7f42a1504a2d3dafcf0"},"changed_attributes":["size","mtime","md5","sha1","sha256"],"old_attributes":{"type":"file","size":400019,"perm":"rw-rw-r--","uid":"1000","gid":"1000","user_name":"test","group_name":"test","inode":662656,"mtime":1626265069,"hash_md5":"6d19c655e583cd532943b054b88de218","hash_sha1":"195b5736dff2c6615f83692d195da9ac62249324","hash_sha256":"9b0904f63b1273a0f57390c640183fefb5cb376b3c8e486124fef87332ed4bcf","checksum":"f3cc95a12c7726959a9b114bd06ca6bfe0f028df"},"content_changes":"Binary files /var/ossec/queue/diff/tmp/tmp-entry and /home/test/folder/d1e0553b8f4923e4bd8361b408daf6f5c47e140fcd98bb9fbca068b861a235c2.zip differ\n"}}

mauro.e...@wazuh.com

unread,
Jul 14, 2021, 9:11:43 AM7/14/21
to Wazuh mailing list
Ok, from those logs I can tell that there should be 7 alerts generated on /home/test/folder/d1e0553b8f4923e4bd8361b408daf6f5c47e140fcd98bb9fbca068b861a235c2.zip, which means the agent is properly sending the information to the manager. If no alert is showing up for this file under alerts.json, then it might be that you have a custom rule that is silencing the alert. If you already know which rule could be doing this, great! Otherwise, I recommend setting the <logall_json> option to yes in your manager, restarting it and trying to download the file one more time in the agent. The events being forwarded will show up under /var/ossec/logs/archives/archives.json and should give us more insight on why they are not triggering alerts. As soon as you are done with this last test you should set <logall_json> back to no if you are in a production environment, this option is quite verbose and could potentially cause your manager to fill the hard drive.

Victoria Babasanmi

unread,
Jul 15, 2021, 3:21:34 AM7/15/21
to mauro.e...@wazuh.com, Wazuh mailing list
Hello Mauro,

Kindly find attached the archive.json file

Best Regards,
Victoria

archives.json

mauro.e...@wazuh.com

unread,
Jul 15, 2021, 4:13:28 AM7/15/21
to Wazuh mailing list
Hi,

I can see the events being processed by the manager and the rules being correctly matched, I've attached a file with them. The events properly show the rules 550 and 554 being matched with levels 5 and 7 respectively, for the following files:

/home/test/folder/c487ddbe93f098818949bb9c45e3708c5673579c08cbe9ee7fffa1c08a15edb7.zip
/home/test/folder/c487ddbe93f098818949bb9c45e3708c5673579c08cbe9ee7fffa1c08a15edb7
/home/test/folder/48fd524f066695b87ab0aae7b9def7d122cf5937fa995babd533f7c89729d9d0.zip
/home/test/folder/48fd524f066695b87ab0aae7b9def7d122cf5937fa995babd533f7c89729d9d0

Those events should be translated to alerts directly unless the <log_alert_level> is set to something higher than 5 or 7 in your manager, are those not generating alerts?

Best regards,
Mauro.
archives-filtered.json
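
To make the two manager-side checks in Mauro's replies concrete (the <logall_json> toggle that writes every event to archives.json, and the <log_alert_level> threshold that decides whether a matched rule is stored in alerts.json), here is a small Python script I added to the thread; it is not Wazuh's code and not something either poster shared. It assumes the documented behaviour that an alert is stored only when the matched rule's level is greater than or equal to log_alert_level (default 3). The ossec.conf fragment and the archives.json lines embedded in it are constructed for illustration, modelled on the rules quoted above (550 at level 5, 554 at level 7, plus one low-level non-FIM event), not copied from the attachments.

```python
"""
Added example: which archives.json events would reach alerts.json?

This script is mine, not Wazuh's code and not part of the thread. It models
the two manager settings discussed above:
  * <global><logall_json>   -- when "yes", every event (alerting or not) is
    written to /var/ossec/logs/archives/archives.json;
  * <alerts><log_alert_level> -- an event is stored as an alert only when the
    matched rule's level is >= this threshold (Wazuh's default is 3).
The ossec.conf fragment and the archives.json lines below are constructed for
illustration, modelled on the rules Mauro quoted (550 at level 5, 554 at
level 7); they are not copied from the attachments.
"""
import json
import xml.etree.ElementTree as ET

# Constructed manager config: archives enabled, but the alert threshold sits
# above the levels of the FIM rules, which is the failure mode in the thread.
SAMPLE_OSSEC_CONF = """<ossec_config>
  <global>
    <logall_json>yes</logall_json>
  </global>
  <alerts>
    <log_alert_level>8</log_alert_level>
  </alerts>
</ossec_config>"""

# Constructed archives.json content: one JSON object per line. Only the
# fields this script reads are included; rule descriptions are paraphrased.
SAMPLE_ARCHIVES = "\n".join(json.dumps(e) for e in [
    {"rule": {"id": "550", "level": 5, "description": "Integrity checksum changed."},
     "syscheck": {"path": "/home/test/folder/c487ddbe93f098818949bb9c45e3708c5673579c08cbe9ee7fffa1c08a15edb7.zip",
                  "event": "modified"},
     "agent": {"name": "ubuntu"}},
    {"rule": {"id": "554", "level": 7, "description": "File added to the system."},
     "syscheck": {"path": "/home/test/folder/48fd524f066695b87ab0aae7b9def7d122cf5937fa995babd533f7c89729d9d0.zip",
                  "event": "added"},
     "agent": {"name": "ubuntu"}},
    # A non-FIM event at a low level, to show the threshold applies to every rule.
    {"rule": {"id": "5402", "level": 3, "description": "Successful sudo to ROOT executed."},
     "agent": {"name": "ubuntu"}},
])


def manager_settings(conf_xml):
    """Read logall_json and log_alert_level from an ossec.conf string,
    falling back to Wazuh's defaults (no / 3) when an element is absent."""
    root = ET.fromstring(conf_xml)
    logall = (root.findtext("./global/logall_json") or "no").strip().lower() == "yes"
    level_txt = root.findtext("./alerts/log_alert_level")
    level = int(level_txt.strip()) if level_txt else 3
    return {"logall_json": logall, "log_alert_level": level}


def parse_archives(text):
    """archives.json is newline-delimited JSON; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(conf_xml, archives_text):
    """Split archived events into those the manager would store as alerts and
    those the log_alert_level threshold silently drops, and report the lowest
    threshold that would surface every FIM (syscheck) event seen."""
    settings = manager_settings(conf_xml)
    alerted, suppressed = [], []
    for ev in parse_archives(archives_text):
        rule = ev.get("rule", {})
        entry = {
            "rule_id": rule.get("id"),
            "level": int(rule.get("level", 0)),
            "path": ev.get("syscheck", {}).get("path"),
        }
        (alerted if entry["level"] >= settings["log_alert_level"] else suppressed).append(entry)

    fim_levels = [e["level"] for e in alerted + suppressed if e["path"]]
    warnings = []
    if suppressed:
        warnings.append(
            f"{len(suppressed)} event(s) matched a rule but fell below "
            f"log_alert_level={settings['log_alert_level']}; they never reach alerts.json")
    if settings["logall_json"]:
        warnings.append("logall_json is still 'yes'; set it back to 'no' once troubleshooting is done")
    return {
        "settings": settings,
        "alerted": alerted,
        "suppressed": suppressed,
        "min_level_for_all_fim": min(fim_levels) if fim_levels else None,
        "warnings": warnings,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_OSSEC_CONF, SAMPLE_ARCHIVES), indent=2))
```

To use it on a real manager, replace the two constructed samples with the contents of /var/ossec/etc/ossec.conf and /var/ossec/logs/archives/archives.json. Two things it deliberately does not model: a rule carrying <options>no_log</options> is never stored regardless of level, and a custom rule that matches first at a lower level (the silencing Mauro initially suspected) shows up in archives.json under its own id and level, which is exactly what the suppressed list makes visible.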

Victoria Babasanmi

unread,
Jul 15, 2021, 7:05:57 AM7/15/21
to Wazuh mailing list
Hello Mauro,

Thanks for your help. I reduced the alert level to 3 . It is reporting properly on the dashboard.

Best Regards,
Victoria
