Unable to monitor >100,000 files — <file_limit> appears ignored on Windows agent (FIM / syscheck)

38 views
Skip to first unread message

amjad...@gmail.com

unread,
Dec 1, 2025, 1:56:48 AM (yesterday) Dec 1
to wa...@googlegroups.com

Hello everyone 

I’m using Wazuh 4.14 with File Integrity Monitoring (FIM) / syscheck on a Windows file-server. I have the following setup:

  • Large data directories on the server (~ 350,000 files).

  • In my centralized agent configuration (pushed to the Windows agent) I defined:

  • <agent_config name="FileServer">
  <syscheck>
    ...
    <file_limit>
      <enabled>yes</enabled>
      <entries>500000</entries>
    </file_limit>
    ...
  </syscheck>
</agent_config>

  • However, despite this setting I receive alerts indicating that the “maximum limit of files monitored has been reached” at 100,000 — i.e. Wazuh seems to ignore or revert to the default limit.

What I observe

  • The agent’s FIM database never tracks beyond 100,000 files.

  • Any additional files — even though there are far more on disk — are not monitored and no further monitoring events are generated for them.

  • The behavior persists across configuration reloads / agent restarts.

What I tried

  • Defined a high entry value (500,000).

  • Ensured config is correctly applied to the manager and agent.

  • Verified that remote configuration is properly pushed.

My questions to the community

  1. Is <file_limit> still supported and functional for FIM / syscheck under Wazuh 4.14 on Windows agents?

  2. If yes — are there additional prerequisites or configuration parameters (beyond <file_limit>) to make large-scale monitoring work (e.g. disabling whodata, adjusting threads, database performance settings)?

  3. If not — what is the recommended approach with Wazuh to monitor very large Windows file-servers (hundreds of thousands or millions of files)?

  4. Are there known limitations or bugs in Wazuh’s FIM module that prevent scaling beyond ~100,000 files on Windows agents, even if configuration requests a higher limit?

  5. Are there any alternative modules, settings, or external tools suggested for robust monitoring under such scale, while still integrating with a Wazuh-based environment?

System details

  • Wazuh manager version: 4.14

  • Agent OS: Windows (file server)

  • Total number of files expected to monitor: ~ 350,000 (and potentially growing)

  • Current behavior: monitoring stops at 100,000 files, additional files ignored

Thank you in advance for any guidance, experience or recommendations.

Best regards,

here is the alert:

Nov 30, 2025 @ 11:21:23.844

input.type:
log
agent.ip:
172.16.0.26
agent.name:
FILESERVER
agent.id:
015
manager.name:
wazuh-server
data.file_limit:
100000
data.file_count:
100000
data.fim_db_table:
file_entry
data.alert_type:
full
rule.firedtimes:
1
rule.mail:
true
rule.level:
12
rule.description:
The maximum limit of files monitored has been reached. At this moment there are 100000 files and the limit is 100000. From this moment some events can be lost. You can modify this setting in the centralized configuration or locally in the agent.
rule.groups:
wazuh, syscheck, fim_db_state
rule.id:
233
rule.gdpr:
IV_35.7.d
location:
syscheck
decoder.parent:
wazuh
decoder.name:
wazuh
id:
1764494483.52242675
full_log:
wazuh: FIM DB: {"fim_db_table":"file_entry","file_limit":100000,"file_count":100000,"alert_type":"full"}
timestamp:
Nov 30, 2025 @ 11:21:23.844
_index:
wazuh-alerts-4.x-2025.11.30



Md. Nazmur Sakib

unread,
Dec 1, 2025, 3:37:08 AM (yesterday) Dec 1
to Wazuh | Mailing List
Hello,

Sorry for the delay. I am testing this from my end. I will get back to you soon.

Md. Nazmur Sakib

unread,
Dec 1, 2025, 4:00:05 AM (yesterday) Dec 1
to Wazuh | Mailing List

Can you check if the configuration was correctly forwarded to your agent?

I could not find any bugs related to file_limit

C:\Program Files (x86)\ossec-agent\shared\agent.conf

Once you confirm that the configuration is there. Restart the agent and check if that resolves the issue.

You can also restart the agent using PowerShell with administrator privileges

Restart-Service -Name wazuh

Let me know if the issue resolves after restarting the agent.

amjad...@gmail.com

unread,
Dec 1, 2025, 5:52:54 AM (yesterday) Dec 1
to Md. Nazmur Sakib, Wazuh | Mailing List

Dear Md. Nazmur Sakib,

As requested, I have checked the agent configuration and restarted the agent using PowerShell with administrator privileges.

Attached are the following files from the File Server for your reference:

    • C:\Program Files (x86)\ossec-agent\shared\agent.conf

    • C:\Program Files (x86)\ossec-agent\ossec.conf

    Additionally, here are the last 50 lines of ossec.log after the agent restart, showing that the agent is starting correctly, connecting to the manager, and monitoring all intended directories

    The previous warning about max_files no longer appears. The agent is monitoring the business directories (E:\departments, E:\shares, E:\users) and system directories (C:\Windows, C:\Windows\System32) as expected.

    Please advise if any further steps are needed to confirm that the <file_limit> is fully applied for monitoring all ~350,000 files.



    --
    You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
    To view this discussion visit https://groups.google.com/d/msgid/wazuh/2f346cca-fc18-4c51-a04c-ac4fc53b590bn%40googlegroups.com.
    tail50.txt
    ossec.conf
    agent.conf
    Message has been deleted

    Md. Nazmur Sakib

    unread,
    1:32 AM (15 hours ago) 1:32 AM
    to Wazuh | Mailing List

    In your agent.conf(agent group configuration), I can see this configuration.

      <alert_new_files>yes</alert_new_files>

    #  <file_limit>500000</file_limit>

        <file_limit>

      <enabled>yes</enabled>

      <entries>100000</entries>

      </file_limit>


    The <file_limit>500000</file_limit> is not a valid configuration.

    Ref: file_limit

    And # is not used for commenting out lines in XML. To comment out a line, you need to define it like this.


    <!-- bla bla bla -->


    Remove that line for that agent group configuration from your Wazuh manager.

    And restart the agent.

    It seems changing the file limit for FIM needs an agent restart. It’s not changing after the hot reload automatically happens when the agent group configuration is saved. I will discuss with the team about the agent restart requirement.


    Let me know if you still face any issues with the FIM file limit.

    amjad...@gmail.com

    unread,
    6:12 AM (10 hours ago) 6:12 AM
    to Md. Nazmur Sakib, Wazuh | Mailing List
    Hello,

    Thank you for the clarification and for pointing out the invalid configuration. I will make the changes, restart the agent as suggested, and let you know if I encounter any further issues with the FIM file limit.

    Appreciate the support!

    Best regards,
    Amjad

    --
    You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
    To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
    To view this discussion visit https://groups.google.com/d/msgid/wazuh/60e0ebc8-2ef3-403b-a3dc-dce2b9cd31d1n%40googlegroups.com.
    Reply all
    Reply to author
    Forward
    0 new messages