FIM not detecting realtime of new directories and file creation
134 views
Skip to first unread message
wazuh
May 27, 2024, 3:24:42 AM5/27/24
to Wazuh | Mailing List
Hi,
I've enabled realtime detection for any changes in /var/ossec/etc/shared/*/agent.conf changes. It detects as it should be for the agent.conf files that already exist. However, whenever i create a new shared directory with a new agent.conf FIM does not recognize it in real time. It only finds it during the regular FIM checks. Is my ossec.conf incorrectly configured or is there another way to enable so it so I could detect in real time whenever a new agent.conf is added?
My current configuration:
<directories realtime="yes" report_changes="yes">/var/ossec/etc/shared/*/agent.conf</directories>
Jeremiah Kolawole
May 27, 2024, 3:56:38 AM5/27/24
to Wazuh | Mailing List
Hello,
- Instead of monitoring /var/ossec/etc/shared/*/agent.conf, monitor the parent directory /var/ossec/etc/shared/ with real-time changes enabled. This will ensure that any changes within this directory structure, including new subdirectories and new agent.conf files, are detected in real-time.
or
- Use recursive monitoring to ensure that changes in subdirectories are also picked up.
Here’s how you can modify your ossec.conf:
<directories realtime="yes" report_changes="yes" recursion_level="3">/var/ossec/etc/shared/</directories>
You can find more information here on how to achieve this.
Your current configuration is correct if you want to monitor realtime changes to the ossec.conf file, however the issue lies in how the real-time monitoring is set up for new directories and files.
Here’s how you can adjust your configuration to ensure that new agent.conf files in newly created directories are detected in real-time.
Here’s how you can adjust your configuration to ensure that new agent.conf files in newly created directories are detected in real-time.
- Instead of monitoring /var/ossec/etc/shared/*/agent.conf, monitor the parent directory /var/ossec/etc/shared/ with real-time changes enabled. This will ensure that any changes within this directory structure, including new subdirectories and new agent.conf files, are detected in real-time.
or
- Use recursive monitoring to ensure that changes in subdirectories are also picked up.
Here’s how you can modify your ossec.conf:
<directories realtime="yes" report_changes="yes" recursion_level="3">/var/ossec/etc/shared/</directories>
You can find more information here on how to achieve this.
I hope this helps
wazuh
May 28, 2024, 7:23:02 AM5/28/24
to Wazuh | Mailing List
Thanks, with this configuration (
<directories realtime="yes" report_changes="yes" recursion_level="3">/var/ossec/etc/shared/</directories> ) it worked perfectly.
Jeremiah Kolawole
May 28, 2024, 7:49:51 AM5/28/24
to wazuh, Wazuh | Mailing List
Hello,
Thank you for your feedback.
I'm glad to learn the issue has now been resolved.
Regards
> --
> You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/83f06646-42a9-4b31-acb1-91c1099c91c5n%40googlegroups.com.
Thank you for your feedback.
I'm glad to learn the issue has now been resolved.
Regards
> You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/83f06646-42a9-4b31-acb1-91c1099c91c5n%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages