File integrity monitoring


Dai Nguyen
Oct 6, 2023, 11:10:43 PM
to Wazuh | Mailing List
I have configured monitoring of this folder (D:\workspace) in my ossec.conf file:

[image attachment: photo_2023-10-07_09-19-50.jpg]
After restarting the Wazuh agent, I created a new file, deleted a file, or modified a file in this folder, but no alert appears on the server.
Here is my ossec.log file:
[image attachment: loggg13.jpg]
I am using the latest agent and manager versions of Wazuh from GitHub.
My OS is Windows 10 Pro.
So, why don't alerts appear on the server?
What is the limit on the number of files that Wazuh can monitor?
Do I need to wait for FIM to scan all the folders that I'm monitoring before adding, editing or deleting files will generate an alert?
My English is not good, so let me know if you don't understand what I mean.
Thank you!!

Le Sok
Oct 6, 2023, 11:28:13 PM
to Dai Nguyen, Wazuh | Mailing List
You need to set it as real-time like this:
<directories realtime="yes" report_changes="yes" check_all="yes">C:\(your directory you want to alert)</directories>


Olusegun Adenrele Oyebo
Oct 7, 2023, 9:39:01 AM
to Wazuh | Mailing List
Hello Dai,

Thank you for using Wazuh.

By default, Wazuh runs scans once every 12 hours, which is equivalent to 43,200 seconds, but since you have real-time monitoring enabled, you should see alerts at the time any change is made in the monitored folder. Wazuh does not have any limit on the number of files it can handle. You can check this link for more information on it.

Have you checked on the dashboard in the "Integrity monitoring" section to see if the events related to modified, added or deleted files are showing there?

Will be expecting your feedback so as to assist you further.

Best regards.
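The reply above turns on two settings that decide when a change is noticed: the scheduled scan interval (`<frequency>`, 43,200 seconds by default) and the per-directory `realtime` attribute. The following added example (not code from Wazuh or from anyone in this thread) parses a constructed `<syscheck>` fragment of ossec.conf and reports, for each monitored path, whether changes are picked up in real time or only on the next scheduled scan. The sample configuration and its paths are assumptions made for the example; the element and attribute names are the ones Wazuh uses.

```python
import xml.etree.ElementTree as ET

# Constructed ossec.conf fragment (assumed values, not taken from the thread's
# screenshots): one scheduled directory and one real-time directory.
SAMPLE_CONF = """
<ossec_config>
  <syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>
    <directories check_all="yes">D:\\workspace</directories>
    <directories realtime="yes" report_changes="yes" check_all="yes">D:\\projects,D:\\builds</directories>
  </syscheck>
</ossec_config>
"""


def syscheck_report(conf_text: str) -> dict:
    """Summarise how each <directories> entry will be monitored.

    ossec.conf may contain several top-level <ossec_config> blocks, which is
    not a single well-formed XML document, so the text is wrapped in a
    synthetic root before parsing.
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")
    # 43200 s (12 h) is Wazuh's default scan frequency when none is set.
    report = {"disabled": False, "frequency": 43200, "directories": []}
    for sc in root.iter("syscheck"):
        disabled = sc.findtext("disabled")
        if disabled is not None:
            report["disabled"] = disabled.strip().lower() == "yes"
        freq = sc.findtext("frequency")
        if freq is not None:
            report["frequency"] = int(freq.strip())
        for d in sc.findall("directories"):
            attrs = d.attrib
            realtime = attrs.get("realtime", "no").lower() == "yes"
            # One <directories> element may list several comma-separated paths.
            for path in (d.text or "").split(","):
                path = path.strip()
                if not path:
                    continue
                report["directories"].append({
                    "path": path,
                    "mode": "realtime" if realtime else "scheduled",
                    "report_changes": attrs.get("report_changes", "no").lower() == "yes",
                    "check_all": attrs.get("check_all", "no").lower() == "yes",
                })
    return report


def explain(report: dict) -> list:
    """One human-readable line per directory: when a change would be noticed."""
    lines = []
    for d in report["directories"]:
        if report["disabled"]:
            lines.append(f"{d['path']}: syscheck disabled, nothing reported")
        elif d["mode"] == "realtime":
            lines.append(f"{d['path']}: real-time, changes reported as they happen (after the first scan)")
        else:
            hours = report["frequency"] / 3600
            lines.append(f"{d['path']}: scheduled, changes reported on the next scan (every {hours:g} h)")
    return lines


if __name__ == "__main__":
    for line in explain(syscheck_report(SAMPLE_CONF)):
        print(line)
```

Run it against the `<syscheck>` block of your own ossec.conf to confirm that the folder you are testing actually carries `realtime="yes"`; a directory without it only produces alerts after the next scheduled scan.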

Dai Nguyen
Oct 8, 2023, 3:31:24 AM
to Wazuh | Mailing List
Hi,
I checked in /var/ossec/log/alerts/alerts.json and I don't see anything in this file. After a while, adding, editing, and deleting new files creates alerts.
So, do I need to wait for FIM to scan all the folders that I'm monitoring before adding, editing or deleting files will generate an alert?
Thank you!
On Saturday, October 7, 2023 at 20:39:01 UTC+7, Olusegun Adenrele Oyebo wrote:

Le Sok
Oct 8, 2023, 3:33:22 AM
to Dai Nguyen, Wazuh | Mailing List
Hello,
So you are also using Wazuh.
Could I have your Zalo so we can chat?

Olusegun Adenrele Oyebo
Oct 8, 2023, 9:40:12 AM
to Wazuh | Mailing List
Hello Dai,

Thanks for reaching out again.

The FIM module stores the files' checksums and other attributes in a local FIM database. Upon a scan, the Wazuh agent reports any changes the FIM module finds in the monitored paths to the Wazuh server. The FIM module looks for file modifications by comparing the checksums of a file to its stored checksums and attribute values, and generates an alert if it finds any discrepancies (reference link). So yes, the FIM module has to run the scan and have the file/folder information before it is able to detect changes in the monitored file/folder.

I hope this provided clarity. Do not hesitate to reach out again if you need any other thing.

Best regards.

Dai Nguyen
Oct 9, 2023, 7:23:30 AM
to Wazuh | Mailing List
Hi, 
I waited a while for the FIM module to scan the entire folder and it works quite well. So, when I perform some action like adding, editing, or deleting files, does FIM rescan the entire monitored folder or only scan the file that has just been changed to update the local FIM database?
Thank you!

On Sunday, October 8, 2023 at 20:40:12 UTC+7, Olusegun Adenrele Oyebo wrote:

Olusegun Adenrele Oyebo
Oct 16, 2023, 8:28:34 AM
to Wazuh | Mailing List
Dear Dai,

Thanks for reaching out.

The Wazuh FIM does not rescan the entire monitored folder when a change is made; instead, it takes note of the exact change that is being made and reports that change accordingly. As mentioned earlier, it compares the change that is being made with its stored checksums, and if there is a discrepancy, an alert will be generated.

I hope this was helpful in answering your question. Do not hesitate to engage us further again if you need any other thing.

Best regards.
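The two answers above describe the mechanism behind the thread: a baseline database of checksums and attributes is built by the first full scan, every later event is a comparison against that database, and a real-time change is checked per file rather than by rescanning the whole tree. The following added example (constructed for this page; not Wazuh's code and not from anyone in the thread) implements that model on a temporary folder with a few constructed files so you can see why a change made before the baseline exists cannot be reported as a modification, and what a full rescan versus a single-file real-time update each produce.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed illustration (not Wazuh code): a minimal FIM-style baseline
# database of checksums and attributes, plus the comparison step that turns
# a rescan, or a single real-time notification, into add/modify/delete events.


def file_entry(path: Path) -> dict:
    """Checksum and attributes stored for one file, like a FIM database row."""
    data = path.read_bytes()
    st = path.stat()
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": st.st_size,
        "mtime": int(st.st_mtime),
    }


def scan(root: str) -> dict:
    """Full scan: walk the monitored folder and record every regular file."""
    db = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            db[str(p.relative_to(root))] = file_entry(p)
    return db


def compare(old_db: dict, new_db: dict) -> list:
    """Compare a rescan against the stored database; one event per discrepancy."""
    events = []
    for rel in sorted(set(old_db) | set(new_db)):
        if rel not in old_db:
            events.append(("added", rel))
        elif rel not in new_db:
            events.append(("deleted", rel))
        elif old_db[rel]["sha256"] != new_db[rel]["sha256"]:
            events.append(("modified", rel))
    return events


def update_one(db: dict, root: str, rel: str) -> list:
    """Real-time style update: re-check only the changed path, not the whole tree."""
    p = Path(root) / rel
    old = db.get(rel)
    if not p.exists():
        if old is None:
            return []
        del db[rel]
        return [("deleted", rel)]
    new = file_entry(p)
    db[rel] = new
    if old is None:
        return [("added", rel)]
    return [("modified", rel)] if old["sha256"] != new["sha256"] else []


def demo() -> dict:
    """Build a baseline, make changes, and show what each mode reports."""
    root = tempfile.mkdtemp(prefix="fim_demo_")
    Path(root, "a.txt").write_text("hello")
    Path(root, "b.txt").write_text("world")

    # Changes made before any baseline exists: there is nothing to compare
    # against, so no modification can be reported (the situation in the thread).
    Path(root, "a.txt").write_text("changed early")
    no_baseline = compare({}, scan(root))   # everything merely looks "added"

    baseline = scan(root)                   # the first full scan completes here
    Path(root, "a.txt").write_text("changed after baseline")
    Path(root, "c.txt").write_text("new file")
    Path(root, "b.txt").unlink()
    full_rescan = compare(baseline, scan(root))

    # Per-file update, as after a real-time notification for one path.
    db = dict(baseline)
    realtime = update_one(db, root, "a.txt")
    return {"no_baseline": no_baseline, "full_rescan": full_rescan, "realtime": realtime}


if __name__ == "__main__":
    for mode, events in demo().items():
        print(mode, events)
```

The `no_baseline` result is the key point for the original question: until the first scan has populated the database, every file is simply "new" and an edit leaves no discrepancy to alert on.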
