About Reformating Syscheck Fields


하프사

Sep 9, 2025, 10:37:43 AM
to Wazuh | Mailing List
Hello community, 

I would like to reformat the field syscheck.win_perm_after.allowed/name so that, for each user or group, their roles/permissions are displayed in separate fields. Is there any method or recommended approach to achieve this?  


I noticed that the allowed permissions for this user are duplicated in the syscheck.win_perm_after.allowed field. Could you please explain why this happens and if there is a way to prevent it?

"win_perm_after": [
  {
    "allowed": [
      "READ_CONTROL", "SYNCHRONIZE", "READ_DATA", "READ_EA", "READ_ATTRIBUTES",
      [ "DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER", "SYNCHRONIZE", "READ_DATA", "WRITE_DATA", "APPEND_DATA", "READ_EA", "WRITE_EA", "EXECUTE", "READ_ATTRIBUTES", "WRITE_ATTRIBUTES" ],
      [ "DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER", "SYNCHRONIZE", "READ_DATA", "WRITE_DATA", "APPEND_DATA", "READ_EA", "WRITE_EA", "EXECUTE", "READ_ATTRIBUTES", "WRITE_ATTRIBUTES" ],
      [ "DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER", "SYNCHRONIZE", "READ_DATA", "WRITE_DATA", "APPEND_DATA", "READ_EA", "WRITE_EA", "EXECUTE", "READ_ATTRIBUTES", "WRITE_ATTRIBUTES" ]
    ],
    "name": "user-test"
  },

Thank you in advance.
Capture d’écran 2025-09-09 145118.png

Federico Rodriguez

Sep 10, 2025, 7:08:44 AM
to Wazuh | Mailing List
Hi!
I'm looking into this; I'll be back soon. Can you give an example of what you would like to achieve in a JSON-formatted alert?

Federico Rodriguez

Sep 10, 2025, 1:24:12 PM
to Wazuh | Mailing List
I spoke to my teammates and we believe there could be a potential bug in how the alert registers the user permissions.
We will dive into this, but I would like to ask you about:
- The Wazuh version you are using.
- A full alert of permission modification in JSON format.

Example:

Screenshot from 2025-09-10 19-13-38.png

Also, please enable debug mode on the agent by modifying the /var/ossec/etc/local_internal_options.conf file on the agent and setting agent.debug to 2.
Restart the agent and generate an alert again.
Once a FIM alert has been generated, please share the logs found in the ossec.log file.

Please remember to turn this back to 0 after generating the logs, as the debug mode may generate lots of logs.

하프사

Sep 12, 2025, 8:16:19 AM
to Wazuh | Mailing List
Hello Federico,
Thank you for your reply.
  • Our Wazuh version: 4.12.0
  • And this is a full permission alert:
{
  "_index": "wazuh-alerts-4.x-2025.09.11",
  "_id": "Tv4_OJkB5DJa8l8gq1Vy",
  "_score": null,
  "_source": {
    "syscheck": {
      "uname_after": "Administrators",
      "mtime_after": "2025-09-11T10:04:08",
      "size_after": "18",
      "win_perm_after": [
        {
          "allowed": [
            "DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER", "SYNCHRONIZE", "READ_DATA", "WRITE_DATA", "APPEND_DATA", "READ_EA", "WRITE_EA", "EXECUTE", "READ_ATTRIBUTES", "WRITE_ATTRIBUTES",
            [ "DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER", "SYNCHRONIZE", "READ_DATA", "WRITE_DATA", "APPEND_DATA", "READ_EA", "WRITE_EA", "EXECUTE", "READ_ATTRIBUTES", "WRITE_ATTRIBUTES" ],
            [ "DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER", "SYNCHRONIZE", "READ_DATA", "WRITE_DATA", "APPEND_DATA", "READ_EA", "WRITE_EA", "EXECUTE", "READ_ATTRIBUTES", "WRITE_ATTRIBUTES" ]
          ],
          "name": "SYSTEM"
        },
        {
          "allowed": [ "DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER", "SYNCHRONIZE", "READ_DATA", "WRITE_DATA", "APPEND_DATA", "READ_EA", "WRITE_EA", "EXECUTE", "READ_ATTRIBUTES", "WRITE_ATTRIBUTES" ],
          "name": "Administrators"
        },
        {
          "allowed": [ "DELETE", "READ_CONTROL", "WRITE_DAC", "WRITE_OWNER", "SYNCHRONIZE", "READ_DATA", "WRITE_DATA", "APPEND_DATA", "READ_EA", "WRITE_EA", "EXECUTE", "READ_ATTRIBUTES", "WRITE_ATTRIBUTES" ],
          "name": "Administrator"
        }
      ],
      "mode": "whodata",
      "path": "c:\\users\\administrator\\desktop\\test.txt",
      "sha1_after": "2d4197a35c57a41ebed52a0edd5773f2b8f300f2",
      "audit": {
        "process": { "name": "C:\\Windows\\explorer.exe", "id": "6136" },
        "user": { "name": "Administrator", "id": "S-1-5-21-47912114-2391029712-7688282-500" }
      },
      "attrs_after": [ "ARCHIVE" ],
      "uid_after": "S-1-5-32-544",
      "event": "deleted",
      "md5_after": "3ae51f459ec69d492692c56c797df027",
      "sha256_after": "3797af368df7d41082fea13b729815aaaa4c8da7ca9b134cdf39f95db7ff9273"
    },
    "input": { "type": "log" },
    "agent": { .............. },
    "location": "syscheck",
    "decoder": { "name": "syscheck_deleted" },
    "id": "1757585319.112128",
    "full_log": "File 'c:\\users\\administrator\\desktop\\test.txt' deleted\nMode: whodata\n",
    "timestamp": "2025-09-11T10:08:39.060+0000"
  },
  "fields": {
    "syscheck.mtime_after": [ "2025-09-11T10:04:08.000Z" ],
    "timestamp": [ "2025-09-11T10:08:39.060Z" ]
  },
  "sort": [ 1757585319060 ]
}
  • The alerts generated during the debugging-mode stage:

2025/09/11 03:08:37 wazuh-agent[1412] receiver.c:96 at receive_msg(): DEBUG: Received message: '#!-agent ack '
2025/09/11 03:08:38 wazuh-agent[1412] win_whodata.c:832 at whodata_callback(): DEBUG: (6298): Removed folder event received for 'c:\users\administrator\desktop\test.txt'
2025/09/11 03:08:38 wazuh-agent[1412] win_whodata.c:940 at whodata_callback(): DEBUG: (6244): New files have been detected in the 'c:\users\administrator\desktop' directory and will be scanned.
2025/09/11 03:08:38 wazuh-agent[1412] win_whodata.c:411 at set_privilege(): DEBUG: (6268): The 'SeSecurityPrivilege' privilege has been added.
2025/09/11 03:08:38 wazuh-agent[1412] win_whodata.c:413 at set_privilege(): DEBUG: (6269): The 'SeSecurityPrivilege' privilege has been removed.
2025/09/11 03:08:38 wazuh-agent[1412] win_whodata.c:411 at set_privilege(): DEBUG: (6268): The 'SeSecurityPrivilege' privilege has been added.
2025/09/11 03:08:38 wazuh-agent[1412] win_whodata.c:413 at set_privilege(): DEBUG: (6269): The 'SeSecurityPrivilege' privilege has been removed.
2025/09/11 03:08:38 wazuh-agent[1412] win_whodata.c:411 at set_privilege(): DEBUG: (6268): The 'SeSecurityPrivilege' privilege has been added.
2025/09/11 03:08:38 wazuh-agent[1412] win_whodata.c:413 at set_privilege(): DEBUG: (6269): The 'SeSecurityPrivilege' privilege has been removed.
2025/09/11 03:08:38 wazuh-agent[1412] win_whodata.c:411 at set_privilege(): DEBUG: (6268): The 'SeSecurityPrivilege' privilege has been added.
2025/09/11 03:08:38 wazuh-agent[1412] win_whodata.c:413 at set_privilege(): DEBUG: (6269): The 'SeSecurityPrivilege' privilege has been removed.
2025/09/11 03:08:38 wazuh-agent[1412] win_whodata.c:411 at set_privilege(): DEBUG: (6268): The 'SeSecurityPrivilege' privilege has been added.
2025/09/11 03:08:38 wazuh-agent[1412] win_whodata.c:413 at set_privilege(): DEBUG: (6269): The 'SeSecurityPrivilege' privilege has been removed.
2025/09/11 03:08:38 wazuh-agent[1412] win_whodata.c:411 at set_privilege(): DEBUG: (6268): The 'SeSecurityPrivilege' privilege has been added.
2025/09/11 03:08:38 wazuh-agent[1412] win_whodata.c:413 at set_privilege(): DEBUG: (6269): The 'SeSecurityPrivilege' privilege has been removed.
2025/09/11 03:08:38 wazuh-agent[1412] win_whodata.c:411 at set_privilege(): DEBUG: (6268): The 'SeSecurityPrivilege' privilege has been added.
2025/09/11 03:08:38 wazuh-agent[1412] win_whodata.c:413 at set_privilege(): DEBUG: (6269): The 'SeSecurityPrivilege' privilege has been removed.
2025/09/11 03:08:38 wazuh-agent[1412] win_whodata.c:411 at set_privilege(): DEBUG: (6268): The 'SeSecurityPrivilege' privilege has been added.
2025/09/11 03:08:38 wazuh-agent[1412] win_whodata.c:413 at set_privilege(): DEBUG: (6269): The 'SeSecurityPrivilege' privilege has been removed.
2025/09/11 03:08:38 wazuh-agent[1412] run_check.c:125 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"data":{"attributes":{"attributes":"ARCHIVE","checksum":"f3c7d354778a0f30b15d3f51d6bfa37128f4bb87","hash_md5":"3ae51f459ec69d492692c56c797df027","hash_sha1":"2d4197a35c57a41ebed52a0edd5773f2b8f300f2","hash_sha256":"3797af368df7d41082fea13b729815aaaa4c8da7ca9b134cdf39f95db7ff9273","inode":0,"mtime":1757585048,"perm":{"S-1-5-18":{"name":"SYSTEM","allowed":["delete","read_control","write_dac","write_owner","synchronize","read_data","write_data","append_data","read_ea","write_ea","execute","read_attributes","write_attributes"]},"S-1-5-32-544":{"name":"Administrators","allowed":["delete","read_control","write_dac","write_owner","synchronize","read_data","write_data","append_data","read_ea","write_ea","execute","read_attributes","write_attributes"]},"S-1-5-21-47912114-2391029712-7688282-500":{"name":"Administrator","allowed":["delete","read_control","write_dac","write_owner","synchronize","read_data","write_data","append_data","read_ea","write_ea","execute","read_attributes","write_attributes"]}},"size":18,"type":"file","uid":"S-1-5-32-544","user_name":"Administrators"},"mode":"whodata","path":"c:\\users\\administrator\\desktop\\test_fim.txt","timestamp":1757585318,"type":"added","version":"2.0","audit":{"user_id":"S-1-5-21-47912114-2391029712-7688282-500","user_name":"Administrator","process_name":"C:\\Windows\\explorer.exe","process_id":6136}},"type":"event"}
2025/09/11 03:08:38 wazuh-agent[1412] run_check.c:125 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"c:\\users\\administrator\\desktop\\test.txt","version":2,"mode":"whodata","type":"deleted","timestamp":1757585292,"attributes":{"type":"file","size":18,"perm":{"S-1-5-18":{"name":"SYSTEM","allowed":["delete","read_control","write_dac","write_owner","synchronize","read_data","write_data","append_data","read_ea","write_ea","execute","read_attributes","write_attributes"]},"S-1-5-32-544":{"name":"Administrators","allowed":["delete","read_control","write_dac","write_owner","synchronize","read_data","write_data","append_data","read_ea","write_ea","execute","read_attributes","write_attributes"]},"S-1-5-21-47912114-2391029712-7688282-500":{"name":"Administrator","allowed":["delete","read_control","write_dac","write_owner","synchronize","read_data","write_data","append_data","read_ea","write_ea","execute","read_attributes","write_attributes"]}},"uid":"S-1-5-32-544","user_name":"Administrators","inode":0,"mtime":1757585048,"hash_md5":"3ae51f459ec69d492692c56c797df027","hash_sha1":"2d4197a35c57a41ebed52a0edd5773f2b8f300f2","hash_sha256":"3797af368df7d41082fea13b729815aaaa4c8da7ca9b134cdf39f95db7ff9273","attributes":"ARCHIVE","checksum":"f3c7d354778a0f30b15d3f51d6bfa37128f4bb87"},"audit":{"user_id":"S-1-5-21-47912114-2391029712-7688282-500","user_name":"Administrator","process_name":"C:\\Windows\\explorer.exe","process_id":6136}}}
2025/09/11 03:08:39 wazuh-agent[1412] fim_diff_changes.c:603 at fim_diff_delete_compress_folder(): DEBUG: (6358): Folder 'queue/diff/file/396c9bb0b9d7fb3ce1f7ce19f5c489b6e589344c' has been deleted.
2025/09/11 03:08:42 wazuh-agent[1412] state.c:78 at write_state(): DEBUG: Updating state file.
2025/09/11 03:08:47 wazuh-agent[1412] state.c:78 at write_state(): DEBUG: Updating state file.
2025/09/11 03:08:47 wazuh-agent[1412] notify.c:129 at run_notify(): DEBUG: Sending agent notification.
2025/09/11 03:08:47 wazuh-agent[1412] notify.c:198 at run_notify(): DEBUG: Sending keep alive: #!-Microsoft Windows Server 2022 Standard Evaluation [Ver: 10.0.20348.4052] - Wazuh v4.12.0 / 94d68163f7db46f33150711225c5b33a
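
The two things asked for in this thread, one field per user or group and a way to deal with the nested, repeated "allowed" lists, can both be done with a small post-processing step over the alert document. The script below is an added example, not Wazuh code and not part of this thread: it takes a win_perm_after block shaped like the alert above (with a deliberately nested "allowed" list for SYSTEM), flattens and de-duplicates each principal's permissions, emits one dotted field per principal, and counts how much duplication each block carried so the bug can be spotted in stored alerts. It also splits the agent-side "perm" map from the "Sending FIM event" debug line, which is keyed by SID and not nested. The field layout produced by to_flat_fields (for example syscheck.win_perm_after.SYSTEM.allowed) and the sample data are assumptions of the example, not existing Wazuh fields.

```python
"""Added example (not Wazuh code): split a syscheck.win_perm_after block into
per-principal permission fields, flattening the nested/duplicated "allowed"
lists seen in the thread. The field names produced by to_flat_fields() are an
assumed layout, not an existing Wazuh field."""
import json
from typing import Any, Dict, Iterable, List

# Constructed sample, shaped like the alert fragment in the thread: the first
# principal's "allowed" carries nested lists that repeat the same permissions.
SAMPLE_WIN_PERM_AFTER: List[Dict[str, Any]] = [
    {
        "allowed": [
            "DELETE", "READ_CONTROL", "SYNCHRONIZE",
            ["DELETE", "READ_CONTROL", "WRITE_DAC", "SYNCHRONIZE"],
            ["DELETE", "READ_CONTROL", "WRITE_DAC", "SYNCHRONIZE"],
        ],
        "name": "SYSTEM",
    },
    {"allowed": ["READ_CONTROL", "SYNCHRONIZE", "READ_DATA"], "name": "Administrators"},
]

# Constructed sample of the agent-side "perm" map from the "Sending FIM event"
# debug line: keyed by SID, lower-case permission names, no nesting.
SAMPLE_AGENT_PERM: Dict[str, Dict[str, Any]] = {
    "S-1-5-18": {"name": "SYSTEM", "allowed": ["delete", "read_control", "synchronize"]},
    "S-1-5-32-544": {"name": "Administrators", "allowed": ["read_control", "synchronize", "read_data"]},
}


def _flatten(items: Iterable[Any]) -> Iterable[str]:
    """Yield leaf strings from an arbitrarily nested list."""
    for item in items:
        if isinstance(item, list):
            yield from _flatten(item)
        else:
            yield str(item)


def normalize_allowed(allowed: Iterable[Any]) -> List[str]:
    """Flatten, upper-case and de-duplicate a permission list, keeping first-seen order."""
    seen = set()
    out: List[str] = []
    for perm in _flatten(allowed):
        perm = perm.upper()
        if perm not in seen:
            seen.add(perm)
            out.append(perm)
    return out


def split_alert_permissions(win_perm_after: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Map each principal name in an alert's win_perm_after to its normalized permissions."""
    return {
        entry.get("name", "unknown"): normalize_allowed(entry.get("allowed", []))
        for entry in win_perm_after
    }


def split_agent_permissions(perm: Dict[str, Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Same split for the agent-side map, keeping the SID as the stable key."""
    return {
        sid: {"name": info.get("name"), "allowed": normalize_allowed(info.get("allowed", []))}
        for sid, info in perm.items()
    }


def to_flat_fields(per_principal: Dict[str, List[str]], prefix: str = "syscheck.win_perm_after") -> Dict[str, str]:
    """Render one dotted field per principal (assumed layout, e.g. syscheck.win_perm_after.SYSTEM.allowed)."""
    fields: Dict[str, str] = {}
    for name, perms in per_principal.items():
        key = name.replace(" ", "_").replace(".", "_")
        fields[f"{prefix}.{key}.allowed"] = ",".join(perms)
    return fields


def duplicates_report(win_perm_after: List[Dict[str, Any]]) -> Dict[str, Dict[str, int]]:
    """Per principal: how many nested lists, raw entries and unique permissions the block carried."""
    report: Dict[str, Dict[str, int]] = {}
    for entry in win_perm_after:
        allowed = entry.get("allowed", [])
        raw = list(_flatten(allowed))
        report[entry.get("name", "unknown")] = {
            "nested_lists": sum(1 for x in allowed if isinstance(x, list)),
            "raw_count": len(raw),
            "unique_count": len({p.upper() for p in raw}),
        }
    return report


if __name__ == "__main__":
    print(json.dumps(to_flat_fields(split_alert_permissions(SAMPLE_WIN_PERM_AFTER)), indent=2))
    print(json.dumps(duplicates_report(SAMPLE_WIN_PERM_AFTER), indent=2))
    print(json.dumps(split_agent_permissions(SAMPLE_AGENT_PERM), indent=2))
```

Keying the agent-side split by SID rather than by display name is deliberate: names such as "Administrator" and "Administrators" differ by one letter and can be renamed, while the SID stays stable across alerts, so it is the safer key for any rule or dashboard built on these fields. The duplicates_report output is a cheap way to check stored alerts for the nesting this thread reports without waiting for a fixed agent.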


Federico Rodriguez

Sep 12, 2025, 12:21:17 PM
to Wazuh | Mailing List
Thanks a lot for sharing the information. I'll share it with my colleagues and be back as soon as I have news.

Federico Rodriguez

Sep 16, 2025, 7:30:04 AM
to Wazuh | Mailing List
I created an issue to fix the duplicate entries. You can track the process here:
https://github.com/wazuh/wazuh/issues/31983

Thank you for reporting this.