FIM - realtime, files


M G

Apr 21, 2026, 10:11:58 AM
to Wazuh | Mailing List
Hi

I would like to enable monitoring of several files (their changes) in real-time mode. Is it possible to do this?  
My current configuration:
<syscheck>
  <directories realtime="yes">^/etc/test1.bak|^/etc/test2|^/usr/lib/.system/</directories>
</syscheck>

If I add <frequency>10</frequency>, it works globally, but I want real-time monitoring of only a few files.

Is it possible to enforce such a configuration? How can it be done?

Regards
Mateusz

Henadence Anyam

Apr 21, 2026, 10:35:26 AM
to Wazuh | Mailing List
Hi M G,

You can configure real-time file integrity monitoring for specific files by adding the following configuration within the <syscheck> block of the ossec.conf file:

<directories realtime="yes"><FILEPATH_OF_MONITORED_DIRECTORY></directories>

Replace <FILEPATH_OF_MONITORED_DIRECTORY> with the file path you want to monitor. Use a comma-separated list of paths when specifying multiple paths.

You can also specify multiple directories options when defining multiple paths to monitor.

M G

Apr 22, 2026, 3:01:27 PM
to Wazuh | Mailing List
Hi Henadence Anyam,

Unfortunately, it doesn't work. I'm testing on one file.

<syscheck>
  <directories realtime="yes">^/etc/file.bak</directories>
</syscheck>

If I add <frequency>10</frequency>, it works quite well, but I don't want to scan the whole system that often.

Henadence Anyam

Apr 23, 2026, 1:55:23 PM
to Wazuh | Mailing List
Hi M G,

The directories option in the Wazuh FIM module accepts only literal paths, e.g. /etc, /var/log, and so on.

It does not parse input as regex, so anchors like ^ (which mean "start of string" in regex) are treated as invalid characters rather than pattern operators.

So replace <directories realtime="yes">^/etc/file.bak</directories> with <directories realtime="yes">/etc/file.bak</directories>.

M G

Apr 23, 2026, 4:48:40 PM
to Wazuh | Mailing List
Hello,

In the documentation, I found the following entry:
"To monitor files in real time, configure the FIM module with the realtime attribute of the directories option. The allowed values for the realtime attribute are yes and no, and it only works with directories, not individual files. Real-time change detection is paused during scheduled FIM module scans and reactivates as soon as these scans are complete."

but I do this with "restrict":
<directories realtime="yes" restrict="file.bak">/etc</directories>
This idea looks fine for now :)

Regards
Mateusz

Henadence Anyam

4:21 AM
to Wazuh | Mailing List
Hi M G,

Realtime monitoring applies to both directories and files.

For directories, it monitors all files within the specified directory, including creation, modification, and deletion events. However, it does not detect the creation of the directory itself, as the directory already existed prior to enabling monitoring.

The same principle applies to individual files. Only modification and deletion events are monitored because the file was created before the FIM configuration was applied.

The configuration you applied above monitors the entire /etc directory but limits event detection to the file.bak file.
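An added example, not from this thread or from the Wazuh project: a small Python check for the two problems discussed above (regex characters such as ^ and | inside a <directories> value, which must be a literal path, and the per-file realtime case), plus a helper that emits the parent-directory-plus-restrict form that worked in the thread. The sample fragment is the first configuration posted above; the regex-character set and the absolute-path check are this example's own assumptions.

```python
import os
import xml.etree.ElementTree as ET

# Assumption: characters that act as regex operators but are invalid in a
# literal path for the directories option (the thread's configs used ^ and |).
REGEX_METACHARS = set("^$|*?+()[]{}")

# Constructed sample: the first <syscheck> fragment posted in this thread.
THREAD_CONFIG = """<syscheck>
  <directories realtime="yes">^/etc/test1.bak|^/etc/test2|^/usr/lib/.system/</directories>
</syscheck>"""

def lint_syscheck(fragment):
    """Return a list of findings, one per problem found in <directories> values.

    Multiple paths are expected as a comma-separated list, as the thread states;
    a value joined with | is therefore one path containing a regex character.
    """
    findings = []
    for node in ET.fromstring(fragment).iter("directories"):
        for path in (p.strip() for p in (node.text or "").split(",")):
            if not path:
                continue
            bad = sorted(REGEX_METACHARS & set(path))
            if bad:
                findings.append(f"{path}: contains regex characters {bad}; "
                                "the directories option takes literal paths only")
            if not path.startswith("/"):
                findings.append(f"{path}: not an absolute path")
    return findings

def realtime_file_entry(file_path):
    """Build the per-file realtime entry used in the thread: monitor the
    parent directory in realtime and restrict events to the file name."""
    parent, name = os.path.split(file_path.rstrip("/"))
    return f'<directories realtime="yes" restrict="{name}">{parent}</directories>'

if __name__ == "__main__":
    for finding in lint_syscheck(THREAD_CONFIG):
        print("finding:", finding)
    print("suggested:", realtime_file_entry("/etc/file.bak"))
```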
