error integrity monitoring


Alessandro Musto

Mar 21, 2022, 6:18:13 AM
to Wazuh mailing list
Hello,

I have configured Wazuh for integrity monitoring, but it does not load the folders I have entered to monitor.
Looking at the ossec.log, I find these errors:

2022/03/21 10:53:29 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2022/03/21 10:53:29 wazuh-agent: INFO: (6036): Analyzing Windows volumes
2022/03/21 10:53:29 wazuh-agent: INFO: (6012): Real-time file integrity monitoring started.
2022/03/21 10:53:29 wazuh-agent: ERROR: (6650): GetNamedSecurityInfo() failed. Error '5'
2022/03/21 10:53:29 wazuh-agent: ERROR: (6619): Unable to add directory to whodata real time monitoring: 'e:\oneteam\amm'. It will be monitored in Realtime
2022/03/21 10:53:29 wazuh-agent: ERROR: (6650): GetNamedSecurityInfo() failed. Error '5'
2022/03/21 10:53:29 wazuh-agent: ERROR: (6619): Unable to add directory to whodata real time monitoring: 'e:\oneteam\bpm'. It will be monitored in Realtime
2022/03/21 10:53:29 wazuh-agent: ERROR: (6650): GetNamedSecurityInfo() failed. Error '5'
2022/03/21 10:53:29 wazuh-agent: ERROR: (6619): Unable to add directory to whodata real time monitoring: 'e:\oneteam\cad'. It will be monitored in Realtime
2022/03/21 10:53:29 wazuh-agent: ERROR: (6650): GetNamedSecurityInfo() failed. Error '5'
2022/03/21 10:53:29 wazuh-agent: ERROR: (6619): Unable to add directory to whodata real time monitoring: 'e:\oneteam\cda'. It will be monitored in Realtime
2022/03/21 10:53:29 wazuh-agent: ERROR: (6650): GetNamedSecurityInfo() failed. Error '5'
2022/03/21 10:53:29 wazuh-agent: ERROR: (6619): Unable to add directory to whodata real time monitoring: 'e:\oneteam\com'. It will be monitored in Realtime
2022/03/21 10:53:29 wazuh-agent: ERROR: (6650): GetNamedSecurityInfo() failed. Error '5'
2022/03/21 10:53:29 wazuh-agent: ERROR: (6619): Unable to add directory to whodata real time monitoring: 'e:\oneteam\gen'. It will be monitored in Realtime
2022/03/21 10:53:29 wazuh-agent: ERROR: (6650): GetNamedSecurityInfo() failed. Error '5'
2022/03/21 10:53:29 wazuh-agent: ERROR: (6619): Unable to add directory to whodata real time monitoring: 'e:\oneteam\gis'. It will be monitored in Realtime
2022/03/21 10:53:29 wazuh-agent: ERROR: (6650): GetNamedSecurityInfo() failed. Error '5'
2022/03/21 10:53:29 wazuh-agent: ERROR: (6619): Unable to add directory to whodata real time monitoring: 'e:\oneteam\gof'. It will be monitored in Realtime
2022/03/21 10:53:29 wazuh-agent: ERROR: (6650): GetNamedSecurityInfo() failed. Error '5'
2022/03/21 10:53:29 wazuh-agent: ERROR: (6619): Unable to add directory to whodata real time monitoring: 'e:\oneteam\mcs'. It will be monitored in Realtime
2022/03/21 10:53:29 wazuh-agent: ERROR: (6650): GetNamedSecurityInfo() failed. Error '5'
2022/03/21 10:53:29 wazuh-agent: ERROR: (6619): Unable to add directory to whodata real time monitoring: 'e:\oneteam\net'. It will be monitored in Realtime
2022/03/21 10:53:29 wazuh-agent: ERROR: (6650): GetNamedSecurityInfo() failed. Error '5'
2022/03/21 10:53:29 wazuh-agent: ERROR: (6619): Unable to add directory to whodata real time monitoring: 'e:\oneteam\svi'. It will be monitored in Realtime
2022/03/21 10:53:29 wazuh-agent: INFO: (6019): File integrity monitoring real-time Whodata engine started.
2022/03/21 10:53:30 wazuh-agent: ERROR: (6611): 'realtime_adddir' failed, the directory 'e:\oneteam\amm' couldn't be added to real time mode.
2022/03/21 10:53:30 wazuh-agent: ERROR: (6611): 'realtime_adddir' failed, the directory 'e:\oneteam\bpm' couldn't be added to real time mode.
2022/03/21 10:53:30 wazuh-agent: ERROR: (6611): 'realtime_adddir' failed, the directory 'e:\oneteam\cad' couldn't be added to real time mode.
2022/03/21 10:53:30 wazuh-agent: ERROR: (6611): 'realtime_adddir' failed, the directory 'e:\oneteam\cda' couldn't be added to real time mode.
2022/03/21 10:53:30 wazuh-agent: ERROR: (6611): 'realtime_adddir' failed, the directory 'e:\oneteam\com' couldn't be added to real time mode.
2022/03/21 10:53:30 wazuh-agent: ERROR: (6611): 'realtime_adddir' failed, the directory 'e:\oneteam\gen' couldn't be added to real time mode.
2022/03/21 10:53:30 wazuh-agent: ERROR: (6611): 'realtime_adddir' failed, the directory 'e:\oneteam\gis' couldn't be added to real time mode.
2022/03/21 10:53:30 wazuh-agent: ERROR: (6611): 'realtime_adddir' failed, the directory 'e:\oneteam\gof' couldn't be added to real time mode.
2022/03/21 10:53:30 wazuh-agent: ERROR: (6611): 'realtime_adddir' failed, the directory 'e:\oneteam\mcs' couldn't be added to real time mode.
2022/03/21 10:53:30 wazuh-agent: ERROR: (6611): 'realtime_adddir' failed, the directory 'e:\oneteam\net' couldn't be added to real time mode.
2022/03/21 10:53:30 wazuh-agent: ERROR: (6611): 'realtime_adddir' failed, the directory 'e:\oneteam\svi' couldn't be added to real time mode.
2022/03/21 10:53:33 wazuh-agent: ERROR: Could not get message for (Application)
2022/03/21 10:54:30 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2022/03/21 10:54:48 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
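As an added triage helper, not part of this thread or of Wazuh itself, the following Python script reads ossec.log lines in the format quoted above, pairs each 6650 "GetNamedSecurityInfo() failed" line with the 6619 directory line that follows it, and flags directories whose realtime fallback (6611) also failed. The sample lines are a constructed excerpt in the same format; Win32 error 5 is ERROR_ACCESS_DENIED.

```python
import re

# Win32 system error codes that appear in the agent's "GetNamedSecurityInfo() failed. Error 'N'" line.
WIN32_ERRORS = {2: "ERROR_FILE_NOT_FOUND", 3: "ERROR_PATH_NOT_FOUND",
                5: "ERROR_ACCESS_DENIED", 1314: "ERROR_PRIVILEGE_NOT_HELD"}

LINE_RE = re.compile(r"^\S+ \S+ wazuh-agent: \w+: \((\d+)\): (.*)$")
WINERR_RE = re.compile(r"Error '(\d+)'")
DIR_RE = re.compile(r"(?:directory|monitoring:) '([^']+)'")  # path quoted in 6619 / 6611 lines

SAMPLE_LOG = [  # constructed excerpt in the format of the ossec.log lines quoted in the thread
    r"2022/03/21 10:53:29 wazuh-agent: INFO: (6012): Real-time file integrity monitoring started.",
    r"2022/03/21 10:53:29 wazuh-agent: ERROR: (6650): GetNamedSecurityInfo() failed. Error '5'",
    r"2022/03/21 10:53:29 wazuh-agent: ERROR: (6619): Unable to add directory to whodata real time monitoring: 'e:\oneteam\amm'. It will be monitored in Realtime",
    r"2022/03/21 10:53:29 wazuh-agent: ERROR: (6650): GetNamedSecurityInfo() failed. Error '5'",
    r"2022/03/21 10:53:29 wazuh-agent: ERROR: (6619): Unable to add directory to whodata real time monitoring: 'e:\oneteam\bpm'. It will be monitored in Realtime",
    r"2022/03/21 10:53:30 wazuh-agent: ERROR: (6611): 'realtime_adddir' failed, the directory 'e:\oneteam\amm' couldn't be added to real time mode.",
]


def triage_fim_log(lines):
    """Return {directory: {"whodata_error": int|None, "whodata_error_name": str,
    "realtime_fallback_failed": bool}} built from syscheck startup errors."""
    report, pending_error = {}, None  # pending_error: code from the last 6650 line, consumed by the next 6619
    for line in lines:
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        code, msg = int(m.group(1)), m.group(2)
        if code == 6650:  # the SACL lookup for the *next* 6619 directory failed with this Win32 code
            e = WINERR_RE.search(msg)
            pending_error = int(e.group(1)) if e else None
        elif code in (6619, 6611):
            directory = DIR_RE.search(msg).group(1).lower()
            entry = report.setdefault(directory, {"whodata_error": None,
                                                  "whodata_error_name": "unknown",
                                                  "realtime_fallback_failed": False})
            if code == 6619:  # whodata registration failed; the agent falls back to plain realtime
                entry["whodata_error"] = pending_error
                entry["whodata_error_name"] = WIN32_ERRORS.get(pending_error, "unknown")
                pending_error = None
            else:  # 6611: the realtime fallback failed too, so only scheduled scans cover this path
                entry["realtime_fallback_failed"] = True
    return report


if __name__ == "__main__":
    for path, info in triage_fim_log(SAMPLE_LOG).items():
        state = "NOT in real time" if info["realtime_fallback_failed"] else "realtime only (no whodata)"
        print(f"{path}: whodata failed with {info['whodata_error_name']} ({info['whodata_error']}); {state}")
```

Run it against a real ossec.log with `triage_fim_log(open(path, encoding="utf-8", errors="replace"))` to get the same per-directory summary.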

Hanes Nahuel Sciarrone

Mar 21, 2022, 9:43:37 AM
to Wazuh mailing list
Hi alessandromusto

I hope you are well, and thank you for using Wazuh and sharing your question with the community. I have seen the log error and found that it is an access-denied error from the Windows API that Wazuh uses when trying to add the directory to the SACL in Windows. I would like to know which directories you want to apply the option to, if you can tell me.

Best regards
Hanes

Alessandro Musto

Mar 21, 2022, 9:55:31 AM
to Wazuh mailing list
Hi Hanes,

Thanks for the reply.
The folders that I have to monitor under Windows are those of the file server.
The folders to be monitored, with their subfolders and files, are:
e:\oneteam\amm
e:\oneteam\bpm
e:\oneteam\cda
e:\oneteam\cad
e:\oneteam\com
e:\oneteam\gen
e:\oneteam\gis
e:\oneteam\gof
e:\oneteam\mcs
e:\oneteam\net
e:\oneteam\svi
e:\oneteam\pln
e:\oneteam\mfg
e:\oneteam\reception
e:\oneteam\dss
e:\oneteam\ot-otc

Maybe you can monitor the whole disk e:\?

thank you

Hanes Nahuel Sciarrone

Mar 21, 2022, 10:23:44 AM
to Wazuh mailing list
Hi alessandromusto

Please can you share the ossec.conf file with me? I want to see the way you wrote the directories in the configuration. If you want to scan the disk e:\ you should write the configuration as:

<directories whodata="yes">E:</directories>

Removing the last backslash is necessary to monitor all directories in the drive letter.

Best regards
Hanes

Hanes Nahuel Sciarrone

Mar 21, 2022, 10:40:54 AM
to Wazuh mailing list
Hi alessandromusto

Another question that I would like to ask is:

  • amm
  • bpm
  • cda
  • cad
  • com
  • gen
  • gis
  • gof
  • mcs
  • net
  • svi
  • pln
  • mfg
  • reception
  • dss
  • ot-otc
Are they directories or files?

Alessandro Musto

Mar 21, 2022, 10:48:12 AM
to Wazuh mailing list
Hi Hanes,

I am attaching the configuration file.

I had already tried to put the whole disk, but I see that it was only going to analyze the folder e:\oneteam\mfg. All other folders were not scanned.
ossec.conf

Alessandro Musto

Mar 21, 2022, 10:48:58 AM
to Wazuh mailing list
Those are folders.

Hanes Nahuel Sciarrone

Mar 21, 2022, 11:12:23 AM
to Wazuh mailing list
Hi alessandromusto

I can see that you are using one \ to separate the subfolders. Can you try to put \\ in the directories? I leave you the example:

<directories recursion_level="20" check_all="yes" realtime="yes" report_changes="yes" whodata="yes">e:\\oneteam\\net</directories>
<directories recursion_level="20" check_all="yes" realtime="yes" report_changes="yes" whodata="yes">e:\\oneteam\\amm</directories>
<directories recursion_level="20" check_all="yes" realtime="yes" report_changes="yes" whodata="yes">e:\\oneteam\\bpm</directories>
<directories recursion_level="20" check_all="yes" realtime="yes" report_changes="yes" whodata="yes">e:\\oneteam\\cad</directories>
<directories recursion_level="20" check_all="yes" realtime="yes" report_changes="yes" whodata="yes">e:\\oneteam\\com</directories>
<directories recursion_level="20" check_all="yes" realtime="yes" report_changes="yes" whodata="yes">e:\\oneteam\\dss</directories>
<directories recursion_level="20" check_all="yes" realtime="yes" report_changes="yes" whodata="yes">e:\\oneteam\\gen</directories>
<directories recursion_level="20" check_all="yes" realtime="yes" report_changes="yes" whodata="yes">e:\\oneteam\\gis</directories>
<directories recursion_level="20" check_all="yes" realtime="yes" report_changes="yes" whodata="yes">e:\\oneteam\\gof</directories>
<directories recursion_level="20" check_all="yes" realtime="yes" report_changes="yes" whodata="yes">e:\\oneteam\\mcs</directories>
<directories recursion_level="20" check_all="yes" realtime="yes" report_changes="yes" whodata="yes">e:\\oneteam\\ot-otc</directories>
<directories recursion_level="20" check_all="yes" realtime="yes" report_changes="yes" whodata="yes">e:\\oneteam\\pln</directories>
<directories recursion_level="20" check_all="yes" realtime="yes" report_changes="yes" whodata="yes">e:\\oneteam\\reception</directories>
<directories recursion_level="20" check_all="yes" realtime="yes" report_changes="yes" whodata="yes">e:\\oneteam\\svi</directories>

The '\' character sometimes brings problems to the parser function. Please try this and let me know if you were able to monitor the folder.

Best regards
Hanes

Alessandro Musto

Mar 21, 2022, 11:21:49 AM
to Wazuh mailing list
Hi Hanes,

I tried, for the moment with only one folder, but I keep getting this error in ossec.log:

2022/03/21 16:18:26 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2022/03/21 16:18:26 wazuh-agent: INFO: (6036): Analyzing Windows volumes
2022/03/21 16:18:26 wazuh-agent: ERROR: (6650): GetNamedSecurityInfo() failed. Error '5'
2022/03/21 16:18:26 wazuh-agent: ERROR: (6619): Unable to add directory to whodata real time monitoring: 'e:\oneteam\net'. It will be monitored in Realtime
2022/03/21 16:18:26 wazuh-agent: ERROR: (6611): 'realtime_adddir' failed, the directory 'e:\oneteam\net' couldn't be added to real time mode.
2022/03/21 16:18:26 wazuh-agent: INFO: (6012): Real-time file integrity monitoring started.
2022/03/21 16:18:27 wazuh-agent: INFO: (6019): File integrity monitoring real-time Whodata engine started.

If I set it to monitor all of e:, it only checks the folder e:\oneteam\mfg.

Hanes Nahuel Sciarrone

Mar 21, 2022, 12:19:04 PM
to Wazuh mailing list
Hi alessandromusto

It is very strange what happens when you try to monitor the whole E: disk. I would like to ask you to put syscheck in debug mode and send me the log. I would also like you to try to monitor the E: disk in debug mode with this configuration:

<directories whodata="yes">E:</directories>

And send me that log as well.

Debug mode is configured by writing the following line in the local_internal_options.conf file:

syscheck.debug=2

Then restart the agent.

Best regards
Hanes

Alessandro Musto

Mar 21, 2022, 12:36:17 PM
to Wazuh mailing list
I monitored with debugging with the configuration you suggested to me.

I am attaching the log.
ossec.log

Hanes Nahuel Sciarrone

Mar 21, 2022, 1:02:40 PM
to Wazuh mailing list
Hi alessandromusto

I would like to know which version of Wazuh you are using?

Best regards
Hanes

Alessandro Musto

Mar 22, 2022, 4:51:51 AM
to Wazuh mailing list
Hi Hanes,

The version of the Wazuh manager is 4.2.5, and also of the Windows agent.

Hanes Nahuel Sciarrone

Mar 22, 2022, 8:41:54 AM
to Wazuh mailing list
Hi alessandromusto

I'm trying to read the debug log but there are a lot of modules enabled. I would like to ask if you can use the first directory configuration you want to monitor and disable the modules except syscheck in the ossec.conf and then put the syscheck in debug mode and restart the agent. Then send me the log, please.
Also, I would like to know if the E: volume is a disk or partition and the format of the volume because syscheck has a problem with the NFS format.

Best regards
Hanes

Alessandro Musto

Mar 22, 2022, 8:58:45 AM
to Wazuh mailing list
Hi Hanes,

I have disabled the unnecessary ones. The disk is formatted in NTFS and the server is a VMware VM. The disk is created dynamically, as we have added disk partitions for lack of space.

I am attaching the logs.
ossec.log

Hanes Nahuel Sciarrone

Mar 22, 2022, 2:16:44 PM
to Wazuh mailing list
Hi alessandromusto

I have seen the log you sent me and everything seems to be fine in Wazuh. In fact, the last log says that some files on the E:/ volume will be ignored because Wazuh has some default rules to ignore certain files. I have talked to some Wazuh colleagues who develop the syscheck module and they told me that some disk formats have problems with permissions, for example NFS. We were looking for a reason for error 5 in the logs and we saw that it is a problem with disk access permissions; we found these particular links


where it explains a bit more in depth the access permissions in Windows with the NTFS format. The problem you have seems not to be from Wazuh. I hope this information is useful and will help you with the disk access permission problem.

Best regards
Hanes

Alessandro Musto

Mar 23, 2022, 4:53:07 AM
to Wazuh mailing list
Hi Hanes,

I solved it by putting the administrator group in security.

thanks for the support

alessandro
