FIM Issue


DIWAHAR RAHAWID

Mar 3, 2026, 4:27:17 AM
to Wazuh | Mailing List
Hi Team, 

I have configured real-time monitoring for some folders on the server, but it is not working as expected. I found some errors in the agent log, as given below:

2026/03/03 03:39:11 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/d7fa17e882a7e3e9a0328553065d5615baf57812/last-entry.gz) which returned (32)
2026/03/03 03:39:11 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/d7fa17e882a7e3e9a0328553065d5615baf57812/last-entry.gz' due to [(17)-(File exists)].

Is there any way to rectify this, or does any configuration need to be changed?

Regards
Diwahar

Md. Nazmur Sakib

Mar 3, 2026, 5:37:13 AM
to Wazuh | Mailing List

Hello Diwahar,

We have encountered similar errors in versions prior to 4.14.0 when real-time FIM was configured using agent group configuration.

We have added the fix in 4.14.0. So if you upgrade your agents to 4.14.0 or above, this should resolve the issue. If you decide to upgrade, keep in mind that the agent version should be the same or lower than the manager version.

You can read more about this in this GitHub issue.
https://github.com/wazuh/wazuh/issues/32614

If you have an older version of the agent, you can configure the FIM configuration in the endpoint’s ossec.conf.

Let me know if you need any further information on this.

DIWAHAR RAHAWID

May 7, 2026, 8:07:16 AM
to Wazuh | Mailing List
Hi Nazmur Sakib, 

I have upgraded to the latest version of Wazuh and would like to monitor the entire empty D: drive on the server in real time.

However, when I add any of the following configurations:

<directories realtime="yes">W:\</directories>

or

<directories realtime="yes">W:\*</directories>

or

<directories realtime="yes">W</directories>

the Wazuh agent service fails to start.

Is there a supported way to monitor an entire drive or directory recursively in real time using Wazuh?


regards

Diwahar


Md. Nazmur Sakib

May 7, 2026, 9:49:45 AM
to Wazuh | Mailing List

Follow these steps to configure the FIM for the W drive in real time.
Run PowerShell as an administrator.

Open the ossec.conf with Notepad with this command.

notepad.exe 'C:\Program Files (x86)\ossec-agent\ossec.conf'


Now, add this configuration


<directories realtime="yes">W:\*</directories>

Inside the <syscheck> block.

Save the ossec.conf file with Ctrl+S.

And restart the agent service:

Restart-Service -Name wazuh

Wait for a few seconds and check the agent’s ossec.log with this command.
notepad.exe 'C:\Program Files (x86)\ossec-agent\ossec.log'


If your agent fails to restart, share the ossec.log file with me as a mail attachment.

It is not recommended to monitor lots of files in real-time that are continuously changing. It will result in extra load and resource consumption.

Let me know if this works for you.
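
The steps in the reply above, scripted as an added PowerShell example that is not part of the thread or Wazuh's own tooling: it confirms the W:\* entry sits inside a <syscheck> block before restarting, then prints only the ERROR/CRITICAL lines written to ossec.log after the restart. It assumes ossec.conf parses as XML once its <ossec_config> blocks are wrapped in one root; the function and variable names are illustrative.

```powershell
# Added example. Paths, service name and the W:\* entry are taken from the thread;
# function and variable names are illustrative.
$conf   = 'C:\Program Files (x86)\ossec-agent\ossec.conf'
$log    = 'C:\Program Files (x86)\ossec-agent\ossec.log'
$target = 'W:\*'

function Get-RealtimeDirectories {
    param([string]$ConfigText)
    # ossec.conf can hold several <ossec_config> blocks, so wrap them in one
    # root element before parsing (assumes the file has no XML declaration).
    $doc = [xml]"<root>$ConfigText</root>"
    foreach ($node in $doc.SelectNodes('//syscheck/directories[@realtime="yes"]')) {
        # A single <directories> element may list several comma-separated paths.
        $node.InnerText.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    }
}

try {
    $dirs = @(Get-RealtimeDirectories -ConfigText (Get-Content -LiteralPath $conf -Raw))
} catch {
    throw "ossec.conf is not well-formed XML: $($_.Exception.Message)"
}
if ($dirs -notcontains $target) {
    throw ('No realtime <directories> entry for {0} inside <syscheck>.' -f $target)
}
$root = $target.Substring(0, 3)   # 'W:\'
if (-not (Test-Path -LiteralPath $root)) {
    Write-Warning "$root is not reachable from this session."
}

# Remember where the log ends so only lines written after the restart are shown.
$before = @(Get-Content -LiteralPath $log).Count

try {
    Restart-Service -Name wazuh -ErrorAction Stop
} catch {
    Write-Warning "Restart failed: $($_.Exception.Message)"
}
Start-Sleep -Seconds 15
"Service status: $((Get-Service -Name wazuh).Status)"

$new = @(Get-Content -LiteralPath $log | Select-Object -Skip $before)
$new | Select-String -Pattern 'ERROR|CRITICAL' | ForEach-Object { $_.Line }

# Error 1124 is the rename failure quoted in the first post.
"Rename errors (1124) since restart: $(@($new | Select-String -Pattern '(1124)' -SimpleMatch).Count)"
```

Run it from the elevated PowerShell session used for the manual steps, after saving ossec.conf.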
