Configuration of File Integration Monitoring - Wazuh - Windows Server 2022

DPCVCU

Oct 16, 2023, 7:35:41 AM
to Wazuh | Mailing List
Hi,

I'm trying to configure my server to send logs to Wazuh (logs for added, changed, and deleted files). I put this code in ossec.config but it doesn't work:

<syscheck>
  <directories check_all="yes" whodata="yes" report_changes="yes">\\192.168.1.15\DATOS\*</directories>
</syscheck>

When I go to integrity monitoring, nothing happens when I create files on the server; Wazuh doesn't alert me. Any help, please?

Jose Luis Carreras Marin

Oct 16, 2023, 11:27:35 AM
to Wazuh | Mailing List
Hello DPCVCU

What type of hard drive are you using or what file system do you want to monitor the files through?

FIM has some problems setting up file systems on the network or similar. The directories tag configuration needs a path to the file system itself. Link to the documentation: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#directories
Tell me more in depth about what kind of installation you have and what systems you want to monitor, and I can analyze it more in depth to see the possible options.
It is also a good idea to always check the Wazuh agent log file:
  • Windows: C:\Program Files (x86)\ossec-agent\ossec.log
  • Linux: /var/ossec/logs/ossec.log
You can increase the debug level of these logs to see if they give us some information about the problem:
  • Add the line syscheck.debug=2 to:
    • Windows: C:\Program Files (x86)\ossec-agent\local_internal_options.conf
    • Linux: /var/ossec/etc/local_internal_options.conf

I hope I can help as much as possible.
Best regards
Jose
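
A way to check an ossec.conf for the situation raised in the reply above, as an added example (not part of the thread and not Wazuh code): it lists every `<directories>` entry under `<syscheck>` and marks the ones that are UNC network paths. The sample configuration is constructed from the block in the question plus one extra line, and the function names are illustrative.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the block from the question plus one mixed entry.
SAMPLE_CONF = r"""
<ossec_config>
  <syscheck>
    <directories check_all="yes" whodata="yes" report_changes="yes">\\192.168.1.15\DATOS\*</directories>
    <directories realtime="yes">C:\Data, \\fileserver\share</directories>
  </syscheck>
</ossec_config>
"""

# Matches \\host\share or //host/share at the start of a path.
UNC = re.compile(r"^(\\\\|//)[^\\/]+[\\/]+[^\\/]+")


def syscheck_directories(conf_text):
    """Yield (path, attributes) for each path in <syscheck><directories>."""
    # ossec.conf can contain several <ossec_config> roots, so wrap them
    # in a single element before handing the text to the XML parser.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    for syscheck in root.iter("syscheck"):
        for node in syscheck.iter("directories"):
            # One tag may carry a comma-separated list of paths.
            for path in (node.text or "").split(","):
                if path.strip():
                    yield path.strip(), dict(node.attrib)


def network_paths(conf_text):
    """Return the monitored paths that point at a network share."""
    return [p for p, _ in syscheck_directories(conf_text) if UNC.match(p)]


def report(conf_text):
    """Return one line per monitored path: location, FIM mode, path."""
    lines = []
    for path, attrs in syscheck_directories(conf_text):
        kind = "NETWORK" if UNC.match(path) else "local"
        mode = next((m for m in ("whodata", "realtime")
                     if attrs.get(m) == "yes"), "scheduled")
        lines.append(f"{kind:8} {mode:9} {path}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONF)))
```

To run it against a real agent, read the contents of the agent's ossec.conf and pass the text to `report()`.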
