FIM Ignore configuration


Axel Tunning

Oct 23, 2023, 1:25:03 PM
to Wazuh | Mailing List
Hello everyone,
I need help with the ignore configuration in the Wazuh FIM; currently we have the following configuration:
<ignore type="sregex">.log$|.tmp$|~\$.*</ignore>
It turns out that the directories we monitor with the FIM contain Excel files (.xlsx), which, when edited, create a temporary file called ~$archive_name.xlsx, with the symbols ~$ at the beginning.
As you can see in the configuration of our ignore we have the exclusion, but since it is sregex and not regex we believe that it does not work.
The ideal would be to be able to ignore those temporary files since they create 3 extra logs.

Gabriel Emanuel Valenzuela

Oct 23, 2023, 1:45:25 PM
to Wazuh | Mailing List
Hi Axel! How are you?

I agree with you that the error could be the "sregex" because it's a simple regex and not a "sregex" (substring regex) that can match within file names.
To achieve your goal of ignoring these temporary files, you can modify your configuration as follows:

<ignore type="sregex">.log$|.tmp$|\~\$\w+\.xlsx</ignore>

This updated configuration should work for your specific use case, as it will match any file that starts with "~$" and ends with ".xlsx". Be sure to restart the Wazuh manager and agents or reload the configuration for the changes to take effect.

If you have any further questions or need additional assistance with your Wazuh configuration, please feel free to ask.

Nice day! =)

Axel Tunning

Oct 23, 2023, 3:16:11 PM
to Wazuh | Mailing List
Thanks for the reply Gabriel,
It still doesn't work despite setting that configuration,
This is the testing flow:
1. An Excel file is created
2. The name is changed
3. Edit so that the temporary file is generated
4. Close it so that the temporary file is deleted
[Screenshot attached: Captura de pantalla 2023-10-23 161425.png]

Gabriel Emanuel Valenzuela

Oct 23, 2023, 3:34:14 PM
to Wazuh | Mailing List
Hi Axel, my pleasure. Let me do a little research and I'll get back to you as soon as I can =)

Gabriel Emanuel Valenzuela

Oct 24, 2023, 8:17:47 AM
to Wazuh | Mailing List
Hi Axel! How are you?

I talked with some co-workers, and among the options that came to mind, one would be to use an ignore like this:

<ignore type="sregex">~</ignore>

However, this would cover more cases than you probably want. The issue is that you can't add more complexity to it.

Another option is to try to silence unwanted alerts through rules. If you create child rules for the events generated by syscheck, you could use a more useful regex and set their level to 0.


If you have any further questions or need additional assistance with your Wazuh configuration, please feel free to ask.

Nice day! =)
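The rules-based approach from the last reply, written out as an added example; this is not code from the thread or from Wazuh's shipped rule set. It assumes the FIM events reach the manager through the default syscheck rules 550 (checksum changed), 553 (file deleted) and 554 (file added), that the decoded path field is named `file`, that the manager's rule engine accepts `type="pcre2"` on `<field>`, and that the monitored paths are Windows-style. Rule id 100100 is an arbitrary custom id. It goes in /var/ossec/etc/rules/local_rules.xml on the manager.

```xml
<!-- Added example, not part of the original thread or of Wazuh's default rules.
     Silences FIM alerts for Excel lock/temp files (~$name.xlsx) by matching
     the full path at rule level, which the sregex ignore could not express.
     Assumptions: custom rule id 100100 (custom ids start at 100000),
     field name "file", and pcre2 support on <field> in the Wazuh version in use. -->
<group name="syscheck,local,">
  <rule id="100100" level="0">
    <!-- Child of the base syscheck rules: 550 changed, 553 deleted, 554 added -->
    <if_sid>550,553,554</if_sid>
    <!-- Last path component starts with ~$ and ends in .xlsx, case-insensitive,
         with either path separator, e.g. C:\Shares\Finance\~$budget_2023.xlsx.
         A normal archive_name.xlsx does not match and still alerts. -->
    <field name="file" type="pcre2">(?i)[\\/]~\$[^\\/]+\.xlsx$</field>
    <description>FIM: Excel temporary lock file (~$*.xlsx) ignored, level 0, no alert</description>
  </rule>
</group>
```

After saving the file, restart the manager (e.g. `systemctl restart wazuh-manager`) and check the result with `/var/ossec/bin/wazuh-logtest` by pasting a syscheck event for a `~$` path: it should end at rule 100100 with level 0, while the same event for the real workbook still stops at 550, 553 or 554. Note that this only suppresses the alert; the agent still scans and reports the temporary file, so the three events per edit are still sent to the manager and still appear in the archives if `logall` is enabled.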
