Wazuh FIM


Maxim Parpaley

Mar 16, 2023, 5:13:12 AM
to Wazuh mailing list
Hi,

I can detect when I add a .doc or .png file to a directory using FIM.
What file types does Wazuh FIM support?
How can I solve my situation?

Best regards,

Anthony Faruna

Mar 16, 2023, 6:36:23 AM
to Maxim Parpaley, Wazuh mailing list
Hello Maxim

Thank you for using Wazuh.

To answer your question, Wazuh monitors directories for changes to all types of files.

Just to clarify, are you saying you cannot detect .png and .doc files?

Hope to hear from you soon.

Best Regards.



Maxim Parpaley

Mar 16, 2023, 7:17:37 AM
to Wazuh mailing list
Yes, I can't detect those file types: .png, .doc and .docx.
I didn't test all file types, but I tried with .png and .doc; FIM did not detect them and no alert was triggered.

Best Regards,

Anthony Faruna

Mar 16, 2023, 7:27:32 AM
to Maxim Parpaley, Wazuh mailing list
Hello Maxim

Can you please share the FIM configuration you are using?

Best Regards

Maxim Parpaley

Mar 16, 2023, 7:42:26 AM
to Wazuh mailing list

Hi,

This is the configuration in my ossec.conf:

[attachment: Screenshot 2023-03-16 184158.png]

Best Regards,

Anthony Faruna

Mar 16, 2023, 9:04:16 AM
to Maxim Parpaley, Wazuh mailing list
Hello Maxim

I noticed there is an error in your configuration.

From what you have, the line is showing as <directories check all ="yes" whodata="yes" report_changes="yes">; however, it should be <directories check_all="yes" whodata="yes" report_changes="yes">.

Please make the changes, then restart the agent and manager.

I will be expecting your feedback.

Best Regards



Maxim Parpaley

Mar 16, 2023, 12:43:57 PM
to Wazuh mailing list
Hi,

[attachment: Screenshot 2023-03-16 234120.png]

I fixed it but it does not work. I added a new image file to the folder monitored by FIM and no alert was triggered.

[attachment: Screenshot 2023-03-16 234247.png]

[attachment: Screenshot 2023-03-16 234306.png]

Best Regards,

Anthony Faruna

Mar 16, 2023, 7:25:59 PM
to Maxim Parpaley, Wazuh mailing list
Hello Maxim

Can you please try <directories check_all="yes" realtime="yes"> and provide feedback?

Best Regards

Maxim Parpaley

Mar 16, 2023, 9:46:42 PM
to Wazuh mailing list
Hi,

I changed the config file as you recommended, but it still does not work.
I added some image files and doc files; no alert was triggered.

Best Regards,

Anthony Faruna

Mar 17, 2023, 9:35:34 AM
to Maxim Parpaley, Wazuh mailing list
Hello Maxim

My sincere apologies for the delayed response.

I am currently investigating internally why you cannot detect .jpg files on your endpoint.

I will provide feedback once I have further information.

Best Regards

Anthony Faruna

Mar 17, 2023, 12:45:07 PM
to Maxim Parpaley, Wazuh mailing list
Hello Maxim

Thank you for your patience.

To resolve the issue of FIM not detecting jpg files, as you noted, you have to remove it from the list of ignored files in the ossec.conf configuration on the endpoint. The default configuration within the syscheck block is <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

To enable FIM to detect jpg files, edit the configuration to look like <ignore type="sregex">.log$|.htm$|.png$|.chm$|.pnf$|.evtx$</ignore>

As you can see below, after removing jpg, FIM could detect the jpeg image.

[attachment: image.png]

Please let me know if you have any further queries.

Best Regards
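The two things this thread turned on, a `<directories>` block that does not parse because of the `check all` attribute, and the default Windows `<ignore type="sregex">` list silently dropping `.jpg` and `.png` files while leaving `.doc` alone, can both be checked offline before restarting anything. The script below is an added example written for this thread, not Wazuh's own code. The three config fragments and the directory `C:\fim-test` are constructed for the example, the `KNOWN_DIR_ATTRS` set is the list of `<directories>` options documented for Wazuh 4.x (assumption: adjust for other versions), and Wazuh's sregex dialect is approximated with Python's `re` module (`.` any character, `$` end of string, `|` alternation), which is enough for the patterns in the default ignore list but is not a full port of Wazuh's regex engine.

```python
r"""Preflight check for a Wazuh <syscheck> block (added example, not Wazuh code).

1. Does the block parse at all?  'check all' is not a well-formed attribute.
2. Which files under the monitored directory does the <ignore type="sregex">
   list drop?  The default Windows list contains .jpg$ and .png$ but no .doc$.

Assumptions: the config fragments and C:\fim-test are constructed for this
example; sregex is approximated with Python's re module; KNOWN_DIR_ATTRS is
taken from the Wazuh 4.x documentation and may need adjusting per version.
"""
import re
import xml.etree.ElementTree as ET

# Constructed: the block as the thread's screenshot was read ('check all').
BROKEN_CONF = r"""<syscheck>
  <directories check all ="yes" whodata="yes" report_changes="yes">C:\fim-test</directories>
  <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
</syscheck>"""

# Constructed: attribute name fixed, default Windows ignore list untouched.
DEFAULT_IGNORE_CONF = BROKEN_CONF.replace("check all =", "check_all=")

# Constructed: the thread's fix, '.jpg$' removed from the ignore list.
JPG_ALLOWED_CONF = DEFAULT_IGNORE_CONF.replace("|.jpg$", "")

# <directories> attributes documented for Wazuh 4.x (assumption).
KNOWN_DIR_ATTRS = {
    "check_all", "check_sum", "check_sha1sum", "check_md5sum", "check_sha256sum",
    "check_size", "check_owner", "check_group", "check_perm", "check_attrs",
    "check_mtime", "check_inode", "check_device", "realtime", "whodata",
    "report_changes", "restrict", "recursion_level", "follow_symbolic_link",
    "tags", "diff_size_limit",
}


def validate(xml_text):
    """Return a list of problems with the block; an empty list means it looks sane."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # 'check all ="yes"' is not well-formed XML, so the agent never gets
        # as far as reading the monitoring options at all.
        return [f"XML parse error: {exc}"]
    problems = []
    if root.tag != "syscheck":
        problems.append(f"expected <syscheck> root, got <{root.tag}>")
    for node in root.iter("directories"):
        for attr in node.attrib:
            if attr not in KNOWN_DIR_ATTRS:
                problems.append(f"unknown <directories> attribute {attr!r}")
        if node.get("realtime") != "yes" and node.get("whodata") != "yes":
            # Without realtime or whodata a new file only shows up at the next
            # scheduled scan, so "no alert right away" is the expected result.
            problems.append(f"{node.text}: neither realtime nor whodata set; "
                            "changes are reported only at the scheduled scan")
    return problems


def ignore_rules(xml_text):
    """Compile every <ignore> element into a predicate over a full path."""
    rules = []
    for node in ET.fromstring(xml_text).iter("ignore"):
        pattern = (node.text or "").strip()
        if node.get("type") == "sregex":
            rx = re.compile(pattern)  # assumption: re is close enough to sregex here
            rules.append(lambda path, rx=rx: rx.search(path) is not None)
        else:
            # An <ignore> without a type attribute is a literal path, not a pattern.
            rules.append(lambda path, lit=pattern: path == lit)
    return rules


def is_ignored(xml_text, path):
    """True if any <ignore> rule in the block matches the given path."""
    return any(rule(path) for rule in ignore_rules(xml_text))


def classify(xml_text, paths):
    """Map each path to 'ignored' or 'monitored' under the given block."""
    return {p: ("ignored" if is_ignored(xml_text, p) else "monitored") for p in paths}


if __name__ == "__main__":
    samples = [r"C:\fim-test\photo.png", r"C:\fim-test\photo.jpg",
               r"C:\fim-test\report.doc", r"C:\fim-test\report.docx",
               r"C:\fim-test\app.log"]
    print("broken block:", validate(BROKEN_CONF))
    print("fixed block :", validate(DEFAULT_IGNORE_CONF))
    for label, conf in (("default ignore list", DEFAULT_IGNORE_CONF),
                        ("'.jpg$' removed", JPG_ALLOWED_CONF)):
        print(label)
        for path, verdict in classify(conf, samples).items():
            print(f"  {verdict:9} {path}")
```

To use it on a real endpoint, read the `<syscheck>` block out of the agent's ossec.conf (on Windows, under the agent's installation directory) and pass it to `validate` and `classify` with the paths you expect alerts for. Run the same check against any syscheck section in the manager's shared agent.conf as well, since the agent merges that configuration with its local one and an `<ignore>` there applies just the same.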

Maxim Parpaley

Mar 17, 2023, 10:56:04 PM
to Wazuh mailing list
Hi,

Thanks, it works with images but still does not work with .doc files.

Best Regards,

Anthony Faruna

Mar 24, 2023, 7:16:13 AM
to Maxim Parpaley, Wazuh mailing list
Hello Maxim

My sincere apologies for the delayed response.

I tried monitoring a .doc file in my lab and FIM detected it, as shown in the screenshot:

[attachment: image.png]

Can you please let me know which type of .doc file you are trying to monitor that is not working?

Best Regards

Anthony Faruna

Mar 29, 2023, 5:06:32 AM
to Maxim Parpaley, Wazuh mailing list
Hello Maxim

Did you have time to check this out and confirm whether you can monitor .doc files in your environment now?

I will be expecting your feedback.

Best Regards

Anthony Faruna

Mar 30, 2023, 6:15:54 AM
to Maxim Parpaley, Wazuh mailing list
Hello Maxim

Thank you for the feedback.

Can you please send me the syscheck configuration block within your ossec.conf?

Best Regards

On Thu, Mar 30, 2023 at 10:26 AM Maxim Parpaley <demai...@gmail.com> wrote:
Hi,

I installed wazuh-agent on another Windows computer and it works, but on my computer it does not work.
Both computers have the same version of Windows.

Best Regards,