Hello! I’m having a problem with the FIM module.
I’ve configured a Windows directory for a group of agents, but when I view the agent details, the ‘whodata’ field doesn’t show as ‘yes’, and I need this to find out who the user is.
Can you help me?
I can confirm that a local path is being monitored, and that the agents are receiving the configuration.
I am using Wazuh 4.14.x
Are these steps optional or mandatory for Windows Server 2022? https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/advanced-settings.html#manual-configuration-of-the-local-audit-policies-in-windows
For Windows Server 2022 with Wazuh 4.14.x, those audit‑policy steps are effectively mandatory if the agent cannot correctly auto‑configure local audit policies and SACLs for the whodata path.
Wazuh tries to set the required Windows audit settings automatically, but if whodata still does not show as ‘yes’, it usually means the underlying Security Audit Policy is not granting object‑access auditing for that directory.
I’d recommend following the manual configuration of the local audit policies in the Windows section you linked (enable object access auditing and set the SACL on the monitored folder), then restart the Wazuh agent and re‑check the whodata field.
If whodata is still not enabled after that, please share:
Any whodata/audit‑related lines from ossec.log right after the agent restart