FIM whodata not working

42 views
Skip to first unread message

Facu Basgall

unread,
Jul 14, 2026, 10:12:55 AM (5 days ago) Jul 14
to Wazuh | Mailing List

Hello! I’m having a problem with the FIM module.

I’ve configured a Windows directory for a group of agents, but when I view the agent details, the ‘whodata’ field doesn’t show as ‘yes’, and I need this to find out who the user is.

Can you help me? 

20260714_110925.jpeg
20260714_110758.jpeg

Ifeanyi Onyia Odike

unread,
Jul 14, 2026, 11:21:58 AM (5 days ago) Jul 14
to Wazuh | Mailing List
Hi Facu,

I performed this configuration in my lab environment, and my whodata is enabled.  
Your agent.conf entry looks correct, so the issue is likely on the Windows/auditing side or with how the config reaches the agents. Please confirm that:

  • The monitored path is a local NTFS path (no mapped drive or UNC share).
  • The affected agents are in this group and have received the updated agent.conf.
  • Windows object access auditing is enabled and applied to that directory so Wazuh can collect who‑data from the Security log.

If all three look good, send back one agent’s effective ossec.conf FIM block plus the relevant ossec.log lines after a restart so we can dig deeper.
Also, share with me what Wazuh version you are using.

Regards,
Untitled 2.png

Facu Basgall

unread,
Jul 14, 2026, 1:49:39 PM (5 days ago) Jul 14
to Wazuh | Mailing List

I can confirm that a local path is being monitored, and that the agents are receiving the configuration.

I am using Wazuh 4.14.x

Are these steps optional or mandatory for Windows Server 2022? https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/advanced-settings.html#manual-configuration-of-the-local-audit-policies-in-windows

Ifeanyi Onyia Odike

unread,
Jul 15, 2026, 5:21:04 AM (4 days ago) Jul 15
to Wazuh | Mailing List

For Windows Server 2022 with Wazuh 4.14.x, those audit‑policy steps are effectively mandatory if the agent cannot correctly auto‑configure local audit policies and SACLs for the whodata path.

Wazuh tries to set the required Windows audit settings automatically, but if whodata still does not show as ‘yes’, it usually means the underlying Security Audit Policy is not granting object‑access auditing for that directory.

I’d recommend following the manual configuration of the local audit policies in the Windows section you linked (enable object access auditing and set the SACL on the monitored folder), then restart the Wazuh agent and re‑check the whodata field.

If whodata is still not enabled after that, please share:

  • Any whodata/audit‑related lines from ossec.log right after the agent restart

Reply all
Reply to author
Forward
0 new messages