FIM Monitoring
42 views
Skip to first unread message
DIWAHAR RAHAWID
Feb 5, 2026, 5:22:06 AM (7 days ago) Feb 5
to Wazuh | Mailing List
Hi Team,
I have configured FIM to monitor the File in C: Drive but When I configure as given below wazuh agent service is not starting.
<directories realtime="yes" check_all="yes" report_changes="yes">D:\</directories>
Now i want to monitor full multiple Drive like D:\, E:\ ....... it will be more helpful if we have any other option to configure those setting.
Regards
Diwahar
Stuti Gupta
Feb 5, 2026, 6:08:03 AM (7 days ago) Feb 5
to Wazuh | Mailing List
Hi,
Your configuration looks fine. To identify the exact issue and troubleshoot further, please check the agent’s ossec.log file. You can find it here:
C:\Program Files (x86)\ossec-agent\ossec.logMake sure the agent is active and running.
When you review the log, you may see an error saying that the file monitoring limit of 100000 has been reached. This happens because the File Integrity Monitoring (FIM) module can only monitor up to 100000 files by default. If you try to monitor an entire drive, the number of files becomes much higher, which can impact performance.
If this is the case, you need to either extend or disable the file limit using the <file_limit> option:https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#file-limit
<!-- Maximum number of files to be monitored --><file_limit> <enabled>yes</enabled>
<entries>100000</entries>
</file_limit>
Note: The value for <entries> can range from 1 to 2147483647.
If you see an error like: file limit has been reached (200)Then check this file:
C:\Program Files (x86)\ossec-agent\internal_options.conf
Look for:
# Logcollector - Maximum number of files to be monitored [1..100000]
logcollector.max_files=1000
If the value on your system is 200, that is what is limiting the agent.
You can override it by creating or editing:
Add the correct value there, then restart the agent.
If there is no error related to file limits, please share the ossec.log from the Windows agent and the agent version so I can review it.
Also, while monitoring an entire drive is technically possible, it is better to monitor only specific folders instead of watching the whole C: drive in real-time or who-data mode, as this can consume significant resources.
Let me know once you check the log.
DIWAHAR RAHAWID
Feb 6, 2026, 3:16:43 AM (6 days ago) Feb 6
to Wazuh | Mailing List
Hi Stuti,
please find the attached log from the server where i am trying to configure the FIM for D and E drive.
2026/02/04 22:13:31 wazuh-agent: INFO: Using notify time: 20 and max time to reconnect: 60
2026/02/04 22:13:31 wazuh-agent: INFO: Started (pid: 4252).
2026/02/04 22:13:31 wazuh-agent: INFO: Using AES as encryption method.
2026/02/04 22:13:31 wazuh-agent: INFO: Trying to connect to server ([10.103.1.122]:1514/tcp).
2026/02/04 22:13:31 wazuh-agent: INFO: (4102): Connected to the server ([10.103.1.122]:1514/tcp).
2026/02/04 22:13:31 wazuh-agent: WARNING: (6701): Unknown attribute 'checkall' for directory option.
2026/02/04 22:13:31 rootcheck: INFO: Started (pid: 4252).
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 sca: INFO: Module started.
2026/02/04 22:13:31 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2026/02/04 22:13:31 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2026/02/04 22:13:31 wazuh-agent: INFO: Windows version is 6.0 or newer. (Microsoft Windows Server 2022 Standard [Ver: 10.0.20348.4529] - Wazuh v4.14.0).
2026/02/04 22:13:31 sca: INFO: Loaded policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2022.yml'
2026/02/04 22:13:31 sca: INFO: Loaded policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2025.yml'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 sca: INFO: Starting Security Configuration Assessment scan.
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6003): Monitoring path: 'c:\program files (x86)', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | report_changes | whodata'.
2026/02/04 22:13:31 wazuh-agent: INFO: (6003): Monitoring path: 'c:\programdata\microsoft\windows\start menu\programs\startup', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | realtime'.
2026/02/04 22:13:31 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2026/02/04 22:13:31 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2026/02/04 22:13:31 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\drivers\etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2026/02/04 22:13:31 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\wbem', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2026/02/04 22:13:31 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\windowspowershell\v1.0', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2026/02/04 22:13:31 wazuh-agent: INFO: (6206): Ignore 'file' entry 'c:\programdata\microsoft\windows\start menu\programs\startup\desktop.ini'
2026/02/04 22:13:31 wazuh-agent: INFO: (6207): Ignore 'file' sregex '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
2026/02/04 22:13:31 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets'
2026/02/04 22:13:31 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users'
2026/02/04 22:13:31 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs'
2026/02/04 22:13:31 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP'
2026/02/04 22:13:31 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn'
2026/02/04 22:13:31 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut'
2026/02/04 22:13:31 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap'
2026/02/04 22:13:31 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo'
2026/02/04 22:13:31 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache'
2026/02/04 22:13:31 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
2026/02/04 22:13:31 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final'
2026/02/04 22:13:31 wazuh-agent: INFO: (6207): Ignore 'registry' sregex '\Enum$'
2026/02/04 22:13:31 wazuh-agent: INFO: Started (pid: 4252).
2026/02/04 22:13:31 wazuh-agent: INFO: (1951): Analyzing event log: 'Application'.
2026/02/04 22:13:31 wazuh-agent: INFO: (1951): Analyzing event log: 'Security'.
2026/02/04 22:13:32 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2022.yml'
2026/02/04 22:13:32 wazuh-agent: INFO: (1951): Analyzing event log: 'System'.
2026/02/04 22:13:32 wazuh-agent: INFO: (1951): Analyzing event log: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'.
2026/02/04 22:13:32 wazuh-agent: INFO: (1950): Analyzing file: 'active-response\active-responses.log'.
2026/02/04 22:13:32 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2026/02/04 22:13:32 wazuh-modulesd:syscollector: INFO: Module started.
2026/02/04 22:13:32 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2026/02/04 22:13:32 wazuh-agent: INFO: Started (pid: 4252).
2026/02/04 22:13:37 rootcheck: INFO: Starting rootcheck scan.
2026/02/04 22:13:43 rootcheck: INFO: Ending rootcheck scan.
2026/02/04 22:13:50 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2026/02/04 22:14:13 wazuh-agent: INFO: (6000): Starting daemon...
2026/02/04 22:14:13 wazuh-agent: INFO: (6010): File integrity monitoring scan frequency: 60 seconds
2026/02/04 22:14:13 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 22:14:16 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/78c5df7f0241ee8080bf03db70f98e848c3e86bb/last-entry.gz) which returned (32)
2026/02/04 22:14:16 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/78c5df7f0241ee8080bf03db70f98e848c3e86bb/last-entry.gz' due to [(17)-(File exists)].
2026/02/04 22:14:16 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/c179cc943c76dbadabae2e21d67b2a00368563ee/last-entry.gz) which returned (32)
2026/02/04 22:14:16 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/c179cc943c76dbadabae2e21d67b2a00368563ee/last-entry.gz' due to [(17)-(File exists)].
2026/02/04 22:14:17 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/4e3c31d0d4fb7319410775c022f31ebf9a2bffb4/last-entry.gz) which returned (32)
2026/02/04 22:14:17 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/4e3c31d0d4fb7319410775c022f31ebf9a2bffb4/last-entry.gz' due to [(17)-(File exists)].
2026/02/04 22:14:17 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/e4cb89f750169d69c68d9f769ad1fca06783326d/last-entry.gz) which returned (32)
2026/02/04 22:14:17 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/e4cb89f750169d69c68d9f769ad1fca06783326d/last-entry.gz' due to [(17)-(File exists)].
2026/02/04 22:14:17 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/c7d7d9d7b193d17dab6a6821ed6365fdb964d39b/last-entry.gz) which returned (32)
2026/02/04 22:14:17 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/c7d7d9d7b193d17dab6a6821ed6365fdb964d39b/last-entry.gz' due to [(17)-(File exists)].
2026/02/04 22:14:19 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/d65177b2f6a55ef10d5c18627c94ad83ff502cc2/last-entry.gz) which returned (32)
2026/02/04 22:14:19 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/d65177b2f6a55ef10d5c18627c94ad83ff502cc2/last-entry.gz' due to [(17)-(File exists)].
2026/02/04 22:14:19 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/0bfe0a13415895417ed6770e42f4a8e595e916cd/last-entry.gz) which returned (32)
2026/02/04 22:14:19 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/0bfe0a13415895417ed6770e42f4a8e595e916cd/last-entry.gz' due to [(17)-(File exists)].
2026/02/04 22:14:23 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2022.yml'
2026/02/04 22:14:23 sca: INFO: Skipping policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2025.yml': 'Check that the Windows platform is Windows Server 2025'
2026/02/04 22:14:23 sca: INFO: Security Configuration Assessment scan finished. Duration: 52 seconds.
2026/02/04 22:14:38 sca: INFO: Integration checksum failed for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2022.yml'. Resending scan results in 298 seconds.
2026/02/04 22:19:50 sca: INFO: Integration checksum failed for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2022.yml'. Resending scan results in 179 seconds.
2026/02/04 22:23:01 sca: INFO: Integration checksum failed for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2022.yml'. Resending scan results in 206 seconds.
2026/02/04 22:24:32 wazuh-agent: INFO: (6035): Analyzing Windows volumes
2026/02/04 22:25:04 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 22:25:04 wazuh-agent: INFO: FIM sync module started.
2026/02/04 22:25:08 wazuh-agent: INFO: (6012): Real-time file integrity monitoring started.
2026/02/04 22:25:08 wazuh-agent: INFO: (6019): File integrity monitoring real-time Whodata engine started.
2026/02/04 22:26:09 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 22:31:42 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 22:32:43 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 22:37:51 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 22:38:52 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 22:43:48 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 22:44:49 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 22:49:34 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 22:50:35 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 22:55:07 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 22:56:08 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 23:00:18 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 23:01:19 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 23:05:27 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 23:06:28 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 23:10:51 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 23:11:52 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 23:13:51 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2026/02/04 23:14:39 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2026/02/04 23:16:14 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 23:17:15 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 23:21:26 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 23:22:27 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 23:26:29 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 23:27:30 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 23:31:19 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 23:32:20 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 23:36:43 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 23:37:44 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 23:41:56 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 23:42:57 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 23:45:16 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 23:46:17 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 23:48:21 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 23:49:22 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 23:51:24 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 23:52:25 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 23:54:33 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 23:55:34 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 23:57:43 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 23:58:44 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/05 00:00:10 wazuh-agent: INFO: Running daily rotation of log files.
2026/02/04 22:13:31 wazuh-agent: INFO: Started (pid: 4252).
2026/02/04 22:13:31 wazuh-agent: INFO: Using AES as encryption method.
2026/02/04 22:13:31 wazuh-agent: INFO: Trying to connect to server ([10.103.1.122]:1514/tcp).
2026/02/04 22:13:31 wazuh-agent: INFO: (4102): Connected to the server ([10.103.1.122]:1514/tcp).
2026/02/04 22:13:31 wazuh-agent: WARNING: (6701): Unknown attribute 'checkall' for directory option.
2026/02/04 22:13:31 rootcheck: INFO: Started (pid: 4252).
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 sca: INFO: Module started.
2026/02/04 22:13:31 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2026/02/04 22:13:31 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2026/02/04 22:13:31 wazuh-agent: INFO: Windows version is 6.0 or newer. (Microsoft Windows Server 2022 Standard [Ver: 10.0.20348.4529] - Wazuh v4.14.0).
2026/02/04 22:13:31 sca: INFO: Loaded policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2022.yml'
2026/02/04 22:13:31 sca: INFO: Loaded policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2025.yml'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 sca: INFO: Starting Security Configuration Assessment scan.
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256 | reg_value_type'
2026/02/04 22:13:31 wazuh-agent: INFO: (6003): Monitoring path: 'c:\program files (x86)', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | report_changes | whodata'.
2026/02/04 22:13:31 wazuh-agent: INFO: (6003): Monitoring path: 'c:\programdata\microsoft\windows\start menu\programs\startup', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | realtime'.
2026/02/04 22:13:31 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2026/02/04 22:13:31 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2026/02/04 22:13:31 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\drivers\etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2026/02/04 22:13:31 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\wbem', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2026/02/04 22:13:31 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\windowspowershell\v1.0', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2026/02/04 22:13:31 wazuh-agent: INFO: (6206): Ignore 'file' entry 'c:\programdata\microsoft\windows\start menu\programs\startup\desktop.ini'
2026/02/04 22:13:31 wazuh-agent: INFO: (6207): Ignore 'file' sregex '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
2026/02/04 22:13:31 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets'
2026/02/04 22:13:31 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users'
2026/02/04 22:13:31 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs'
2026/02/04 22:13:31 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP'
2026/02/04 22:13:31 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn'
2026/02/04 22:13:31 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut'
2026/02/04 22:13:31 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap'
2026/02/04 22:13:31 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo'
2026/02/04 22:13:31 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache'
2026/02/04 22:13:31 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
2026/02/04 22:13:31 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final'
2026/02/04 22:13:31 wazuh-agent: INFO: (6207): Ignore 'registry' sregex '\Enum$'
2026/02/04 22:13:31 wazuh-agent: INFO: Started (pid: 4252).
2026/02/04 22:13:31 wazuh-agent: INFO: (1951): Analyzing event log: 'Application'.
2026/02/04 22:13:31 wazuh-agent: INFO: (1951): Analyzing event log: 'Security'.
2026/02/04 22:13:32 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2022.yml'
2026/02/04 22:13:32 wazuh-agent: INFO: (1951): Analyzing event log: 'System'.
2026/02/04 22:13:32 wazuh-agent: INFO: (1951): Analyzing event log: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'.
2026/02/04 22:13:32 wazuh-agent: INFO: (1950): Analyzing file: 'active-response\active-responses.log'.
2026/02/04 22:13:32 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2026/02/04 22:13:32 wazuh-modulesd:syscollector: INFO: Module started.
2026/02/04 22:13:32 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2026/02/04 22:13:32 wazuh-agent: INFO: Started (pid: 4252).
2026/02/04 22:13:37 rootcheck: INFO: Starting rootcheck scan.
2026/02/04 22:13:43 rootcheck: INFO: Ending rootcheck scan.
2026/02/04 22:13:50 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2026/02/04 22:14:13 wazuh-agent: INFO: (6000): Starting daemon...
2026/02/04 22:14:13 wazuh-agent: INFO: (6010): File integrity monitoring scan frequency: 60 seconds
2026/02/04 22:14:13 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 22:14:16 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/78c5df7f0241ee8080bf03db70f98e848c3e86bb/last-entry.gz) which returned (32)
2026/02/04 22:14:16 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/78c5df7f0241ee8080bf03db70f98e848c3e86bb/last-entry.gz' due to [(17)-(File exists)].
2026/02/04 22:14:16 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/c179cc943c76dbadabae2e21d67b2a00368563ee/last-entry.gz) which returned (32)
2026/02/04 22:14:16 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/c179cc943c76dbadabae2e21d67b2a00368563ee/last-entry.gz' due to [(17)-(File exists)].
2026/02/04 22:14:17 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/4e3c31d0d4fb7319410775c022f31ebf9a2bffb4/last-entry.gz) which returned (32)
2026/02/04 22:14:17 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/4e3c31d0d4fb7319410775c022f31ebf9a2bffb4/last-entry.gz' due to [(17)-(File exists)].
2026/02/04 22:14:17 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/e4cb89f750169d69c68d9f769ad1fca06783326d/last-entry.gz) which returned (32)
2026/02/04 22:14:17 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/e4cb89f750169d69c68d9f769ad1fca06783326d/last-entry.gz' due to [(17)-(File exists)].
2026/02/04 22:14:17 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/c7d7d9d7b193d17dab6a6821ed6365fdb964d39b/last-entry.gz) which returned (32)
2026/02/04 22:14:17 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/c7d7d9d7b193d17dab6a6821ed6365fdb964d39b/last-entry.gz' due to [(17)-(File exists)].
2026/02/04 22:14:19 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/d65177b2f6a55ef10d5c18627c94ad83ff502cc2/last-entry.gz) which returned (32)
2026/02/04 22:14:19 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/d65177b2f6a55ef10d5c18627c94ad83ff502cc2/last-entry.gz' due to [(17)-(File exists)].
2026/02/04 22:14:19 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/file/0bfe0a13415895417ed6770e42f4a8e595e916cd/last-entry.gz) which returned (32)
2026/02/04 22:14:19 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/file/0bfe0a13415895417ed6770e42f4a8e595e916cd/last-entry.gz' due to [(17)-(File exists)].
2026/02/04 22:14:23 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2022.yml'
2026/02/04 22:14:23 sca: INFO: Skipping policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2025.yml': 'Check that the Windows platform is Windows Server 2025'
2026/02/04 22:14:23 sca: INFO: Security Configuration Assessment scan finished. Duration: 52 seconds.
2026/02/04 22:14:38 sca: INFO: Integration checksum failed for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2022.yml'. Resending scan results in 298 seconds.
2026/02/04 22:19:50 sca: INFO: Integration checksum failed for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2022.yml'. Resending scan results in 179 seconds.
2026/02/04 22:23:01 sca: INFO: Integration checksum failed for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win2022.yml'. Resending scan results in 206 seconds.
2026/02/04 22:24:32 wazuh-agent: INFO: (6035): Analyzing Windows volumes
2026/02/04 22:25:04 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 22:25:04 wazuh-agent: INFO: FIM sync module started.
2026/02/04 22:25:08 wazuh-agent: INFO: (6012): Real-time file integrity monitoring started.
2026/02/04 22:25:08 wazuh-agent: INFO: (6019): File integrity monitoring real-time Whodata engine started.
2026/02/04 22:26:09 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 22:31:42 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 22:32:43 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 22:37:51 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 22:38:52 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 22:43:48 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 22:44:49 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 22:49:34 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 22:50:35 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 22:55:07 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 22:56:08 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 23:00:18 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 23:01:19 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 23:05:27 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 23:06:28 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 23:10:51 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 23:11:52 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 23:13:51 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2026/02/04 23:14:39 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2026/02/04 23:16:14 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 23:17:15 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 23:21:26 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 23:22:27 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 23:26:29 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 23:27:30 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 23:31:19 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 23:32:20 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 23:36:43 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 23:37:44 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 23:41:56 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 23:42:57 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 23:45:16 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 23:46:17 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 23:48:21 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 23:49:22 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 23:51:24 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 23:52:25 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 23:54:33 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 23:55:34 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/04 23:57:43 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/04 23:58:44 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/05 00:00:10 wazuh-agent: INFO: Running daily rotation of log files.
Regards
Diwahar
Stuti Gupta
Feb 9, 2026, 1:55:33 AM (3 days ago) Feb 9
to Wazuh | Mailing List
As expected, the issue is because the agent is processing a very large number of files when an entire drive is monitored with report_changes enabled. This results in high diff output and repeated file operation failures during diff rotation.
Monitoring smaller directories or disabling report_changes for large paths avoids this condition. If the diff queue becomes stuck, stop the agent service, clear the :
C:\Program Files (x86)\ossec-agent\queue\diff\tmp\
C:\Program Files (x86)\ossec-agent\queue\diff\file\
and restart the service.
Monitoring entire drives with real-time and report_changes produces a very large scan output. It is recommended to monitor specific folders instead of full partitions. Example configuration:
<directories realtime="yes" check_all="yes" report_changes="yes">D:\data</directories>
Additionaly there is a warning "Unknown attribute 'checkall'", make sure it is check_all="yes" (and in case you have changed this, make sure to restart the agent)
Monitoring smaller directories or disabling report_changes for large paths avoids this condition. If the diff queue becomes stuck, stop the agent service, clear the :
C:\Program Files (x86)\ossec-agent\queue\diff\tmp\
C:\Program Files (x86)\ossec-agent\queue\diff\file\
and restart the service.
Monitoring entire drives with real-time and report_changes produces a very large scan output. It is recommended to monitor specific folders instead of full partitions. Example configuration:
<directories realtime="yes" check_all="yes" report_changes="yes">D:\data</directories>
Additionaly there is a warning "Unknown attribute 'checkall'", make sure it is check_all="yes" (and in case you have changed this, make sure to restart the agent)
Reply all
Reply to author
Forward
0 new messages