Integrity monitoring


360 ALLROUND

Sep 15, 2022, 6:26:42 AM9/15/22
to Wazuh mailing list
Hi Team,

Hope you are doing well. 

Recently I added the lines below to ossec.conf for integrity monitoring:
<!-- Custom Directory to check -->
    <directories check_all="yes" realtime="yes" report_changes="yes" whodata="yes"> /home/soc/Documents/thetesting</directories>


However, after adding the above file path and restarting the manager, I couldn't see any alerts triggered on Wazuh. I tested it by modifying, creating and deleting files in the respective directory.
The file path /home/soc/Documents/thetesting is on a different Linux server from the Wazuh manager where I made the changes to the ossec.conf file.

Please let me know how I can work around the detection issue.

-Regards 
 Ruben 

elw...@wazuh.com

Sep 15, 2022, 7:29:31 AM9/15/22
to Wazuh mailing list
Hello Ruben,

If the file you are trying to monitor is on the agent side, then the FIM configuration should be added to the group's configuration file (by default all agents belong to the default group, see https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html?highlight=group#agent-conf), located on the manager at /var/ossec/etc/shared/default/agent.conf, or using the WUI (https://wazuh.com/blog/agent-groups-and-centralized-configuration/#Using%20the%20Kibana%20app).

Note also that you cannot mix the realtime and whodata options, as whodata = realtime + audit; thus the syscheck configuration should be
    <directories check_all="yes" realtime="yes" report_changes="yes">/home/soc/Documents/thetesting</directories>
You can find all the syscheck/FIM configuration options here: https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/fim-configuration.html.

I hope this helps.

Regards,
Wali
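A small check for the two configuration problems raised in this reply, added here as an example and not part of Wazuh itself. The sample configuration is constructed from the thread's own snippets; the synthetic wrapper root and the problem codes are this example's assumptions.

```python
import xml.etree.ElementTree as ET

# Problem codes returned by lint_syscheck()
MIXED_REALTIME_WHODATA = "mixed-realtime-whodata"
WHITESPACE_IN_PATH = "whitespace-in-path"

# Constructed sample: the first entry is the poster's original line,
# the second is the corrected form from the reply above.
SAMPLE_CONF = """\
<!-- Custom Directory to check -->
<agent_config>
  <syscheck>
    <directories check_all="yes" realtime="yes" report_changes="yes" whodata="yes"> /home/soc/Documents/thetesting</directories>
  </syscheck>
</agent_config>
<agent_config>
  <syscheck>
    <directories check_all="yes" realtime="yes" report_changes="yes">/home/soc/Documents/thetesting</directories>
  </syscheck>
</agent_config>
"""


def parse_wazuh_conf(text):
    # Wazuh config files may contain several top-level blocks, which is not
    # well-formed XML on its own; wrap them in a synthetic root first.
    return ET.fromstring("<lint_root>" + text + "</lint_root>")


def lint_syscheck(text):
    """Return (path, problem_code) for each <directories> entry that shows
    one of the mistakes discussed in the thread. Paths may be comma-separated."""
    findings = []
    for entry in parse_wazuh_conf(text).iter("directories"):
        for raw in (entry.text or "").split(","):
            path = raw.strip()
            # Flag stray whitespace rather than rely on the agent trimming it.
            if raw != path:
                findings.append((path, WHITESPACE_IN_PATH))
            # whodata already implies realtime; setting both is the mix the
            # reply warns against.
            if entry.get("realtime") == "yes" and entry.get("whodata") == "yes":
                findings.append((path, MIXED_REALTIME_WHODATA))
    return findings


if __name__ == "__main__":
    for path, problem in lint_syscheck(SAMPLE_CONF):
        print(f"{problem}: {path}")
```

Run it against a copy of agent.conf (or ossec.conf) before pushing the group configuration; an empty result means neither mistake is present.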

360 ALLROUND

Sep 15, 2022, 8:06:14 AM9/15/22
to Wazuh mailing list
Hi Mr. Wali, 

Thanks for the reply. 

The file I am trying to monitor is on one of the Wazuh agents (i.e. a Linux server). Since it's connected to the manager, can't the changes be made from there?

I also added the changes that you mentioned to ossec.conf, but still no alerts have been triggered after modifying.

-Regards 
Ruben. 

(attachment: IMG_20220915_172608.jpg)

elw...@wazuh.com

Sep 15, 2022, 8:30:44 AM9/15/22
to Wazuh mailing list

Hello Ruben,

It seems that you are still changing the ossec.conf of the manager, while it should be on the agent's side if you still want to do it through the ossec.conf file. However, the easiest and most user-friendly way would be going through the groups and pushing the configuration to the agent. I am assuming that the agent belongs to the default group; the following is the procedure:

Navigate to the groups' configuration:

(screenshot: image (151).png)
then add the syscheck configuration and save the changes:
(screenshot: image (152).png)


That should suffice to push the configuration and monitor the path.

I highly recommend going through the provided documentation to understand the mechanism.


I hope this helps.

Regards,
Wali

360 ALLROUND

Sep 22, 2022, 10:00:16 PM9/22/22
to Wazuh mailing list

Hi Mr. Wali,

Hope you are doing well. 

I made the changes in the location that you sent and it worked well.

However, this is working only on the Windows C drive; no alerts are found for the E drive, which is VM storage.

Please let me know how to work around this.

-Regards 
Ruben

elw...@wazuh.com

Sep 23, 2022, 2:28:43 AM9/23/22
to Wazuh mailing list
Hello Ruben,

For the E drive, I assume it is an NFS and Wazuh might lack permission to monitor it. You can try implementing the solutions described at the end of this thread https://groups.google.com/g/wazuh/c/4Q__vvz20L4/m/H6W5adx9AwAJ.

If it does not work for you, please share the log file ossec.log and the configuration file ossec.conf.

Regards,
Wali