Wazuh centralized configuration - sysmonconfig.xml


Stefan Penchev

Dec 23, 2025, 7:18:48 AM (2 days ago) Dec 23
to Wazuh | Mailing List
Hello everybody.
I have a problem implementing centralized configuration of the sysmonconfig.xml file. This is the configuration file of Sysmon.
I want to modify the sysmonconfig.xml on the Wazuh server - it is located in the /var/ossec/etc/shared/default folder.
Once I modify it, it is passed to Windows endpoints in this folder:
C:\Program Files (x86)\ossec-agent\shared\sysmonconfig.xml

In order to check for modifications, I have added in agent.conf on the manager:
<directories check_all="yes" realtime="yes" report_changes="yes">C:\Program Files (x86)\ossec-agent\shared\sysmonconfig.xml</directories>

So when a modification is detected on the local computer by the FIM module, I have the rule:

<group name="conf_change,syscheck,sysmon,fim,">
  <rule id="100099" level="5">
    <if_sid>550</if_sid>
    <match>sysmonconfig.xml</match>
    <description>Changes made to the SYSMON configuration file - $(file)</description>
  </rule>
</group>

My idea is, when the rule fires an alert, to have an active response restarting Sysmon locally:

In the manager ossec.conf:
<command>
  <name>sysmon-restart</name>
  <executable>sysmon-restart.cmd</executable>  <!-- must be in the active-response/bin directory on the agent! -->
  <timeout_allowed>no</timeout_allowed>
</command>

<active-response>
  <command>sysmon-restart</command>
  <location>local</location>
  <rules_id>100099</rules_id>
</active-response>

Sysmon should restart locally at the endpoint loading the modified config xml file.

The problem is that FIM does not detect the change in the sysmonconfig.xml file and does not fire rule 100099.

Any ideas? Do you see any mistakes in my logic?

Thank you in advance for all your help.

Olamilekan Abdullateef Ajani

Dec 23, 2025, 8:14:38 AM (2 days ago) Dec 23
to Wazuh | Mailing List
Hello,

The issue I see here is the XML file drill-down you did with the syscheck directory block. The directory block is used to list the directories to be monitored, and all files will be captured. It is not to be used to reference files.
You can make use of the block below, and if you would rather not capture changes in other files in the same directory, you can simply use the ignore option to filter them out.

<agent_config>
  <!-- Shared agent configuration here -->
  <syscheck>
    <directories check_all="yes" realtime="yes" report_changes="yes">C:\Program Files (x86)\ossec-agent\shared</directories>
  </syscheck>
</agent_config>

I was able to test this and captured changes; you can see the reference in the attached image.

From this, you can channel the outcome to your active response, and I believe everything should work fine.

Ref: sysmon-change.png (attached image)

Please let me know if you have further questions on this.
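The following is an added example, not code from the thread or from Wazuh itself. It models the semantics described in the answer above (a `<directories>` entry names a directory whose files are all monitored, `<ignore>` filters paths out, and a rule's `<match>` is a substring test on the alert text) so that a shared agent.conf block and the custom rule from the question can be sanity-checked offline before they are pushed to endpoints. Both configuration strings and the file paths are constructed for the example; literal `<ignore>` entries are treated as path prefixes and the `sregex` form and the `^`/`|` syntax of `<match>` are assumed out of scope.

```python
"""Offline check: does a FIM change to a given path reach rule 100099?"""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed sample: the original entry that names the file itself.
FILE_ENTRY_CONF = """<agent_config>
  <syscheck>
    <directories check_all="yes" realtime="yes" report_changes="yes">C:\\Program Files (x86)\\ossec-agent\\shared\\sysmonconfig.xml</directories>
  </syscheck>
</agent_config>"""

# Constructed sample: the corrected entry that names the directory, plus an
# <ignore> so that one sibling file does not generate alerts.
DIR_ENTRY_CONF = """<agent_config>
  <syscheck>
    <directories check_all="yes" realtime="yes" report_changes="yes">C:\\Program Files (x86)\\ossec-agent\\shared</directories>
    <ignore>C:\\Program Files (x86)\\ossec-agent\\shared\\ar.conf</ignore>
  </syscheck>
</agent_config>"""

# The custom rule from the question, as posted.
RULES = """<group name="conf_change,syscheck,sysmon,fim,">
  <rule id="100099" level="5">
    <if_sid>550</if_sid>
    <match>sysmonconfig.xml</match>
    <description>Changes made to the SYSMON configuration file - $(file)</description>
  </rule>
</group>"""


def monitored_options(agent_conf: str, changed_path: str):
    """Return the <directories> attributes covering changed_path, or None.

    A <directories> entry names a directory and every file beneath it is
    monitored; an entry that names the file itself is treated as a directory
    that contains nothing, so it covers no file. PureWindowsPath compares
    case-insensitively, which matches NTFS behaviour.
    """
    root = ET.fromstring(agent_conf)
    path = PureWindowsPath(changed_path)
    for ign in root.iter("ignore"):
        # Assumption: a literal <ignore> is a path prefix (type="sregex" not modelled).
        ignored = PureWindowsPath(ign.text.strip())
        if path == ignored or ignored in path.parents:
            return None
    for entry in root.iter("directories"):
        # One entry may list several comma-separated directories.
        for directory in entry.text.split(","):
            if PureWindowsPath(directory.strip()) in path.parents:
                return dict(entry.attrib)
    return None


def matching_rule(rules_xml: str, alert_text: str, parent_sid: str = "550"):
    """Return the id of the first child rule of parent_sid whose <match> is a
    substring of alert_text (a rule without <match> matches unconditionally)."""
    root = ET.fromstring(rules_xml)
    for rule in root.iter("rule"):
        sids = [s.strip() for s in rule.findtext("if_sid", "").split(",")]
        if parent_sid not in sids:
            continue
        needle = rule.findtext("match")
        if needle is None or needle.strip() in alert_text:
            return rule.get("id")
    return None


def would_alert(agent_conf: str, rules_xml: str, changed_path: str):
    """Simulate the chain: FIM covers the file -> rule 550 fires -> child rule.

    Returns the child rule id, or None when the change never reaches it.
    The file path stands in for the alert text that <match> is tested against.
    """
    if monitored_options(agent_conf, changed_path) is None:
        return None
    return matching_rule(rules_xml, changed_path)


if __name__ == "__main__":
    target = r"C:\Program Files (x86)\ossec-agent\shared\sysmonconfig.xml"
    print("file entry :", would_alert(FILE_ENTRY_CONF, RULES, target))
    print("dir entry  :", would_alert(DIR_ENTRY_CONF, RULES, target))
```

Running it prints `None` for the file-path entry and `100099` for the directory entry, which is the behaviour the thread describes; a changed sibling such as `agent.conf` is monitored but produces no 100099 alert because the rule's `<match>` does not contain it, and the ignored `ar.conf` produces nothing at all.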