~$ sudo touch /etc/test:
{"timestamp":"2024-05-13T08:30:48.769-0300","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"jellyfish"},"manager":{"name":"jellyfish"},"id":"1715599848.30447","full_log":"File '/etc/test' added\nMode: whodata\n","syscheck":{"path":"/etc/test","mode":"whodata","size_after":"0","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"d41d8cd98f00b204e9800998ecf8427e","sha1_after":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256_after":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","uname_after":"root","gname_after":"root","mtime_after":"2024-05-13T08:30:48","inode_after":131887,"event":"added","audit":{"user":{"id":"0","name":"root"},"process":{"id":"313330","name":"/usr/bin/touch","cwd":"/home/vagrant","parent_cwd":"/home/vagrant","ppid":"313329"},"group":{"id":"0","name":"root"},"login_user":{"id":"1000","name":"vagrant"},"effective_user":{"id":"0","name":"root"}}},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}
~$ sudo touch /etc/tests.txt:
{"timestamp":"2024-05-13T08:31:13.234-0300","rule":{"level":5,"description":"File added to the system.","id":"554","firedtimes":2,"mail":false,"groups":["ossec","syscheck","syscheck_entry_added","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"jellyfish"},"manager":{"name":"jellyfish"},"id":"1715599873.32749","full_log":"File '/etc/tests.txt' added\nMode: whodata\n","syscheck":{"path":"/etc/tests.txt","mode":"whodata","size_after":"0","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_after":"d41d8cd98f00b204e9800998ecf8427e","sha1_after":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha256_after":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","uname_after":"root","gname_after":"root","mtime_after":"2024-05-13T08:31:13","inode_after":132801,"event":"added","audit":{"user":{"id":"0","name":"root"},"process":{"id":"313404","name":"/usr/bin/touch","cwd":"/home/vagrant","ppid":"313403"},"group":{"id":"0","name":"root"},"login_user":{"id":"1000","name":"vagrant"},"effective_user":{"id":"0","name":"root"}}},"decoder":{"name":"syscheck_new_entry"},"location":"syscheck"}
~$ echo "1" >> /etc/tests.txt:
{"timestamp":"2024-05-13T08:34:39.359-0300","rule":{"level":7,"description":"Integrity checksum changed.","id":"550","mitre":{"id":["T1565.001"],"tactic":["Impact"],"technique":["Stored Data Manipulation"]},"firedtimes":1,"mail":false,"groups":["ossec","syscheck","syscheck_entry_modified","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"jellyfish"},"manager":{"name":"jellyfish"},"id":"1715600079.36381","full_log":"File '/etc/tests.txt' modified\nMode: whodata\nChanged attributes: size,mtime,md5,sha1,sha256\nSize changed from '0' to '2'\nOld modification time was: '1715599873', now it is '1715600079'\nOld md5sum was: 'd41d8cd98f00b204e9800998ecf8427e'\nNew md5sum is : 'b026324c6904b2a9cb4b88d6d61c81d1'\nOld sha1sum was: 'da39a3ee5e6b4b0d3255bfef95601890afd80709'\nNew sha1sum is : 'e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e'\nOld sha256sum was: 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'\nNew sha256sum is : '4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865'\n","syscheck":{"path":"/etc/tests.txt","mode":"whodata","size_before":"0","size_after":"2","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_before":"d41d8cd98f00b204e9800998ecf8427e","md5_after":"b026324c6904b2a9cb4b88d6d61c81d1","sha1_before":"da39a3ee5e6b4b0d3255bfef95601890afd80709","sha1_after":"e5fa44f2b31c1fb553b6021e7360d07d5d91ff5e","sha256_before":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855","sha256_after":"4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865","uname_after":"root","gname_after":"root","mtime_before":"2024-05-13T08:31:13","mtime_after":"2024-05-13T08:34:39","inode_after":132801,"diff":"0a1\n> 
1\n","changed_attributes":["size","mtime","md5","sha1","sha256"],"event":"modified","audit":{"user":{"id":"0","name":"root"},"process":{"id":"313566","name":"/usr/bin/bash","cwd":"/home/vagrant","parent_name":"/usr/bin/su","parent_cwd":"/","ppid":"313565"},"group":{"id":"0","name":"root"},"login_user":{"id":"1000","name":"vagrant"},"effective_user":{"id":"0","name":"root"}}},"decoder":{"name":"syscheck_integrity_changed"},"location":"syscheck"}
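Have you checked the alerts in /var/ossec/logs/alerts/alerts.json? Could you also enable debug level 2 for the wazuh-syscheckd daemon (`syscheck.debug=2` in /var/ossec/etc/local_internal_options.conf, followed by a restart)? Please share the resulting logs and I will continue to help you.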