Agent with FIM enabled - not enough space
134 views
Skip to first unread message
Krzysztof Gmyr
Oct 4, 2023, 1:15:15 AM10/4/23
to Wazuh | Mailing List
I've problem with a Wazuh Agent (4.5.1) and FIM module enabled on Windows Server 2012R2.
After first file scan (about 10 hours), Agent works few hours and ends with error (Not enough space):
2023/10/03 21:18:42 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2023/10/03 21:18:50 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2023/10/03 21:41:57 wazuh-agent: CRITICAL: (1102): Could not acquire memory due to [(12)-(Not enough space)].
2023/10/03 21:41:57 wazuh-agent: INFO: Received exit signal. Starting exit process.
2023/10/03 21:41:57 wazuh-agent: INFO: Set pending exit signal.
2023/10/03 21:41:57 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector.
2023/10/03 21:41:57 wazuh-modulesd:syscollector: INFO: Module finished.
2023/10/03 21:41:57 wazuh-agent: INFO: Exit completed successfully.
2023/10/03 21:41:57 wazuh-agent: INFO: (1314): Shutdown received. Deleting responses.
2023/10/03 21:18:50 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2023/10/03 21:41:57 wazuh-agent: CRITICAL: (1102): Could not acquire memory due to [(12)-(Not enough space)].
2023/10/03 21:41:57 wazuh-agent: INFO: Received exit signal. Starting exit process.
2023/10/03 21:41:57 wazuh-agent: INFO: Set pending exit signal.
2023/10/03 21:41:57 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector.
2023/10/03 21:41:57 wazuh-modulesd:syscollector: INFO: Module finished.
2023/10/03 21:41:57 wazuh-agent: INFO: Exit completed successfully.
2023/10/03 21:41:57 wazuh-agent: INFO: (1314): Shutdown received. Deleting responses.
I've about 500GB of free space on the disk, about 10GB of free memory.
FIM.db is about 2GB. (250.000 files in monitored folder)
My .conf file related to the FIM:
<directories check_all="yes" whodata="yes">E:\common</directories>
  <file_limit>
    <enabled>no</enabled>
  </file_limit>
  </file_limit>
Is it a bug or something wrong in my Agent configuration?
Harshal Paliwal
Oct 4, 2023, 1:41:18 AM10/4/23
to Wazuh | Mailing List
Hi Team,
Thanks for using the Wazuh.
Can you please share the ossec.conf file for this Wazuh agent so I can review it and provide a solution accordingly.
Also can you please let me know if you are facing this issue for other agents also or only for this agent?
Waiting for your response soon.
Regards,
Krzysztof Gmyr
Oct 4, 2023, 2:10:12 AM10/4/23
to Wazuh | Mailing List
Hi!
  <directories check_all="yes" whodata="yes">E:\common</directories>
  <file_limit>
    <enabled>no</enabled>
  </file_limit>
 </syscheck>
 <!-- System inventory -->
 <wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <scan_on_start>yes</scan_on_start>
  <hardware>yes</hardware>
  <os>yes</os>
  <network>yes</network>
  <packages>yes</packages>
  <ports all="no">yes</ports>
  <processes>yes</processes>
  <!-- Database synchronization settings -->
  <synchronization>
   <max_eps>10</max_eps>
  </synchronization>
 </wodle>
 <!-- CIS policies evaluation -->
 <wodle name="cis-cat">
  <disabled>yes</disabled>
  <timeout>1800</timeout>
  <interval>1d</interval>
  <scan-on-start>yes</scan-on-start>
  <java_path>\\server\jre\bin\java.exe</java_path>
  <ciscat_path>C:\cis-cat</ciscat_path>
 </wodle>
 <!-- Osquery integration -->
 <wodle name="osquery">
  <disabled>yes</disabled>
  <run_daemon>yes</run_daemon>
  <bin_path>C:\Program Files\osquery\osqueryd</bin_path>
  <log_path>C:\Program Files\osquery\log\osqueryd.results.log</log_path>
  <config_path>C:\Program Files\osquery\osquery.conf</config_path>
  <add_labels>yes</add_labels>
 </wodle>
 <!-- Active response -->
 <active-response>
  <disabled>no</disabled>
  <ca_store>wpk_root.pem</ca_store>
  <ca_verification>yes</ca_verification>
 </active-response>
 <!-- Choose between plain or json format (or both) for internal logs -->
 <logging>
  <log_format>plain</log_format>
 </logging>
</ossec_config>
<!-- END of Default Configuration. -->
My ossec.conf (in 99% is default - i bold my changes):
<!--
 Wazuh - Agent - Default configuration for Windows
 More info at: https://documentation.wazuh.com
 Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->
<ossec_config>
 <client>
  <server>
   <address>xxx.xxx.xxx.xxx</address>
   <port>1514</port>
   <protocol>tcp</protocol>
  </server>
  <config-profile>windows, windows2012R2, windows-server, windows-server-2012R2</config-profile>
  <crypto_method>aes</crypto_method>
  <notify_time>10</notify_time>
  <time-reconnect>60</time-reconnect>
  <auto_restart>yes</auto_restart>
  <enrollment>
    <enabled>yes</enabled>
    <manager_address>xxx.xxx.xxx.xxx</manager_address>
    <agent_name>win20212dc</agent_name>
    <groups>windows-servers</groups>
  </enrollment>
 </client>
 <!-- Agent buffer options -->
 <client_buffer>
  <disabled>no</disabled>
  <queue_size>5000</queue_size>
  <events_per_second>500</events_per_second>
 </client_buffer>
 <!-- Log analysis -->
 <localfile>
  <location>Application</location>
  <log_format>eventchannel</log_format>
 </localfile>
 <localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
   EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
   EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
   EventID != 5152 and EventID != 5157]</query>
 </localfile>
 <localfile>
  <location>System</location>
  <log_format>eventchannel</log_format>
 </localfile>
 <localfile>
  <location>active-response\active-responses.log</location>
  <log_format>syslog</log_format>
 </localfile>
 <!-- Policy monitoring -->
 <rootcheck>
  <disabled>no</disabled>
  <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
  <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
 </rootcheck>
 <!-- Security Configuration Assessment -->
 <sca>
  <enabled>yes</enabled>
  <scan_on_start>yes</scan_on_start>
  <interval>12h</interval>
  <skip_nfs>yes</skip_nfs>
 </sca>
 <!-- File integrity monitoring -->
 <syscheck>
  <disabled>no</disabled>
  <!-- Frequency that syscheck is executed default every 12 hours -->
  <!-- <frequency>86400</frequency>  ->
  <!-- SKANOWANIE RAZ W TYGODNIU -->
  <scan_time>10pm</scan_time>
  <scan_day>saturday</scan_day>
  <!-- Default files to be monitored. -->
  <directories recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$">%WINDIR%</directories>
  <directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$">%WINDIR%\SysNative</directories>
  <directories recursion_level="0">%WINDIR%\SysNative\drivers\etc</directories>
  <directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\SysNative\wbem</directories>
  <directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\SysNative\WindowsPowerShell\v1.0</directories>
  <directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\SysNative</directories>
  <!-- KATALOGI -->
 Wazuh - Agent - Default configuration for Windows
 More info at: https://documentation.wazuh.com
 Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->
<ossec_config>
 <client>
  <server>
   <address>xxx.xxx.xxx.xxx</address>
   <port>1514</port>
   <protocol>tcp</protocol>
  </server>
  <config-profile>windows, windows2012R2, windows-server, windows-server-2012R2</config-profile>
  <crypto_method>aes</crypto_method>
  <notify_time>10</notify_time>
  <time-reconnect>60</time-reconnect>
  <auto_restart>yes</auto_restart>
  <enrollment>
    <enabled>yes</enabled>
    <manager_address>xxx.xxx.xxx.xxx</manager_address>
    <agent_name>win20212dc</agent_name>
    <groups>windows-servers</groups>
  </enrollment>
 </client>
 <!-- Agent buffer options -->
 <client_buffer>
  <disabled>no</disabled>
  <queue_size>5000</queue_size>
  <events_per_second>500</events_per_second>
 </client_buffer>
 <!-- Log analysis -->
 <localfile>
  <location>Application</location>
  <log_format>eventchannel</log_format>
 </localfile>
 <localfile>
  <location>Security</location>
  <log_format>eventchannel</log_format>
  <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
   EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
   EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
   EventID != 5152 and EventID != 5157]</query>
 </localfile>
 <localfile>
  <location>System</location>
  <log_format>eventchannel</log_format>
 </localfile>
 <localfile>
  <location>active-response\active-responses.log</location>
  <log_format>syslog</log_format>
 </localfile>
 <!-- Policy monitoring -->
 <rootcheck>
  <disabled>no</disabled>
  <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
  <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
 </rootcheck>
 <!-- Security Configuration Assessment -->
 <sca>
  <enabled>yes</enabled>
  <scan_on_start>yes</scan_on_start>
  <interval>12h</interval>
  <skip_nfs>yes</skip_nfs>
 </sca>
 <!-- File integrity monitoring -->
 <syscheck>
  <disabled>no</disabled>
  <!-- Frequency that syscheck is executed default every 12 hours -->
  <!-- <frequency>86400</frequency>  ->
  <!-- SKANOWANIE RAZ W TYGODNIU -->
  <scan_time>10pm</scan_time>
  <scan_day>saturday</scan_day>
  <!-- Default files to be monitored. -->
  <directories recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$">%WINDIR%</directories>
  <directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$">%WINDIR%\SysNative</directories>
  <directories recursion_level="0">%WINDIR%\SysNative\drivers\etc</directories>
  <directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\SysNative\wbem</directories>
  <directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\SysNative\WindowsPowerShell\v1.0</directories>
  <directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\SysNative</directories>
  <!-- KATALOGI -->
  <directories check_all="yes" whodata="yes">E:\common</directories>
  <!-- 32-bit programs. -->
  <directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$">%WINDIR%\System32</directories>
  <directories recursion_level="0">%WINDIR%\System32\drivers\etc</directories>
  <directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\System32\wbem</directories>
  <directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\System32\WindowsPowerShell\v1.0</directories>
  <directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\System32</directories>
  <directories realtime="yes">%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup</directories>
  <ignore>%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini</ignore>
  <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
  <!-- Windows registry entries to monitor. -->
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
  <!-- Windows registry entries to ignore. -->
  <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
  <registry_ignore type="sregex">\Enum$</registry_ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs</registry_ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP</registry_ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn</registry_ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut</registry_ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap</registry_ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo</registry_ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache</registry_ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</registry_ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final</registry_ignore>
  <!-- Frequency for ACL checking (seconds) -->
  <windows_audit_interval>60</windows_audit_interval>
  <!-- Nice value for Syscheck module -->
  <process_priority>10</process_priority>
  <!-- Maximum output throughput -->
  <max_eps>100</max_eps>
  <!-- Database synchronization settings -->
  <synchronization>
   <enabled>yes</enabled>
   <interval>10m</interval>
   <max_interval>1h</max_interval>
   <max_eps>20</max_eps>
  </synchronization>
  <directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$">%WINDIR%\System32</directories>
  <directories recursion_level="0">%WINDIR%\System32\drivers\etc</directories>
  <directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\System32\wbem</directories>
  <directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\System32\WindowsPowerShell\v1.0</directories>
  <directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\System32</directories>
  <directories realtime="yes">%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup</directories>
  <ignore>%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini</ignore>
  <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
  <!-- Windows registry entries to monitor. -->
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
  <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
  <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
  <!-- Windows registry entries to ignore. -->
  <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
  <registry_ignore type="sregex">\Enum$</registry_ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs</registry_ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP</registry_ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn</registry_ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut</registry_ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap</registry_ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo</registry_ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache</registry_ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</registry_ignore>
  <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final</registry_ignore>
  <!-- Frequency for ACL checking (seconds) -->
  <windows_audit_interval>60</windows_audit_interval>
  <!-- Nice value for Syscheck module -->
  <process_priority>10</process_priority>
  <!-- Maximum output throughput -->
  <max_eps>100</max_eps>
  <!-- Database synchronization settings -->
  <synchronization>
   <enabled>yes</enabled>
   <interval>10m</interval>
   <max_interval>1h</max_interval>
   <max_eps>20</max_eps>
  </synchronization>
  <file_limit>
    <enabled>no</enabled>
  </file_limit>
 </syscheck>
 <!-- System inventory -->
 <wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <scan_on_start>yes</scan_on_start>
  <hardware>yes</hardware>
  <os>yes</os>
  <network>yes</network>
  <packages>yes</packages>
  <ports all="no">yes</ports>
  <processes>yes</processes>
  <!-- Database synchronization settings -->
  <synchronization>
   <max_eps>10</max_eps>
  </synchronization>
 </wodle>
 <!-- CIS policies evaluation -->
 <wodle name="cis-cat">
  <disabled>yes</disabled>
  <timeout>1800</timeout>
  <interval>1d</interval>
  <scan-on-start>yes</scan-on-start>
  <java_path>\\server\jre\bin\java.exe</java_path>
  <ciscat_path>C:\cis-cat</ciscat_path>
 </wodle>
 <!-- Osquery integration -->
 <wodle name="osquery">
  <disabled>yes</disabled>
  <run_daemon>yes</run_daemon>
  <bin_path>C:\Program Files\osquery\osqueryd</bin_path>
  <log_path>C:\Program Files\osquery\log\osqueryd.results.log</log_path>
  <config_path>C:\Program Files\osquery\osquery.conf</config_path>
  <add_labels>yes</add_labels>
 </wodle>
 <!-- Active response -->
 <active-response>
  <disabled>no</disabled>
  <ca_store>wpk_root.pem</ca_store>
  <ca_verification>yes</ca_verification>
 </active-response>
 <!-- Choose between plain or json format (or both) for internal logs -->
 <logging>
  <log_format>plain</log_format>
 </logging>
</ossec_config>
<!-- END of Default Configuration. -->
FIM is enabled only on one server, so I've no idea it is a typical issue, but other Agents on the Windows Servers work without any problems.
btw: my DB was 2MB not 2GB - my fault.
When I restarted Agent, database size grows to 40MB and slowly grows (but scan isn't finished yet).
best regards
K.Gmyr
Harshal Paliwal
Oct 4, 2023, 6:37:54 AM10/4/23
to Wazuh | Mailing List
Hi Team,
Can you please let me know the size of theÂ
E:\common directory also?
Krzysztof Gmyr
Oct 4, 2023, 8:02:44 AM10/4/23
to Wazuh | Mailing List
E:\common
Files: ~1.500.000
Folders: ~230.000
Krzysztof Gmyr
Oct 4, 2023, 1:28:31 PM10/4/23
to Wazuh | Mailing List
fim.db size after scanning - about 730MB.
Krzysztof Gmyr
Oct 23, 2023, 8:44:41 AM10/23/23
to Wazuh | Mailing List
I did some tests and probably this issue is related to the length of the file path.
When I set: recursion_level="5" - agent worked few minutes before crash
When I set:Â recursion_level="3" - agent worked hours
When I set:Â recursion_level="1" - agent works fine since Thursday.
I hope that you fix it in the next versions.
K.Gmyr
Reply all
Reply to author
Forward
0 new messages