FIM no syscheck.diff field


kenlee

Apr 6, 2022, 4:32:17 AM
to Wazuh mailing list
Hi
I monitor the file /etc/passwd with report_changes enabled. When I add a user on my machine, the alert log has no syscheck.diff field. I modified another file, test.txt, which does have a syscheck.diff field. I don't know what is wrong in my case. Please guide me to fix this problem, thank you!

[Attached screenshots: "have diff filed.png", "no syscheck.diff"]

victor....@wazuh.com

Apr 6, 2022, 6:04:13 AM
to Wazuh mailing list

Hello kenlee,

I have tested this in my environment and it seems to work correctly. The field syscheck.diff is gathered well. Have you followed this documentation page about the whodata capability?

My syscheck configuration is the following:

<syscheck>
    <disabled>no</disabled>
    <scan_on_start>yes</scan_on_start>
    <frequency>10</frequency>
    <directories check_all="yes" whodata="yes" report_changes="yes">/etc</directories>
</syscheck>

Please in order to troubleshoot this issue:

- Send back your Wazuh version and your OS
- Activate the logall_json option in your ossec.conf

    <logall_json>yes</logall_json>

- Restart the Wazuh manager

- Add a new user and check the generated JSON event in the /var/ossec/logs/archives/archives.json file. The generated event should be something like the following:

{"timestamp":"2022-04-06T09:50:07.729+0000","rule":{"level":7,"description":"Integrity checksum changed.","id":"550","mitre":{"id":["T1492"],"tactic":["Impact"],"technique":["Stored Data Manipulation"]},"firedtimes":40,"mail":false,"groups":["ossec","syscheck","syscheck_entry_modified","syscheck_file"],"pci_dss":["11.5"],"gpg13":["4.11"],"gdpr":["II_5.1.f"],"hipaa":["164.312.c.1","164.312.c.2"],"nist_800_53":["SI.7"],"tsc":["PI1.4","PI1.5","CC6.1","CC6.8","CC7.2","CC7.3"]},"agent":{"id":"000","name":"wazuh-manager"},"manager":{"name":"wazuh-manager"},"id":"1649238607.194026","full_log":"File '/etc/passwd' modified\nMode: whodata\nChanged attributes: size,mtime,inode,md5,sha1,sha256\nSize changed from '1860' to '1909'\nOld modification time was: '1649238583', now it is '1649238607'\nOld inode was: '93938', now it is '6506'\nOld md5sum was: 'fb6340a8fa92668d7f5fbcef7167f735'\nNew md5sum is : 'ec0c635f987314acadd446dcbe1a7dfe'\nOld sha1sum was: '6a3d32145fd875d913265a5e85d4809640898711'\nNew sha1sum is : '7e5d327477761a29b5f288f0a864aee23582fdf0'\nOld sha256sum was: '1ebff13242c91c4358a42eca5839ca77a9ce68b4a86ff1c16798cf8ee01ec551'\nNew sha256sum is : 'dc8820018266776f8c6f398e805a2ae3939ab0de21686eeda8a22d65854a1476'\n","syscheck":{"path":"/etc/passwd","mode":"whodata","size_before":"1860","size_after":"1909","perm_after":"rw-r--r--","uid_after":"0","gid_after":"0","md5_before":"fb6340a8fa92668d7f5fbcef7167f735","md5_after":"ec0c635f987314acadd446dcbe1a7dfe","sha1_before":"6a3d32145fd875d913265a5e85d4809640898711","sha1_after":"7e5d327477761a29b5f288f0a864aee23582fdf0","sha256_before":"1ebff13242c91c4358a42eca5839ca77a9ce68b4a86ff1c16798cf8ee01ec551","sha256_after":"dc8820018266776f8c6f398e805a2ae3939ab0de21686eeda8a22d65854a1476","uname_after":"root","gname_after":"root","mtime_before":"2022-04-06T09:49:43","mtime_after":"2022-04-06T09:50:07","inode_before":93938,"inode_after":6506,"diff":"38a39\n> example12:x:1009:1009::/home/example12:/bin/bash\n","changed_attributes":["size","mtime","inode","md5","sha1","sha256"],"event":"modified","audit":{"user":{"id":"0","name":"root"},"process":{"id":"15809","name":"/usr/sbin/useradd","cwd":"/home/wazuh","parent_name":"/usr/bin/bash","parent_cwd":"/home/wazuh","ppid":"2794"},"group":{"id":"0","name":"root"},"login_user":{"id":"1000","name":"wazuh"},"effective_user":{"id":"0","name":"root"}}},"decoder":{"name":"syscheck_integrity_changed"},"location":"syscheck"}

Ensure the diff field is in the json event.

- Send back the generated event
- Disable the logall option in order to not take up all your disk space

With all this information we can help you to solve this problem.

If you have any doubt do not hesitate to ask.
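A small checker for the archives.json step in the reply above, added here as an example and not code from the thread or from Wazuh: it reads the JSON lines, keeps the syscheck events for the monitored path, and reports which of them carry syscheck.diff and what lines that diff says were added. The sample events are constructed and trimmed to the fields the checker uses.

```python
import json
from typing import Dict, List, Optional

# Constructed sample of archives.json lines, trimmed to the fields used here
# (not the full events from the thread). The second event lacks
# syscheck.diff, which is the symptom being troubleshot.
SAMPLE_ARCHIVES = """\
{"timestamp":"2022-04-06T09:50:07.729+0000","rule":{"id":"550","level":7},"location":"syscheck","syscheck":{"path":"/etc/passwd","mode":"whodata","event":"modified","diff":"38a39\\n> example12:x:1009:1009::/home/example12:/bin/bash\\n","audit":{"process":{"name":"/usr/sbin/useradd"}}}}
{"timestamp":"2022-04-06T09:51:00.000+0000","rule":{"id":"550","level":7},"location":"syscheck","syscheck":{"path":"/etc/passwd","mode":"whodata","event":"modified"}}
{"timestamp":"2022-04-06T09:52:00.000+0000","rule":{"id":"5501","level":3},"location":"/var/log/auth.log","full_log":"..."}
"""


def added_lines(diff: str) -> List[str]:
    """Return the lines an ed-style syscheck.diff reports as added ('> ...')."""
    return [line[2:] for line in diff.splitlines() if line.startswith("> ")]


def check_diff_field(archives_text: str, path: str) -> List[Dict[str, Optional[object]]]:
    """Walk archives.json lines and report, for each FIM event on `path`,
    whether syscheck.diff is present and which lines it says were added."""
    results: List[Dict[str, Optional[object]]] = []
    for raw in archives_text.splitlines():
        if not raw.strip():
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip anything that is not a JSON event
        sc = ev.get("syscheck")
        if ev.get("location") != "syscheck" or not sc or sc.get("path") != path:
            continue
        diff = sc.get("diff")
        results.append({
            "timestamp": ev.get("timestamp"),
            "event": sc.get("event"),
            "mode": sc.get("mode"),
            "has_diff": diff is not None,
            "added": added_lines(diff) if diff else [],
        })
    return results


if __name__ == "__main__":
    for r in check_diff_field(SAMPLE_ARCHIVES, "/etc/passwd"):
        status = "diff present" if r["has_diff"] else "NO syscheck.diff"
        print(f'{r["timestamp"]} {r["mode"]} {r["event"]}: {status} {r["added"]}')
```

On a real manager, read /var/ossec/logs/archives/archives.json instead of the constructed sample; events with has_diff False are the ones to send back in the thread.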
