syscheck for non-volatile directories


Veera

Jun 30, 2026, 1:25:01 AM (3 days ago) Jun 30
to Wazuh | Mailing List

Attached is my syscheck configuration, which has both real-time monitoring and scheduled scans enabled. The expectation is that an alert should be generated when a test malware file is placed in either the first- or second-level directories.

However, no event is being triggered when the file is placed under /home/myhome.

Is this the expected behavior?

I have been using the Wazuh + YARA + custom_active-response.sh setup for quite some time, and it has been working as expected.

The same configuration successfully detects the file on Ubuntu 22 (for example, /home/myhome/mytestfile), but the same test fails on RHEL 6. Both agents are in the same group in the Wazuh agent configuration.

ossec_syscheck.txt

ismail....@wazuh.com

Jun 30, 2026, 2:12:50 AM (3 days ago) Jun 30
to Wazuh | Mailing List
Hi,

After reviewing the configuration and the Wazuh File Integrity Monitoring (FIM) documentation, the behavior requires some additional verification.

The `/home` directory is currently configured as:

<directories check_all="yes" recursion_level="2">/home/</directories>

This configuration enables scheduled file integrity monitoring with a recursion level of 2. According to the Wazuh documentation #recursion-level, Syscheck will monitor the specified directory and its subdirectories up to two levels deep. Therefore, a file created under `/home/myhome/` falls within the configured monitoring scope.

It is important to note that `/home` is not configured with `realtime="yes"`. As a result, Wazuh is not expected to generate an immediate alert when a file is created in this location. Detection would occur when the next scheduled Syscheck scan runs and identifies the new or modified file. Refer to this doc #real-time-monitoring #scheduled-scans

Example:
<directories check_all="yes" realtime="yes" recursion_level="2">/home</directories>

Based on the configuration provided, the path itself appears to be correctly included within the monitored scope. Since the same configuration is reportedly working on Ubuntu 22 but not on the RHEL 6 system, additional investigation is required to determine whether the issue is related to Syscheck execution, the endpoint environment, or the workflow that triggers the YARA scan.

As an initial troubleshooting step, we recommend verifying whether a File Integrity Monitoring event is generated for the test file independently of the YARA integration. If no Syscheck event is generated, the YARA active response would not be triggered.

Could you please provide the following information from the RHEL 6 host?

* Wazuh agent version.
* Syscheck scan frequency configuration.
* Relevant Syscheck-related entries from `/var/ossec/logs/ossec.log` after creating the test file.
* Confirmation of how long the test file remained in place before validation.
* Whether the file is created directly under `/home/myhome/` or within additional nested subdirectories.

Once we review this information, we can determine whether the issue is related to Syscheck monitoring, scan execution, platform-specific behavior on RHEL 6, or the custom YARA workflow.

Additionally, it is worth noting that the affected system is running RHEL 6, which is an end-of-life operating system and uses a significantly older kernel compared to Ubuntu 22. While we have not identified a documented Wazuh issue specifically stating that Syscheck monitoring under `/home` fails on RHEL 6, older operating systems can exhibit differences in filesystem monitoring behavior, kernel event handling, and File Integrity Monitoring capabilities compared to newer platforms. Since the same configuration is functioning as expected on Ubuntu 22, it would be helpful to review the Syscheck logs and agent details from the RHEL 6 host to determine whether the behavior is related to the operating system environment, the Wazuh agent, or the monitoring workflow itself.

I hope it helps. Please let us know if you have any further questions or concerns.

Regards
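The recursion_level and realtime semantics described in the reply above, as an added example (not Wazuh's own code; the syscheck fragment is constructed to mirror the thread's configuration): a small checker that reports whether a file path is within a `<directories>` entry's scope and whether it would be picked up immediately or only at the next scheduled scan.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed syscheck fragment: /home is scheduled-only with two levels of
# recursion, /etc is realtime with no recursion (assumed for illustration).
SYSCHECK_XML = """
<syscheck>
  <frequency>43200</frequency>
  <directories check_all="yes" recursion_level="2">/home/</directories>
  <directories check_all="yes" realtime="yes" recursion_level="0">/etc</directories>
</syscheck>
"""

def parse_directories(xml_text):
    """Extract each <directories> entry with its recursion_level and realtime flag."""
    entries = []
    for el in ET.fromstring(xml_text).findall("directories"):
        for raw in el.text.split(","):          # one element may list several paths
            entries.append({
                "path": posixpath.normpath(raw.strip()),
                "recursion_level": int(el.get("recursion_level", "256")),  # Wazuh default
                "realtime": el.get("realtime", "no") == "yes",
            })
    return entries

def classify(path, entries):
    """Return 'realtime', 'scheduled' or None (out of scope) for a file path."""
    parent = posixpath.dirname(posixpath.normpath(path))
    best = None
    for e in entries:
        prefix = e["path"].rstrip("/") + "/"
        if parent != e["path"] and not parent.startswith(prefix):
            continue
        # depth = number of subdirectory levels between the entry and the file's parent
        rel = posixpath.relpath(parent, e["path"])
        depth = 0 if rel == "." else rel.count("/") + 1
        if depth > e["recursion_level"]:
            continue
        mode = "realtime" if e["realtime"] else "scheduled"
        if best is None or len(e["path"]) > best[0]:   # most specific entry wins
            best = (len(e["path"]), mode)
    return best[1] if best else None

ENTRIES = parse_directories(SYSCHECK_XML)
```

With this configuration `/home/myhome/mytestfile` is in scope but only at the next scheduled scan, which matches the reply's explanation of why no immediate alert appears.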