Hi,
After reviewing the configuration and the Wazuh File Integrity Monitoring (FIM) documentation, the behavior requires some additional verification.
The `/home` directory is currently configured as:
```xml
<directories check_all="yes" recursion_level="2">/home/</directories>
```
This configuration enables scheduled file integrity monitoring with a recursion level of 2. According to the Wazuh documentation on `recursion_level`, Syscheck will monitor the specified directory and its subdirectories up to two levels deep. Therefore, a file created under `/home/myhome/` falls within the configured monitoring scope.
It is important to note that `/home` is not configured with `realtime="yes"`. As a result, Wazuh is not expected to generate an immediate alert when a file is created in this location. Detection would occur when the next scheduled Syscheck scan runs and identifies the new or modified file. Refer to the documentation sections on real-time monitoring and scheduled scans. Example:

```xml
<directories check_all="yes" realtime="yes" recursion_level="2">/home</directories>
```

Based on the configuration provided, the path itself appears to be correctly included within the monitored scope. Since the same configuration is reportedly working on Ubuntu 22 but not on the RHEL 6 system, additional investigation is required to determine whether the issue is related to Syscheck execution, the endpoint environment, or the workflow that triggers the YARA scan.
As an initial troubleshooting step, we recommend verifying whether a File Integrity Monitoring event is generated for the test file independently of the YARA integration. If no Syscheck event is generated, the YARA active response would not be triggered.
Could you please provide the following information from the RHEL 6 host?
* Wazuh agent version.
* Syscheck scan frequency configuration.
* Relevant Syscheck-related entries from `/var/ossec/logs/ossec.log` after creating the test file.
* Confirmation of how long the test file remained in place before validation.
* Whether the file is created directly under `/home/myhome/` or within additional nested subdirectories.
Once we review this information, we can determine whether the issue is related to Syscheck monitoring, scan execution, platform-specific behavior on RHEL 6, or the custom YARA workflow.
Additionally, it is worth noting that the affected system is running RHEL 6, which is an end-of-life operating system and uses a significantly older kernel compared to Ubuntu 22. While we have not identified a documented Wazuh issue specifically stating that Syscheck monitoring under `/home` fails on RHEL 6, older operating systems can exhibit differences in filesystem monitoring behavior, kernel event handling, and File Integrity Monitoring capabilities compared to newer platforms. Since the same configuration is functioning as expected on Ubuntu 22, it would be helpful to review the Syscheck logs and agent details from the RHEL 6 host to determine whether the behavior is related to the operating system environment, the Wazuh agent, or the monitoring workflow itself.
I hope this helps. Please let us know if you have any further questions or concerns.
Regards
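To make the scope reasoning in this reply concrete, here is an added example (not Wazuh's own code, and not from the original post) that reads `<directories>` entries from a constructed `ossec.conf` fragment and reports, for a given file, whether it falls inside the configured `recursion_level` and whether detection would be real-time or scheduled. It assumes `recursion_level="N"` means a file is in scope when its parent directory is at most N subdirectory levels below the configured path, and that the most specific matching entry wins when entries overlap.

```python
import os
import xml.etree.ElementTree as ET

# Constructed configuration fragment mirroring the one discussed above
# (not a real ossec.conf; the /etc entry is added for contrast).
SAMPLE_CONFIG = """
<ossec_config>
  <syscheck>
    <directories check_all="yes" recursion_level="2">/home/</directories>
    <directories check_all="yes" realtime="yes">/etc</directories>
  </syscheck>
</ossec_config>
"""

def parse_directories(xml_text):
    """Return [(normalized_path, attributes)] for every <directories> entry.
    Wazuh allows several comma-separated paths inside one element."""
    root = ET.fromstring(xml_text)
    entries = []
    for node in root.iter("directories"):
        for raw in (node.text or "").split(","):
            path = raw.strip()
            if path:
                # normpath drops the trailing slash in "/home/"
                entries.append((os.path.normpath(path), dict(node.attrib)))
    return entries

def depth_below(base, parent):
    """Subdirectory levels from base down to parent; None if parent is outside base."""
    rel = os.path.relpath(parent, base)
    if rel == ".":
        return 0
    if rel == ".." or rel.startswith(".." + os.sep):
        return None
    return len(rel.split(os.sep))

def scope_for(file_path, entries):
    """Return (in_scope, mode, matched_base); mode is 'realtime' or 'scheduled'."""
    parent = os.path.dirname(os.path.normpath(file_path))
    best = None
    for base, attrs in entries:
        depth = depth_below(base, parent)
        if depth is None:
            continue
        # Assumption: recursion_level N covers subdirectories up to N levels deep.
        # Wazuh's documented default when the attribute is absent is 256.
        limit = int(attrs.get("recursion_level", 256))
        if best is None or len(base) > len(best[0]):  # most specific entry wins (assumption)
            best = (base, depth <= limit, attrs.get("realtime") == "yes")
    if best is None:
        return (False, None, None)
    base, in_scope, realtime = best
    return (in_scope, "realtime" if realtime else "scheduled", base)
```

A result of `(True, "scheduled", "/home")` for `/home/myhome/test.txt` matches the reply: the file is in scope, but an alert only appears after the next scheduled scan.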