Update of FIM Baseline


fumiya yagi

May 10, 2023, 4:18:55 AM
to Wazuh mailing list
I am using Wazuh version 4.3.

Is there a way to update the FIM baseline?
I am aware that it is updated when wazuh-agent is restarted, but I would like to know if there is a way to update only the baseline without leaving wazuh-agent running.

Gonzalo Jimeno Fernandez

May 10, 2023, 11:25:06 AM
to Wazuh mailing list
Hello fumiya yagi,

Yes, there is a way to update the FIM baseline. First, open your wazuh-dashboard and click the arrow on the left side of Wazuh, click on Tools, and inside Tools click on API Console; you will be in the API Console. Now, in order to run a FIM scan in all wazuh-agents, you should write and run this:

    PUT /syscheck

Here you will find more information about running syscheck scans using the API:
- https://documentation.wazuh.com/current/user-manual/api/reference.html#tag/Syscheck

Regarding updating the FIM database without leaving wazuh-agent running, it is not possible. FIM can only work on agents that are running and connected.

I hope this answers your question. Let me know otherwise.

Regards,
Gonzalo.
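
The same API call Gonzalo points at, done from a script instead of the dashboard's API Console. This is an added example and not code from this thread or from the Wazuh project. It assumes the Wazuh 4.x API defaults: HTTPS on port 55000, a JWT obtained from POST /security/user/authenticate with basic auth and raw=true, and PUT /syscheck with an optional agents_list query parameter; the manager host name, the wazuh:wazuh credentials and the in-memory fake manager (make_fake_manager) are constructed so the flow can be run offline. The response envelope it parses ({"data": {"affected_items", "failed_items", ...}, "error"}) is the standard Wazuh API shape; agents that are not connected show up in failed_items, which is the practical way to see Gonzalo's point that the scan can only be started on running, connected agents.

```python
"""Trigger a Wazuh FIM (syscheck) scan through the manager API.

Added example, not code from the mailing-list thread or the Wazuh project.
Assumed: Wazuh 4.x API defaults (port 55000, JWT from
POST /security/user/authenticate?raw=true, PUT /syscheck?agents_list=...)
and the standard envelope {"data": {"affected_items": [...],
"failed_items": [...]}, "error": 0|1|2}. Host, credentials and the fake
manager below are constructed for the demonstration.
"""
import base64
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Transport signature: (method, url, headers, body) -> (status, response body)
HttpFn = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def make_urllib_http(cafile: Optional[str] = None) -> HttpFn:
    """Real transport. TLS verification stays on; pass the manager's CA file
    rather than disabling checks for its self-signed certificate."""
    ctx = ssl.create_default_context(cafile=cafile)

    def http(method, url, headers, body):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
                return resp.status, resp.read()
        except urllib.error.HTTPError as e:  # 4xx/5xx still carry a JSON body
            return e.code, e.read()
    return http


def get_token(base_url: str, user: str, password: str, http: Optional[HttpFn] = None) -> str:
    """POST /security/user/authenticate?raw=true returns the bare JWT."""
    http = http or make_urllib_http()
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    status, body = http("POST", f"{base_url}/security/user/authenticate?raw=true",
                        {"Authorization": f"Basic {creds}"}, None)
    if status != 200:
        raise RuntimeError(f"authentication failed: HTTP {status}")
    return body.decode().strip()


def run_syscheck_scan(base_url: str, token: str, agents: Optional[List[str]] = None,
                      http: Optional[HttpFn] = None) -> Tuple[List[str], List[dict]]:
    """PUT /syscheck: start a FIM scan on every connected agent, or only on the
    given agent IDs. Returns (affected, failed) so the caller can see which
    agents did not get the command, e.g. because they are disconnected."""
    http = http or make_urllib_http()
    url = f"{base_url}/syscheck"
    if agents:
        if not all(a.isdigit() for a in agents):  # IDs are digit strings like "001"
            raise ValueError("agent IDs must be numeric strings")
        url += "?agents_list=" + ",".join(agents)
    status, body = http("PUT", url, {"Authorization": f"Bearer {token}"}, None)
    if status != 200:
        raise RuntimeError(f"PUT /syscheck failed: HTTP {status} {body[:200]!r}")
    payload = json.loads(body)
    if "data" not in payload:
        raise RuntimeError(payload.get("message", "unexpected API response"))
    return list(payload["data"].get("affected_items", [])), list(payload["data"].get("failed_items", []))


def make_fake_manager(active: List[str], inactive: List[str],
                      token: str = "fake.jwt.token") -> HttpFn:
    """Constructed stand-in for a manager (not a real server). IDs in `active`
    accept the scan; IDs in `inactive` are reported in failed_items."""
    def http(method, url, headers, body):
        parts = urllib.parse.urlparse(url)
        auth = headers.get("Authorization", "")
        if method == "POST" and parts.path == "/security/user/authenticate":
            return (200, token.encode()) if auth.startswith("Basic ") else (401, b"")
        if auth != f"Bearer {token}":
            return 401, b'{"title": "Unauthorized", "detail": "Invalid token"}'
        if method == "PUT" and parts.path == "/syscheck":
            query = urllib.parse.parse_qs(parts.query)
            wanted = query["agents_list"][0].split(",") if "agents_list" in query else active + inactive
            ok = [a for a in wanted if a in active]
            bad = [{"error": {"message": "Agent is not active"}, "id": [a]}
                   for a in wanted if a not in active]
            error = 0 if not bad else (1 if not ok else 2)  # 0 all ok, 1 all failed, 2 partial
            env = {"data": {"affected_items": ok, "total_affected_items": len(ok),
                            "failed_items": bad, "total_failed_items": len(bad)},
                   "message": "Restarting Syscheck on agents", "error": error}
            return 200, json.dumps(env).encode()
        return 404, b'{"title": "Not Found"}'
    return http


if __name__ == "__main__":
    fake = make_fake_manager(active=["001", "002"], inactive=["003"])  # constructed
    base = "https://manager.example:55000"  # assumed host, default API port
    jwt = get_token(base, "wazuh", "wazuh", http=fake)
    scanned, failed = run_syscheck_scan(base, jwt, http=fake)  # same as PUT /syscheck
    print("scan requested on:", scanned)
    for item in failed:
        print("not scanned:", item["id"], "-", item["error"]["message"])
```

Against a real manager, drop the `http=fake` arguments (and pass `make_urllib_http(cafile=...)` if the manager uses a private CA); the call with `agents=[...]` is the scripted equivalent of `PUT /syscheck?agents_list=001,002` in the console.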

fumiya yagi

May 16, 2023, 2:45:07 AM
to Wazuh mailing list
Thank you for your response.
It is helpful to know that the baseline can be updated by using the Wazuh-API.

You mentioned that it cannot be updated with the agent running, does this API internally restart the agent or the syscheck process?
In other words, does it work almost the same as restarting the agent?

On Thursday, May 11, 2023 at 0:25:06 UTC+9 Gonzalo Jimeno Fernandez wrote:

Gonzalo Jimeno Fernandez

May 16, 2023, 8:33:08 AM
to Wazuh mailing list
Hello Fumiya Yagi,

Indeed, what I meant is that the wazuh-agent FIM database can only be updated if it is connected and running (since the FIM scan cannot be run while the agent is disconnected). And no, the API does not restart the agent or the syscheckd process (which manages FIM); it simply sends a command to the corresponding socket to start the task.

fumiya yagi

May 17, 2023, 11:36:06 PM
to Wazuh mailing list
Thanks for the answer.

I understood it to mean that it only works when the agent is running. That is helpful.


This is a different question, but when using real-time monitoring, does it also update the baseline of newly added or changed files in real-time?
I was wondering about the specs because when I tested the behavior, it was detecting changes in newly created files without having to re-scan, etc.

Since we are using real-time monitoring in our project, we are investigating the need to manually update the baseline.

On Tuesday, May 16, 2023 at 21:33:08 UTC+9 Gonzalo Jimeno Fernandez wrote: