Real Time Monitoring - User Profile Directories


Logan Simmons

Jan 13, 2022, 2:33:50 PM
to Wazuh mailing list
Hey all!

I wanted to configure Real Time Monitoring for user directories. I have a test environment of about 70 or so devices all with different users. Windows machines.

Is there a way to specify C:\Users\(username)\Desktop without specifying each user in the agent.conf file?

I know it does not support wildcard entries, but was just wondering if there was another way.

New to Wazuh so I apologize for any incompetency in my discussions. Can provide any configs if it will help.

Thanks!

Camila Salome Romero

Jan 14, 2022, 10:07:57 AM
to Wazuh mailing list
Hi Isimmo! I hope you are well!

Yes, you can do it. Check this example:

I created one folder called test that contains 3 folders called testdir1, testdir2, and testdir3.

And in the configuration file:

<syscheck>
  <disabled>no</disabled>
  <directories>c:\test\*</directories>
</syscheck>

[image: logs.png]
So, as you can note in the logs, this way all the folders inside test will be monitored by FIM.

So, in your case maybe you can try to use C:\Users\*(username)\Desktop

I hope this helps you!

Regards, Camila!

Logan Simmons

Jan 14, 2022, 10:59:30 AM
to Wazuh mailing list
Thank you for the reply!

Just to confirm, if I use "*" in my config, will it read it as "anything within that directory"?
(e.g. C:\Users\*\Desktop), with "*" being any directory within Users that also has "Desktop" within it?

I hope that makes sense. Thank you again!

Camila Salome Romero

Jan 14, 2022, 8:12:39 PM
to Wazuh mailing list
Hi Isimmo!

I apologize, the answer I gave you works as of Wazuh 4.3.

I'm going to investigate the subject and I'll come back to give you a valid answer for previous versions.

Regards, Camila!

Camila Salome Romero

Jan 17, 2022, 2:40:28 PM
to Wazuh mailing list
Hi Isimmo!

After some research, it seems that Wazuh currently does not support wildcards on FIM. However, this will be available starting with version 4.3.0. You can see more about it here:
Meanwhile, you can write the directories comma-separated or in multiple lines as seen here. I hope this has been helpful and thanks for using Wazuh!


Regards, Camila!
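For Wazuh versions before 4.3.0, where the `C:\Users\*\Desktop` wildcard from the first reply is not expanded, the workaround from the last reply is to list each Desktop path explicitly, one `<directories>` element per line. The script below is an added example, not code from the thread or from the Wazuh project: it discovers the profile folders under a Users root on the agent and emits a `<syscheck>` block with `realtime="yes"` on each path (the attribute that turns on real-time monitoring in syscheck). The skip list of built-in profiles and the choice to write one element per path instead of a comma-separated list (so a username containing a comma cannot split a path) are assumptions of this example.

```python
"""Generate an explicit Wazuh syscheck (FIM) block for every user's Desktop.

Wazuh releases before 4.3.0 do not expand wildcards such as C:\\Users\\*\\Desktop,
so each path must be listed. This example (not Wazuh's own code) enumerates the
profile folders under a Users root and emits one <directories> element per path.
"""
import os
import sys
from xml.sax.saxutils import escape

# Profile folders present on every Windows host that hold no interactive user
# data. Assumption of this example: adjust the set for your environment.
DEFAULT_SKIP = frozenset({"Public", "Default", "Default User", "All Users"})


def discover_profiles(users_root, skip=DEFAULT_SKIP):
    """Return the names of profile directories directly under users_root.

    Only directories count; files such as desktop.ini are ignored, and names
    in ``skip`` are left out. The result is sorted so the output is stable.
    """
    names = []
    for name in sorted(os.listdir(users_root)):
        if name in skip:
            continue
        if os.path.isdir(os.path.join(users_root, name)):
            names.append(name)
    return names


def desktop_paths(profiles, users_root=r"C:\Users", subdir="Desktop"):
    """Build the Windows path of ``subdir`` inside each profile folder."""
    return [f"{users_root}\\{profile}\\{subdir}" for profile in profiles]


def build_syscheck_block(paths, realtime=True, indent="  "):
    """Render a <syscheck> block with one <directories> element per path.

    One element per path (the "multiple lines" form mentioned in the thread)
    avoids ambiguity if a path ever contains a comma. Values are XML-escaped.
    """
    attrs = ' realtime="yes"' if realtime else ""
    lines = ["<syscheck>", f"{indent}<disabled>no</disabled>"]
    for path in paths:
        lines.append(f"{indent}<directories{attrs}>{escape(path)}</directories>")
    lines.append("</syscheck>")
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: python gen_fim_block.py [users_root]   (defaults to C:\Users)
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Users"
    profiles = discover_profiles(root)
    print(build_syscheck_block(desktop_paths(profiles, users_root=root)))
```

Run it on the agent and paste the output into the agent's local configuration; because the list is host-specific, it belongs in the per-agent ossec.conf rather than in a shared agent.conf group file, and it has to be regenerated when profiles are added or removed (which is exactly the gap the 4.3 wildcard support closes).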