Issue with FIM Configuration Not Reflecting on Agents for Custom Groups

[Chandra pal singh Chauhan]

Hello Team,

I hope you are doing well.

Recently, I configured several FIM (File Integrity Monitoring) settings on the server side by creating custom groups. Initially, everything was working as expected. However, I am now observing that no events are being generated from the configured FIM monitoring directories.

I also noticed that when I add configurations to the default group, they are correctly reflected on the agent side (agent.conf)  . However, configurations applied through custom groups are not being reflected on the agents.

Could you please assist me in identifying the root cause of this issue and guide me on how to resolve it?

Regards

Chandra

[Samson Olugbenga Idowu]

Hello Chandra,

If an agent belongs to multiple groups, Wazuh will merge the agent.conf files from all of them. You should check for agents in multiple groups with conflicting configurations.
You can validate the agent.conf configuration using the following command:

/var/ossec/bin/verify-agent-conf -f /var/ossec/etc/shared/<CUSTOM_GROUP>/agent.conf

Also, check the /var/ossec/logs/ossec.log for Wazuh manager error logs.

Do share the output of the command with me, and let me know if this provides insights to find the issue.

[Chandra pal singh Chauhan]

Hello  Samson,

Thank you for the response

1. output for /var/ossec/bin/verify-agent-conf -f /var/ossec/etc/shared/<CUSTOM_GROUP>/agent.conf

2.  /var/ossec/logs/ossec.log

Attached txt doc.

if you need anything please ask me.

regards,

chandra

[Samson Olugbenga Idowu]

Hello Chandra,

I do not see anything related to the shared configuration in your ossec.log file.
Please share your agent.conf file.

[Chandra pal singh Chauhan]

Hello Samson

Now i have attached the default agent.conf file and custom agent.conf file also.

Regards,

Chandra

[Samson Olugbenga Idowu]

Hello,

Your configuration appears to be just fine.

To further troubleshoot the issue, please confirm that the Wazuh Manager correctly recognizes the agent as part of the custom group and that it is synchronized:
Run  /var/ossec/bin/agent_groups -S -i <AGENT_ID>  on the Wazuh manager node.

Also, check the merged.md files on the agent nodes, as Wazuh merges local configs with centralized configs from the manager.  If this file is missing or has not been updated recently, then the agent is not recieving group updates from the manager.  

• Linux: /var/ossec/etc/shared/merged.mg
• Windows: C:\Program Files (x86)\ossec-agent\shared\merged.mg

You should also restart the Wazuh manager server to force the shared configuration ot the agent nodes. Also, restart the Wazuh agent nodes.

Do let me know if this helps or if you need further assistance.

[Chandra pal singh Chauhan]

Hello Samson,

I have attached the required screenshots—please review them.

Additionally, I configured FIM manually on the agent side. Initially, the events were visible on the dashboard, but after two days, the FIM events stopped appearing in Wazuh.

Could you please guide me on whether any further troubleshooting is required?