No file integrity monitoring events after file change (Windows)


ALEX bockel

Jun 9, 2022, 5:06:05 AM6/9/22
to Wazuh mailing list
Hi Everyone,

I've been setting up FIM successfully on my Linux hosts; now I am trying to do the same for my Windows host, but it's not working as expected.

I currently have the following in the syscheck portion of ossec.conf:

<directories check_all="yes" realtime="yes" report_changes="yes">D:\XXX</directories>

In there is one file, "xxx.txt". This file also shows up in my Wazuh dashboard in the integrity monitoring inventory. Whenever I change my file I can see the checksum changing.

Why is the checksum change not being reported in my FIM: recent events?

As far as I can see, the debugging does not show anything out of the ordinary; with my Linux host this worked as soon as I configured the rule.

Thanks!


moosemaimer

Jun 9, 2022, 8:44:29 AM6/9/22
to Wazuh mailing list
Try using "whodata" instead of "realtime". You will have to set the audit permissions:

alex.vanb...@idemia.com

Jun 9, 2022, 10:05:11 AM6/9/22
to Wazuh mailing list
Thanks for replying. I'll have to see how to set these policies; I don't want huge volumes of data on the host itself :)

It's odd: I can see the md5sum changing almost in real time in Wazuh, but it doesn't report on this, so to have this functionality it HAS to use Windows SACLs to identify this...
Interestingly, I've tried to use scheduled scans and this didn't seem to work either (I put the frequency on 300), so I am not completely sure that whodata is the answer.
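The "audit permissions" moosemaimer refers to are the Windows pieces that who-data FIM depends on: the "File System" object-access audit subcategory has to be enabled, and the monitored folder has to carry a SACL so that Windows writes a 4663 event for each change. The script below is an added example written for this thread, not code from the original posts or from the Wazuh project. It assumes the monitored path is D:\XXX and the file is xxx.txt as in the original post, an elevated PowerShell prompt, and that the agent has been switched to whodata as shown in the comment; the manual SACL rule is a hand-check fallback, since Wazuh documents that the agent manages SACLs for whodata directories itself.

```powershell
# Added example (not from the thread or from Wazuh): verify the Windows audit plumbing that
# whodata-based FIM needs. Assumes the path from the original post and an elevated prompt.
#
# Corresponding syscheck line in ossec.conf (whodata replaces realtime; the agent restart is
# still required afterwards):
#   <directories check_all="yes" whodata="yes" report_changes="yes">D:\XXX</directories>

$Path = 'D:\XXX'
$File = Join-Path $Path 'xxx.txt'

# 1. Enable the "File System" object-access audit subcategory. Without it no 4663 event is
#    written no matter what SACL the folder carries, and the agent has nothing to correlate.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /get /subcategory:"File System"

# 2. Read the folder's SACL. Get-Acl returns audit rules only when -Audit is given.
$acl = Get-Acl -Path $Path -Audit
$acl.Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize

# 3. Fallback for a hand check: if the folder has no audit rule at all, add one for Everyone
#    covering write/delete/permission changes, success and failure, inherited by children.
if (-not $acl.Audit) {
    $rights      = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagation = [System.Security.AccessControl.PropagationFlags]::None
    $flags       = [System.Security.AccessControl.AuditFlags]'Success, Failure'
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new('Everyone', $rights, $inheritance, $propagation, $flags)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl   # needs SeSecurityPrivilege, i.e. an elevated shell
}

# 4. Touch the file and confirm that Windows itself logs the access (event 4663). This check is
#    independent of the agent: if nothing appears here, the agent cannot see the change either,
#    and the problem is the audit configuration rather than ossec.conf.
Add-Content -Path $File -Value "fim test $(Get-Date -Format o)"
Start-Sleep -Seconds 2
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddMinutes(-5) } -MaxEvents 50 |
    Where-Object { $_.Message -match [regex]::Escape($File) } |
    Select-Object TimeCreated, Id, @{ Name = 'Subject'; Expression = { ($_.Message -split "`n")[0].Trim() } }
```

If step 4 shows 4663 events for xxx.txt but the Wazuh dashboard still shows no FIM event, the remaining suspects are on the agent side (whodata not actually active in the running configuration, or the agent not restarted after the change); if step 4 shows nothing, the audit policy or SACL is the problem and no syscheck setting will help.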