Wazuh FIM not capturing changes


alankrit shrivastava

May 6, 2024, 8:27:59 AM5/6/24
to Wazuh | Mailing List
Hello,

I'm encountering an issue with Wazuh not detecting file changes within the C:\program files (x86) directory and its subfolders. Additionally, Wazuh seems to be generating alerts for unchanged files from 2013. Can you help in fine-tuning Wazuh FIM?

Gabriel Emanuel Valenzuela

May 6, 2024, 11:06:33 AM5/6/24
to Wazuh | Mailing List
Hi alankrit! How are you?

What version of Wazuh do you have installed? The scan of 32-bit folders, such as system32 or program files (x86), was added in version 4.6.x; before this version the scan was not possible.

Please could you explain to me what the issue is with `Wazuh seems to be generating alerts for unchanged files from 2013`? I apologize, but I don't fully understand.

Nice day and a good week start!

alankrit shrivastava

May 23, 2024, 6:37:15 AM5/23/24
to Wazuh | Mailing List
Hello Gabriel,

I have installed Wazuh 4.7.2, and there is one file which was created in 2013, but Wazuh is continuously showing that a user is changing that file on a daily basis. But when I logged in to the system and went to the path where the file was present, I saw that the file has not been changed since 2013.

Regards,
Alankrit

Gabriel Emanuel Valenzuela

May 23, 2024, 11:54:40 AM5/23/24
to Wazuh | Mailing List
Let me do a little research and I'll be back as soon as possible!

Nice day!

Gabriel Emanuel Valenzuela

May 28, 2024, 8:31:54 PM5/28/24
to Wazuh | Mailing List
Hi Alankrit! How are you?

I recently got back from my PTO, so I apologize for the delay.

We might want to consider either discarding the error messages or performing a cleanup in the database located at `C:\Program Files (x86)\ossec-agent\queue\fim\db`. Here's what you need to do:

1. Stop the agent service.
2. Delete or move the files located in the above directory.
3. Start the agent service.

The agent will recreate those files when it starts. Please note that on the first execution after this cleanup, the agent might not report any FIM alerts (because you cleared the database where it stored previous data). However, it will start reporting on the next syscheck execution.

I hope this helps! Let me know if you need further assistance.

Best regards,  
Gabriel
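The three-step cleanup above, scripted as an added example (this is not code from the thread or from the Wazuh project). It moves the FIM database files to a timestamped backup folder instead of deleting them, so they can be restored if the cleanup turns out to be the wrong call, and it waits for the service to actually stop before touching the files, since the agent may still hold them open. Assumptions, labelled in the comments: the Windows service name is `WazuhSvc` (confirm with `Get-Service` on your host) and the agent is installed at the default path quoted in the thread. Run it from an elevated PowerShell prompt.

```powershell
# Added example: automate the FIM database cleanup described in the thread.
# ASSUMPTION: the agent's Windows service is named 'WazuhSvc'. Verify with:
#   Get-Service | Where-Object { $_.DisplayName -like '*Wazuh*' }
$ServiceName = 'WazuhSvc'
# Path taken from the thread (default agent install location).
$FimDbDir    = 'C:\Program Files (x86)\ossec-agent\queue\fim\db'
# Backup location is a constructed choice; any writable folder works.
$BackupDir   = Join-Path $env:TEMP ('wazuh-fim-db-backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))

$svc = Get-Service -Name $ServiceName -ErrorAction Stop

# 1. Stop the agent service and wait until it has really stopped;
#    otherwise the database files may still be locked by the agent process.
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $ServiceName -ErrorAction Stop
    $svc.WaitForStatus('Stopped', (New-TimeSpan -Seconds 60))
}

# 2. Move (rather than delete) the FIM database files so they can be restored
#    if needed. The agent rebuilds them on its next start.
if (Test-Path -Path $FimDbDir) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    Get-ChildItem -Path $FimDbDir -File | Move-Item -Destination $BackupDir
    Write-Host "Moved FIM database files from '$FimDbDir' to '$BackupDir'"
} else {
    Write-Warning "FIM database directory not found: $FimDbDir"
}

# 3. Start the agent service again. The first syscheck run after this rebuilds
#    the baseline, so FIM alerts are expected only from the following run onward.
Start-Service -Name $ServiceName -ErrorAction Stop
$svc.WaitForStatus('Running', (New-TimeSpan -Seconds 60))
Write-Host "Service '$ServiceName' is running; the FIM baseline will be rebuilt on the next scan."
```

If the 2013 file keeps alerting after the rebuilt baseline, the backup folder gives you the old database to compare against, which is more useful for a root-cause look than a plain delete.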