How to filter FIM


Emar Flix

Mar 14, 2026, 4:24:11 PM
to Wazuh | Mailing List
Hello,

I want to monitor only .docx and .txt files on all users' Desktop, Documents and Downloads directories. 

Now I can monitor all users' Desktop, Downloads and Documents folders, but there are too many files being created, modified, deleted and so on. But I want to monitor only docx and txt files.

Thanks. 

hasitha.u...@wazuh.com

Mar 15, 2026, 2:18:29 AM
to Wazuh | Mailing List
Hi Emar,

Please allow me some time; I’m currently looking into this and will get back to you with an update as soon as possible.

hasitha.u...@wazuh.com

Mar 15, 2026, 3:12:20 AM
to Wazuh | Mailing List
Hi Emar,

I have tested and verified that you can use the restrict option to monitor a specific file type using sregex. Basically, you can use restrict=".docx$|.txt$" in your directory tag like below.

  <directories realtime="yes" restrict=".docx$|.txt$">C:\Users\*\Desktop</directories>
  <directories realtime="yes" restrict=".docx$|.txt$">C:\Users\*\Documents</directories>
  <directories realtime="yes" restrict=".docx$|.txt$">C:\Users\*\Downloads</directories>

This example monitors real-time file changes for all users (the * mark is used to define any user).

You can add the above configuration to the ossec.conf file between the syscheck code block.

After configuring, make sure to restart the agent to apply changes.

  Restart-Service -Name wazuh

For more details, you can refer to our official guide.

Let me know the update on this so we can assist further.
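
To check which paths a restrict value lets through before deploying it, here is an added example (not part of the original reply and not Wazuh's own code) that models sregex matching. It assumes only ^, $ and | are special and every other character, including ".", is literal; the user names and file names are constructed.

```python
# Added example: a simplified model of sregex matching, not Wazuh's implementation.
# Assumption: only ^, $ and | are special; every other character is literal.
# Case handling is not modelled; the sample paths use lower-case extensions.

RESTRICT = ".docx$|.txt$"  # value from the reply above


def sregex_match(pattern: str, text: str) -> bool:
    """Return True if any |-separated alternative of pattern matches text."""
    for alt in pattern.split("|"):
        if not alt:
            continue
        at_start = alt.startswith("^")
        at_end = alt.endswith("$")
        literal = alt[1:] if at_start else alt
        literal = literal[:-1] if at_end else literal
        if at_start and at_end:
            hit = text == literal           # whole string must equal the literal
        elif at_start:
            hit = text.startswith(literal)
        elif at_end:
            hit = text.endswith(literal)
        else:
            hit = literal in text           # unanchored: plain substring search
        if hit:
            return True
    return False


def filter_paths(paths, pattern=RESTRICT):
    """Keep only the paths the restrict pattern would let through."""
    return [p for p in paths if sregex_match(pattern, p)]


# Constructed sample paths (hypothetical users and file names).
SAMPLE_PATHS = [
    r"C:\Users\alice\Desktop\budget.docx",
    r"C:\Users\alice\Desktop\~$budget.docx",     # Word lock-file style name, still ends in .docx
    r"C:\Users\bob\Documents\notes.txt",
    r"C:\Users\bob\Documents\notes.txt.bak",     # ends in .bak
    r"C:\Users\bob\Downloads\invoice.docx.exe",  # double extension, ends in .exe
    r"C:\Users\carol\Downloads\readme_txt",      # no literal ".txt"
    r"C:\Users\carol\Desktop\old.doc",
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print("MONITORED" if sregex_match(RESTRICT, path) else "ignored  ", path)
```

Because both alternatives are anchored with $, double-extension names and backup copies fall outside the filter, while temporary files that keep the .docx suffix still generate events.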

Emar Flix

6:12 AM
to Wazuh | Mailing List
Thank you very much, Hasita. It helps me too much.


hasitha.u...@wazuh.com wrote on Sunday, March 15, 2026, 11:12:20 UTC+4: