FIM alerts


Jonathan kuruppu

Nov 26, 2025, 9:48:05 AM (5 days ago) Nov 26
to Wazuh | Mailing List
I have a case where FIM real-time monitoring is sending events to the archive logs as follows:

{
  "_index": "wazuh-archives-4.x-2025.11.24",
  "_id": "in7ttJoBV9uItQE_2lqw",
  "_version": 1,
  "_score": null,
  "_source": {
    "cluster": { "node": "master-node", "name": "wazuh" },
    "syscheck": {
      "uname_after": "root",
      "mtime_after": "2025-11-24T13:44:36",
      "size_after": "0",
      "gid_after": "0",
      "mode": "realtime",
      "path": "/etc/test123",
      "sha1_after": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
      "gname_after": "root",
      "uid_after": "0",
      "perm_after": "rw-r--r--",
      "event": "added",
      "md5_after": "d41d8cd98f00b204e9800998ecf8427e",
      "sha256_after": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
      "inode_after": 1575853
    },
    "agent": { "ip": "***********", "name": "Kali-Jonathan", "id": "021" },
    "manager": { "name": "wazuh-master" },
    "decoder": { "name": "syscheck_new_entry" },
    "full_log": "File '/etc/test123' added\nMode: realtime\n",
    "input": { "type": "log" },
    "@timestamp": "2025-11-24T08:14:36.096Z",
    "location": "syscheck",
    "id": "1763972076.7463486",
    "timestamp": "2025-11-24T13:44:36.096+0530"
  },
  "fields": {
    "syscheck.mtime_after": [ "2025-11-24T13:44:36.000Z" ],
    "timestamp": [ "2025-11-24T08:14:36.096Z" ],
    "@timestamp": [ "2025-11-24T08:14:36.096Z" ]
  },
  "highlight": {
    "decoder.name": [ "@opensearch-dashboards-highlighted-field@syscheck_new_entry@/opensearch-dashboards-highlighted-field@" ],
    "agent.name": [ "@opensearch-dashboards-highlighted-field@Kali-Jonathan@/opensearch-dashboards-highlighted-field@" ],
    "syscheck.path": [ "@opensearch-dashboards-highlighted-field@/etc/test123@/opensearch-dashboards-highlighted-field@" ]
  },
  "sort": [ 1763972076096 ]
}

The issue is that there are no events/alerts. I was under the impression that there would be default rules in place for file creation/modification/deletion on Linux.

Chukwudalu Chisimdi Okonkwo

Nov 26, 2025, 10:56:50 AM (5 days ago) Nov 26
to Wazuh | Mailing List
Hello, 

Does this output come from the Wazuh GUI under the wazuh-archives-* index and not from the archives.json file? If yes, kindly run a grep against the alerts.json file and confirm whether these logs also exist there:

cat /var/ossec/logs/alerts/alerts.json | grep -i "/etc/test123"

You can also try making a change in another test directory and validate whether there is a rule alert for it, as it ought to trigger an alert by default.

Do let me know what you find.
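The grep above only tells you whether the path string appears in alerts.json. What distinguishes an archived-only event from an alert is the presence of a "rule" object: the archived event in the first post has a decoder (syscheck_new_entry) but no rule, which means the manager decoded it and no rule matched. The following script is an added example written for this thread, not Wazuh's own code. It reads the two NDJSON files, selects the syscheck events for a path, and classifies them as alerted, matched by a rule but below the alert threshold, archived with no rule, or not seen. The sample lines are constructed: the first archive line is trimmed from the posted event, rule 554 ("File added to the system.", level 5) is Wazuh's default rule for new files, and rule 999999 is a hypothetical custom rule whose level is below the default log_alert_level of 3. The file locations under /var/ossec/logs are the stock ones; archives.json only exists when logall_json is enabled.

```python
"""Added example (not Wazuh project code): classify FIM (syscheck) events for a
path as alerted, archived-only, or unseen by reading Wazuh's NDJSON logs."""
import json
import sys

# Constructed sample data. Archive line 1 is the _source of the event posted in
# the thread (agent IP masked as in the post, some fields trimmed). Rule 554 is
# Wazuh's default "File added to the system." rule; rule 999999 is a
# hypothetical custom rule whose level (2) is below the default log_alert_level
# (3), so it is archived but never written to alerts.json.
SAMPLE_ARCHIVES = """\
{"timestamp":"2025-11-24T13:44:36.096+0530","location":"syscheck","decoder":{"name":"syscheck_new_entry"},"agent":{"id":"021","name":"Kali-Jonathan","ip":"***********"},"syscheck":{"path":"/etc/test123","mode":"realtime","event":"added","size_after":"0","perm_after":"rw-r--r--","sha256_after":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},"full_log":"File '/etc/test123' added\\nMode: realtime\\n"}
{"timestamp":"2025-11-24T13:50:00.000+0530","location":"syscheck","decoder":{"name":"syscheck_new_entry"},"agent":{"id":"021","name":"Kali-Jonathan"},"rule":{"id":"554","level":5,"description":"File added to the system."},"syscheck":{"path":"/etc/test456","mode":"realtime","event":"added"}}
{"timestamp":"2025-11-24T13:51:00.000+0530","location":"syscheck","decoder":{"name":"syscheck_new_entry"},"agent":{"id":"021","name":"Kali-Jonathan"},"rule":{"id":"999999","level":2,"description":"hypothetical low-level rule"},"syscheck":{"path":"/tmp/low.txt","mode":"realtime","event":"added"}}
"""
SAMPLE_ALERTS = """\
{"timestamp":"2025-11-24T13:50:00.000+0530","location":"syscheck","decoder":{"name":"syscheck_new_entry"},"agent":{"id":"021","name":"Kali-Jonathan"},"rule":{"id":"554","level":5,"description":"File added to the system."},"syscheck":{"path":"/etc/test456","mode":"realtime","event":"added"}}
"""

ARCHIVES_JSON = "/var/ossec/logs/archives/archives.json"
ALERTS_JSON = "/var/ossec/logs/alerts/alerts.json"


def load_ndjson(text):
    """Parse one JSON object per line; skip blank and malformed lines."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError as exc:
            print(f"line {lineno}: skipped ({exc})", file=sys.stderr)
    return events


def fim_events(events, path=None):
    """Keep syscheck events, optionally only those for one monitored path."""
    out = []
    for event in events:
        syscheck = event.get("syscheck")
        if event.get("location") != "syscheck" or not isinstance(syscheck, dict):
            continue
        if path is None or syscheck.get("path") == path:
            out.append(event)
    return out


def summarize(event):
    """Flatten the fields a triage needs; rule_id/level are None if no rule matched."""
    syscheck = event["syscheck"]
    rule = event.get("rule") or {}
    return {
        "path": syscheck.get("path"),
        "change": syscheck.get("event"),
        "mode": syscheck.get("mode"),
        "agent": event.get("agent", {}).get("name"),
        "rule_id": rule.get("id"),
        "level": rule.get("level"),
    }


def diagnose(archive_events, alert_events, path):
    """Decide why a path shows up in archives but not in alerts (or not at all)."""
    archived = fim_events(archive_events, path)
    alerted = fim_events(alert_events, path)
    if alerted:
        verdict = "alerted"
    elif any(e.get("rule") for e in archived):
        # A rule matched, but its level is below <log_alert_level> in ossec.conf.
        verdict = "archived_rule_below_threshold"
    elif archived:
        # Decoded by syscheck_new_entry (or similar) but no rule fired at all.
        verdict = "archived_no_rule"
    else:
        verdict = "not_seen"
    return {"path": path, "verdict": verdict,
            "archived": [summarize(e) for e in archived],
            "alerted": [summarize(e) for e in alerted]}


def read_or_empty(filename):
    """archives.json is absent unless <logall_json>yes</logall_json> is set."""
    try:
        with open(filename, encoding="utf-8") as fh:
            return fh.read()
    except FileNotFoundError:
        print(f"{filename}: not found (archives need logall_json=yes)", file=sys.stderr)
        return ""


if __name__ == "__main__":
    # Usage on a manager: python3 fim_check.py /etc/test123
    # With no argument, runs against the constructed samples instead.
    if len(sys.argv) == 2:
        archives, alerts = read_or_empty(ARCHIVES_JSON), read_or_empty(ALERTS_JSON)
        target = sys.argv[1]
    else:
        archives, alerts, target = SAMPLE_ARCHIVES, SAMPLE_ALERTS, "/etc/test123"
    print(json.dumps(diagnose(load_ndjson(archives), load_ndjson(alerts), target), indent=2))
```

For the posted event the verdict is archived_no_rule, which points at the ruleset on the manager rather than at the agent or the indexer. A verdict of archived_rule_below_threshold instead points at log_alert_level, and not_seen means the event never reached the manager's log files at all.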

Jonathan kuruppu

Nov 27, 2025, 5:21:39 AM (4 days ago) Nov 27
to Wazuh | Mailing List
Hi,

There doesn't seem to be anything in alerts.json:

root@wazuh-master:~# cat /var/ossec/logs/alerts/alerts.json | grep -i "/etc/test123"
root@wazuh-master:~#

I've also tried different directories and files, and there are still no such events.

Matías Mercado

Nov 28, 2025, 5:31:58 PM (3 days ago) Nov 28
to Wazuh | Mailing List
Jonathan,
To archive the logs, you need to enable archiving by following this guide: https://documentation.wazuh.com/current/cloud-service/archive-data/configuration.html (logall_json yes)
The alert you are sharing, as the first lines indicate, is being indexed in: wazuh-archives-4.x-2025.11.24

The default index for saving alerts is wazuh-alerts-*, not wazuh-archives-*. I think that index is custom-made, since by default it is not created by Wazuh. If that is the case, then you will need to review your Filebeat configuration (the template, to be precise).
Could you please share with us which version of Wazuh you are running? You can get that information by clicking here:
(screenshot: 2025-11-28_19-31.png)

Also, could you please share your FIM configuration with us?

Regards,
Matías.