Maximum File Size Issue


Prajapati Hitesh

Jan 9, 2023, 7:04:18 AM
to Wazuh mailing list
Hi,

I am getting a maximum file size error, as below, in the agent log file. I am using a Wazuh 4.0 server and installed agent version 4.0.0 on the client machine. I have enabled shared agent and am monitoring the files below in real time.

<!-- Custom files to be monitored. -->
        <directories check_all="yes" realtime="yes" whodata="yes">C:\temp</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%windir%</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%ProgramFiles%</directories>
        <directories check_all="yes" realtime="yes" whodata="yes">%ProgramFiles(x86)%</directories>

Error log in client log file:

2023/01/09 05:26:34 ossec-agent: INFO: (6003): Monitoring directory/file: 'c:\program files (x86)', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | whodata'.
2023/01/09 05:26:34 ossec-agent: INFO: (6040): Maximum file size limit to generate diff information configured to '51200 KB' for 'c:\program files (x86)'.
2023/01/09 05:26:34 ossec-agent: INFO: (6003): Monitoring directory/file: 'c:\programdata\microsoft\windows\start menu\programs\startup', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | realtime'.
2023/01/09 05:26:34 ossec-agent: INFO: (6040): Maximum file size limit to generate diff information configured to '51200 KB' for 'c:\programdata\microsoft\windows\start menu\programs\startup'.
2023/01/09 05:26:34 ossec-agent: INFO: (6003): Monitoring directory/file: 'c:\temp', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | whodata'.
2023/01/09 05:26:34 ossec-agent: INFO: (6040): Maximum file size limit to generate diff information configured to '51200 KB' for 'c:\temp'.
2023/01/09 05:26:34 ossec-agent: INFO: (6003): Monitoring directory/file: 'c:\windows', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | whodata'.
2023/01/09 05:26:34 ossec-agent: INFO: (6040): Maximum file size limit to generate diff information configured to '51200 KB' for 'c:\windows'.
2023/01/09 05:26:34 ossec-agent: INFO: (6003): Monitoring directory/file: 'c:\windows\sysnative', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2023/01/09 05:26:34 ossec-agent: INFO: Started (pid: 1580).
2023/01/09 05:26:35 ossec-agent: INFO: (6040): Maximum file size limit to generate diff information configured to '51200 KB' for 'c:\windows\sysnative'.
2023/01/09 05:26:35 ossec-agent: INFO: (6003): Monitoring directory/file: 'c:\windows\sysnative\drivers\etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2023/01/09 05:26:35 ossec-agent: INFO: (6040): Maximum file size limit to generate diff information configured to '51200 KB' for 'c:\windows\sysnative\drivers\etc'.
2023/01/09 05:26:35 ossec-agent: INFO: (6003): Monitoring directory/file: 'c:\windows\sysnative\wbem', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2023/01/09 05:26:35 ossec-agent: INFO: (6040): Maximum file size limit to generate diff information configured to '51200 KB' for 'c:\windows\sysnative\wbem'.
2023/01/09 05:26:35 ossec-agent: INFO: (6003): Monitoring directory/file: 'c:\windows\sysnative\windowspowershell\v1.0', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2023/01/09 05:26:35 ossec-agent: INFO: (6040): Maximum file size limit to generate diff information configured to '51200 KB' for 'c:\windows\sysnative\windowspowershell\v1.0'.
2023/01/09 05:26:35 ossec-agent: INFO: (6003): Monitoring directory/file: 'c:\windows\system32', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2023/01/09 05:26:35 ossec-agent: INFO: (6040): Maximum file size limit to generate diff information configured to '51200 KB' for 'c:\windows\system32'.
2023/01/09 05:26:35 ossec-agent: INFO: (6003): Monitoring directory/file: 'c:\windows\system32\drivers\etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2023/01/09 05:26:35 ossec-agent: INFO: (6040): Maximum file size limit to generate diff information configured to '51200 KB' for 'c:\windows\system32\drivers\etc'.
2023/01/09 05:26:35 ossec-agent: INFO: (6003): Monitoring directory/file: 'c:\windows\system32\wbem', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2023/01/09 05:26:35 ossec-agent: INFO: (6040): Maximum file size limit to generate diff information configured to '51200 KB' for 'c:\windows\system32\wbem'.
2023/01/09 05:26:35 ossec-agent: INFO: (6003): Monitoring directory/file: 'c:\windows\system32\windowspowershell\v1.0', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2023/01/09 05:26:35 ossec-agent: INFO: (6040): Maximum file size limit to generate diff information configured to '51200 KB' for 'c:\windows\system32\windowspowershell\v1.0'.
2023/01/09 05:26:35 ossec-agent: INFO: (6041): Maximum disk quota size limit configured to '1048576 KB'.


Please help to resolve this issue. 

Carlos Dams

Jan 9, 2023, 8:14:41 AM
to Wazuh mailing list
Hi Prajapati,
Thanks for using Wazuh!

The "Maximum file size limit to generate diff information configured to '51200 KB'" is not an error; it has INFO level and comes from the diff_size_limit, even if it is not specified in the configuration, as in the screenshot I attached below:
diif_size_limit.jpg
In newer releases of Wazuh you will get that message only on debug mode.
You can find more information about the properties of syscheck for your version here

Also, checking your configuration, whodata implies real-time monitoring but adds the who-data information; therefore, it is not necessary to have realtime="yes" if you are already using whodata="yes".

Also, consider updating your Wazuh server installation and Wazuh Agent at least to 4.0.4 if updating to the latest release is not an option.

Have you noticed an issue with the FIM module?

I hope you find this information useful.
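
Added example, not part of the original thread: a small triage script for agent log lines in the format quoted above. It separates lines that are real problems (WARNING or higher) from INFO lines such as 6040 and 6041, and reports which monitoring mode each directory ended up with. The sample log is constructed, and its ERROR line is invented for the demonstration.

```python
import re

# Constructed sample in the agent log format quoted in this thread.
# The ERROR line is invented for the demonstration; it is not a real Wazuh message.
SAMPLE_LOG = r"""
2023/01/09 05:26:34 ossec-agent: INFO: (6003): Monitoring directory/file: 'c:\temp', with options 'size | permissions | hash_sha256 | whodata'.
2023/01/09 05:26:34 ossec-agent: INFO: (6040): Maximum file size limit to generate diff information configured to '51200 KB' for 'c:\temp'.
2023/01/09 05:26:35 ossec-agent: INFO: (6003): Monitoring directory/file: 'c:\windows\system32', with options 'size | hash_sha256 | scheduled'.
2023/01/09 05:26:35 ossec-agent: INFO: (6041): Maximum disk quota size limit configured to '1048576 KB'.
2023/01/09 05:26:36 ossec-agent: ERROR: Constructed error line for the example.
"""

# timestamp, process, level, optional "(id)", message text
LINE = re.compile(
    r"^(\S+ \S+) (\S+): (DEBUG|INFO|WARNING|ERROR|CRITICAL): (?:\((\d+)\): )?(.*)$"
)
MONITOR = re.compile(r"Monitoring directory/file: '([^']+)', with options '([^']+)'")
MODES = ("whodata", "realtime", "scheduled")


def triage(log_text):
    """Return (problems, modes): lines at WARNING or above, and the
    monitoring mode reported for each directory in 6003-style lines."""
    problems, modes = [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or unrecognised line
        _, _, level, msg_id, text = m.groups()
        if level in ("WARNING", "ERROR", "CRITICAL"):
            problems.append((level, msg_id, text))
        mon = MONITOR.search(text)
        if mon:
            opts = [o.strip() for o in mon.group(2).split("|")]
            modes[mon.group(1)] = next((o for o in opts if o in MODES), "unknown")
    return problems, modes


if __name__ == "__main__":
    problems, modes = triage(SAMPLE_LOG)
    print("problems:", problems)
    for path, mode in modes.items():
        print(f"{mode:10} {path}")
```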

Prajapati Hitesh

Jan 9, 2023, 10:35:26 AM
to Wazuh mailing list
Hi Carlos,

My FIM is not working properly. I created one temp folder and created one file in %windir% and deleted that file after some time, but the report was not generated in the Wazuh manager.

Can you help to resolve this?

Carlos Dams

Jan 9, 2023, 3:27:27 PM
to Wazuh mailing list
Hi Prajapati,

I just tested in Wazuh version 4.2.7 with the following centralized configuration and it is working well on my side:
<agent_config>
    <!-- Shared agent configuration here -->
    <syscheck>
        <directories recursion_level="1" check_all="yes" realtime="yes">%windir%</directories>
    </syscheck>
</agent_config>


I recommend that you be more specific than just monitoring the whole directory, since there are many temporary files and probably log files which will create a bunch of alerts. I am adding a screenshot to show you what I mean; the following happened in just a few minutes:
fimWinDir.jpg

Also, I recommend that you update your Wazuh installation, since there have been some issues resolved in newer versions related to FIM.
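
Added example, not part of the original thread: a lint pass over syscheck `<directories>` entries that applies the two points raised in the replies above, namely that realtime="yes" is redundant next to whodata="yes", and that monitoring a whole system directory without narrowing it produces a flood of alerts. The sample configuration is constructed from the entries posted in this thread; the `ExampleApp` path, the `BROAD_ROOTS` set and the finding names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed agent.conf fragment based on the entries posted in this thread.
# Assumes a single root element; the ExampleApp path is hypothetical.
SAMPLE_CONF = r"""
<agent_config>
  <syscheck>
    <directories check_all="yes" realtime="yes" whodata="yes">C:\temp</directories>
    <directories check_all="yes" realtime="yes" whodata="yes">%windir%</directories>
    <directories recursion_level="1" check_all="yes" realtime="yes">%windir%</directories>
    <directories check_all="yes" whodata="yes">%ProgramFiles%\ExampleApp\config</directories>
  </syscheck>
</agent_config>
"""

# Assumption of this example: roots considered too broad unless recursion is capped.
BROAD_ROOTS = {"%windir%", "%programfiles%", "%programfiles(x86)%"}


def lint_syscheck(conf_text):
    """Return a list of (path, finding) for <directories> entries with an issue."""
    findings = []
    root = ET.fromstring(conf_text)
    for d in root.iter("directories"):
        attrs = {k: v.lower() for k, v in d.attrib.items()}
        # A <directories> element may hold a comma-separated list of paths.
        for path in (p.strip() for p in (d.text or "").split(",")):
            if not path:
                continue
            # whodata already implies real-time monitoring.
            if attrs.get("realtime") == "yes" and attrs.get("whodata") == "yes":
                findings.append((path, "redundant-realtime"))
            # Whole system directory with no recursion cap: expect alert noise.
            if path.lower().rstrip("\\") in BROAD_ROOTS and "recursion_level" not in attrs:
                findings.append((path, "broad-path-no-recursion-limit"))
    return findings


if __name__ == "__main__":
    for path, finding in lint_syscheck(SAMPLE_CONF):
        print(f"{finding:32} {path}")
```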

Prajapati Hitesh

Jan 10, 2023, 6:36:36 AM
to Wazuh mailing list

Hi Carlos,

I will first check the rule which was shared by you. In case any issue arises, I will update.

Thank you.

Prajapati Hitesh

Jan 10, 2023, 7:21:09 AM
to Wazuh mailing list
Hi Carlos,

Thank you, the issue has been resolved. 

Could you help on one more topic? I want to enable a mail trigger in the shared agent if any file extension changes.

Like: from .txt to .exe, .pdf, .jpg, etc.

Carlos Dams

Jan 11, 2023, 2:28:58 PM
to Wazuh mailing list
Hi Prajapati, sorry for the late response.

As the last request is different than the topic of the thread "Maximum File Size Issue", I encourage you to make a new post where you elaborate on this new request, and anyone from Wazuh or the Community will be happy to help you.

Thanks,
