file integrity monitor

Yectli Huerta

Mar 21, 2022, 4:36:39 PM
to Wazuh mailing list
Hi,

I am having issues with FIM. When I look at the inventory tab on the web interface, I can see that the test file I modified changed its checksum. But when I add a filter under the Events tab, I don't get any results when I execute the query.

I tried the following filter

syscheck.path is /etc/issue

but it did not work. Filebeat is running on the client. The ossec.conf configuration is this:

   <directories check_all="yes" report_changes="yes" whodata="yes">/etc,/usr/bin,/usr/sbin</directories>

I did restart the daemon to ensure that the change to the ossec.conf file was read.

Logstash is running on the server

# systemctl status logstash
● logstash.service - logstash
   Loaded: loaded (/etc/systemd/system/logstash.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2022-03-21 19:16:48 UTC; 3s ago
 Main PID: 591 (java)
   CGroup: /system.slice/logstash.service
           └─591 /usr/share/logstash/jdk/bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC...

Mar 21 19:16:48 yah-wazuh.novalocal systemd[1]: Started logstash.
Mar 21 19:16:48 yah-wazuh.novalocal logstash[591]: Using bundled JDK: /usr/share/logst...k
Mar 21 19:16:48 yah-wazuh.novalocal logstash[591]: OpenJDK 64-Bit Server VM warning: O....
Hint: Some lines were ellipsized, use -l to show in full.

but the log shows that it crashes periodically. The following lines come from logstash-plain.log:

[2022-03-21T20:36:04,083][INFO ][logstash.config.source.local.configpathloader] No config files found in path {:path=>"/etc/logstash/conf.d/*.conf"}
[2022-03-21T20:36:04,107][ERROR][logstash.config.sourceloader] No configuration found in the configured sources.
[2022-03-21T20:36:04,227][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9601, :ssl_enabled=>false}
[2022-03-21T20:36:09,350][INFO ][logstash.runner          ] Logstash shut down.
[2022-03-21T20:36:09,367][FATAL][org.logstash.Logstash    ] Logstash stopped processing because of an error: (SystemExit) exit
org.jruby.exceptions.SystemExit: (SystemExit) exit
        at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:747) ~[jruby-complete-9.2.20.1.jar:?]
        at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:710) ~[jruby-complete-9.2.20.1.jar:?]
        at usr.share.logstash.lib.bootstrap.environment.<main>(/usr/share/logstash/lib/bootstrap/environment.rb:94) ~[?:?]

Do you have any suggestions?

thanks,

Aditya Sharma

Mar 23, 2022, 12:10:22 AM
to Wazuh mailing list
Hi yhuerta, thanks for using Wazuh!

Can you please share with us more details about this:
1. Wazuh-Manager Version
2. Elasticsearch Version
3. Filebeat Version
4. Logstash Version

Is Filebeat running on Wazuh-Manager? Can you share the ossec.conf file also?

To get more insights over this please check out: https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/how-it-works.html 
To check the capabilities of FIM: https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html

I hope this helps you. Don't hesitate to ask questions; we are very happy to help you.

Regards
Aditya Sharma

Yectli Huerta

Mar 23, 2022, 2:21:33 PM
to Wazuh mailing list
Thanks for your reply. We are using CentOS 7 on both the client and server.

On Tuesday, March 22, 2022 at 11:10:22 PM UTC-5 aditya...@wazuh.com wrote:
Hi yhuerta, thanks for using Wazuh!

Can you please share with us more details about this:
1. Wazuh-Manager Version
2. Elasticsearch Version
3. Filebeat Version
4. Logstash Version

On the server:

[root@wazuh-server2 etc]# rpm -qa |grep elastic
elasticsearch-oss-7.10.2-1.x86_64
opendistroforelasticsearch-1.13.2-1.x86_64
opendistroforelasticsearch-kibana-1.13.2-1.x86_64
[root@wazuh-server2 etc]# rpm -qa |grep wazuh
wazuh-manager-4.2.5-1.x86_64
[root@wazuh-server2 etc]# rpm -qa |grep filebeat
filebeat-7.17.1-1.x86_64
[root@wazuh-server2 etc]# rpm -qa |grep logstash
logstash-7.17.1-1.x86_64
[root@wazuh-server2 etc]#

On the client:

[root@wazuh-client etc]# rpm -qa |grep wazuh
wazuh-agent-4.2.5-1.x86_64
[root@wazuh-client etc]# rpm -qa |grep fileb
filebeat-7.10.2-1.x86_64
[root@wazuh-client etc]#


Is Filebeat running on Wazuh-Manager? Can you share the ossec.conf file also?

Yes, Filebeat and Logstash are running on the server.

[root etc]# systemctl status logstash | head -n 3
● logstash.service - logstash
   Loaded: loaded (/etc/systemd/system/logstash.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2022-03-23 02:43:14 UTC; 15h ago
[root etc]# systemctl status filebeat  | head -n 3
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
   Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-03-22 18:47:53 UTC; 23h ago
[root etc]#

Filebeat is also running on the client. Here is the ossec.conf on the client; I'm using a frequency of 120 just to speed up the testing.

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>120</frequency>

    <scan_on_start>yes</scan_on_start>

    <alert_new_files>yes</alert_new_files>

    <!-- Directories to check  (perform all possible verifications) -->

    <directories check_all="yes" report_changes="yes" whodata="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" report_changes="yes" whodata="yes">/bin,/sbin,/boot</directories>
    <skip_nfs>yes</skip_nfs>
    <skip_dev>yes</skip_dev>
    <skip_proc>yes</skip_proc>
    <skip_sys>yes</skip_sys>

    <!-- Nice value for Syscheck process -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>100</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_interval>10m</max_interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>
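Added example (not code from the thread or from the Wazuh project): a small Python check that parses a syscheck block like the one posted above and reports whether a path used in a syscheck.path filter, such as /etc/issue, falls under a configured directories entry and with which attributes. SAMPLE_CONFIG is constructed from the posted configuration, trimmed to the elements the check reads.

```python
import posixpath
import xml.etree.ElementTree as ET

# SAMPLE_CONFIG is constructed from the <syscheck> block posted above,
# trimmed to the elements this check reads.
SAMPLE_CONFIG = """<syscheck>
  <disabled>no</disabled>
  <frequency>120</frequency>
  <directories check_all="yes" report_changes="yes" whodata="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes" report_changes="yes" whodata="yes">/bin,/sbin,/boot</directories>
</syscheck>
"""


def syscheck_root(config_xml):
    """Return <syscheck>, whether it is the root or nested inside <ossec_config>."""
    root = ET.fromstring(config_xml)
    node = root if root.tag == "syscheck" else root.find("syscheck")
    if node is None:
        raise ValueError("no <syscheck> block in configuration")
    return node


def monitored_directories(config_xml):
    """List (directory, attributes) for each comma-separated path in every <directories>."""
    # Each path inherits the attributes (check_all, whodata, ...) of its element.
    entries = []
    for elem in syscheck_root(config_xml).iter("directories"):
        for raw in (elem.text or "").split(","):
            if raw.strip():
                entries.append((posixpath.normpath(raw.strip()), dict(elem.attrib)))
    return entries


def covering_entry(config_xml, target):
    """Most specific (directory, attributes) covering `target`, or None if unmonitored."""
    # Syscheck switched off means nothing is monitored regardless of <directories>.
    if (syscheck_root(config_xml).findtext("disabled") or "no").strip().lower() == "yes":
        return None
    target = posixpath.normpath(target)
    best = None
    for directory, attrs in monitored_directories(config_xml):
        # Match on path components: "/etc" covers "/etc/issue", not "/etcetera/issue".
        if target == directory or target.startswith(directory.rstrip("/") + "/"):
            if best is None or len(directory) > len(best[0]):
                best = (directory, attrs)
    return best
```

A None result for the path in the filter means the event can never exist, so the query side is not where to look; a match means the agent config covers it and the pipeline between agent and index is the next thing to check.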

Yectli Huerta

Mar 23, 2022, 2:34:38 PM
to Wazuh mailing list
One more thing that I left out: the client is talking to the server.

[root@wazuh-server2 etc]# /var/ossec/bin/agent_control -i 001

Wazuh agent_control. Agent information:
   Agent ID:   001
   Agent Name: wazuh-client.novalocal
   IP address: any/any
   Status:     Active

   Operating system:    Linux |wazuh-client.novalocal |3.10.0-1160.59.1.el7.x86_64 |#1 SMP Wed Feb 23 16:47:03 UTC 2022 |x86_64
   Client version:      Wazuh v4.2.5
   Configuration hash:  ab73af41699f13fdd81903b5f23d8d00
   Shared file hash:    2c45c95db2954d2c7d0ea533f09e81a5
   Last keep alive:     1648060326

   Syscheck last started at:  Wed Mar 23 18:31:46 2022 (Scan in progress)
   Syscheck last ended at:    Wed Mar 23 18:29:45 2022

   Rootcheck last started at: Unknown
[root@wazuh-server2 etc]#