Missing Integrity Monitoring Logs , especially deletes


Black Fish

Jun 21, 2021, 4:12:57 AM6/21/21
to Wazuh mailing list
Hi All,

I am using the following configurations, I have 2500+ per day events for monitored D: drive but I am missing many of the logs especially delete logs, for hundreds of deletes there are only 3 logs for delete, I am sharing D: with file-server users, and it's critical for me to monitor each integrity event.

<directories check_all="yes" realtime="yes" report_changes="no">D:\</directories>

Thanks
Imran

antonio....@wazuh.com

Jun 21, 2021, 4:58:11 AM6/21/21
to Wazuh mailing list
Hi @mranqutab.2018t

We are aware of some problems with FIM and Windows shares:
- https://github.com/wazuh/wazuh/issues/5797 (this one is fixed in the latest versions of Wazuh)

Having this in mind, we will need more information about the setup:
- Wazuh version
- Amount of files that you want to monitor and the total size

FIM needs to create a baseline scan before starting the realtime monitoring. This first scan can take time, especially if the amount of files is big.

Finally, we will need the debug logs of the windows agent. To enable it, you need to:
- Add the following line to the file `C:\Program Files (x86)\ossec-agent\local_internal_options`
```
syscheck.debug=2
```
- Stop the agent
- Remove the contents (not the file) of the log file `C:\Program Files (x86)\ossec-agent\ossec.log` (you can backup the log file if you want)
- Start the agent
- Create the events inside the folders.
- Share the log file (hiding any sensitive information like public IPs).

antonio....@wazuh.com

Jun 24, 2021, 5:53:46 AM6/24/21
to Wazuh mailing list
Hi Antonio, 
Thanks for your reply. I enabled debug, but even after 6 hours there is not a single event for add, modify or delete; the agent is active. I removed thousands of the logs stating "ignoring" for matching regexes like jpg and HTML, etc. I attached the log file with this email. The monitored directory is the D: drive.

Wazuh version = Wazuh v3.12.3
data-size = about 1.5TB (can't count total files)
OS = Microsoft Windows Server 2012 R2 Datacenter 

thanks
imran

Hi Imran

I have been looking at the logs that you shared, and as I mentioned before, the problem here is that the baseline scan did not end after 6 hours. When FIM performs a scan, it calculates hashes for every single file that is configured, and when the amount of files is big and the size of those files is also big, this scan can take a lot of time.
When the Windows agent starts, FIM will print these messages when the scan starts:

2021/06/23 12:55:08 ossec-agent[18380] run_check.c:201 at start_daemon(): INFO: (6010): File integrity monitoring scan frequency: 43200 seconds
2021/06/23 12:55:08 ossec-agent[18380] create_db.c:60 at fim_scan(): INFO: (6008): File integrity monitoring scan started.
2021/06/23 12:55:08 ossec-agent[18380] run_check.c:110 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"scan_start","data":{"timestamp":1624434908}}

and FIM will print the following message when the scan ends:

Sending FIM event: {"type":"scan_end","data":{"timestamp":x}}

The end scan event hasn’t been triggered, so FIM won’t have the baseline to check the changes in the files. Without this baseline, the realtime module won’t start, this is why you are not seeing any realtime event.

There is an issue that will allow FIM to have persistent DBs, this will avoid the hash calculation when the agent starts (only if a previous scan was completed before). This won’t improve the time that a scan can take.

We don’t recommend monitoring entire drives because of this. I would recommend focusing the configuration on specific folders and monitoring in real time only those folders that are critical (like the ones with configuration files).
If you still want to monitor the entire drive, you can try disabling some hashes; this will improve the scan time, but with that quantity of files the scan may still take a lot of time (especially on slow drives like HDDs). If you want to try, you can find the options at this page of the documentation.
The options that you should look at are:

  • check_sum
  • check_sha1sum
  • check_sha256sum
  • check_md5sum

Hope this information is useful
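Two checks that follow from the diagnosis in this thread, written as an added example (not Wazuh's own code and not something anyone in the thread posted): the first reads the agent's `ossec.log` with `syscheck.debug=2` enabled and reports whether a `scan_start` event was followed by a `scan_end` event, which is what decides whether realtime monitoring will ever start; the second reads the `<syscheck>` section of an `ossec.conf` and flags `<directories>` entries that monitor a whole drive root, the configuration Antonio advises against. The `scan_start` log lines are the ones quoted in the thread; the `scan_end` line, its timestamp value, and the sample configuration are constructed for the example. The function names `baseline_status` and `lint_directories` are this example's own.

```python
"""Added example: check a Wazuh agent debug log for baseline-scan completion and
lint a syscheck configuration for whole-drive monitoring. Not Wazuh code."""
import json
import re
import xml.etree.ElementTree as ET

# Captures the agent-log timestamp and the JSON payload of a "Sending FIM event" debug line.
FIM_EVENT_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) .*Sending FIM event: (\{.*\})$"
)
# A bare drive root such as "D:" or "D:\" (Windows paths as written in ossec.conf).
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\?$")


def baseline_status(log_lines):
    """Return whether the FIM baseline scan started and ended, plus elapsed seconds.

    Realtime events are only emitted once scan_end has been sent, so a log that
    contains scan_start but no scan_end explains a total absence of realtime alerts.
    """
    status = {"scan_started": False, "scan_ended": False,
              "started_at": None, "ended_at": None, "elapsed_seconds": None}
    for line in log_lines:
        m = FIM_EVENT_RE.match(line.strip())
        if not m:
            continue
        try:
            event = json.loads(m.group(2))
        except json.JSONDecodeError:
            continue  # truncated or hand-edited line; ignore it
        ts = event.get("data", {}).get("timestamp")
        if event.get("type") == "scan_start":
            status["scan_started"], status["started_at"] = True, ts
        elif event.get("type") == "scan_end":
            status["scan_ended"], status["ended_at"] = True, ts
    if status["started_at"] is not None and status["ended_at"] is not None:
        status["elapsed_seconds"] = status["ended_at"] - status["started_at"]
    return status


def lint_directories(ossec_conf_xml):
    """Return warnings for <directories> entries that monitor an entire drive root."""
    warnings = []
    root = ET.fromstring(ossec_conf_xml)
    for node in root.iter("directories"):
        attrs = node.attrib
        # check_all="yes" and check_sum="yes" both enable every hash (md5, sha1, sha256).
        all_hashes = attrs.get("check_all") == "yes" or attrs.get("check_sum") == "yes"
        for path in (p.strip() for p in (node.text or "").split(",")):
            if not path or not DRIVE_ROOT_RE.match(path):
                continue
            msg = f"{path}: entire drive monitored; the baseline scan hashes every file before realtime starts"
            if all_hashes:
                msg += " (all hash checks enabled; consider only check_sha256sum)"
            if attrs.get("realtime") == "yes":
                msg += " (realtime will produce nothing until that baseline completes)"
            warnings.append(msg)
    return warnings


# Log lines quoted in the thread (scan start); no scan_end line follows.
SAMPLE_LOG = """\
2021/06/23 12:55:08 ossec-agent[18380] run_check.c:201 at start_daemon(): INFO: (6010): File integrity monitoring scan frequency: 43200 seconds
2021/06/23 12:55:08 ossec-agent[18380] create_db.c:60 at fim_scan(): INFO: (6008): File integrity monitoring scan started.
2021/06/23 12:55:08 ossec-agent[18380] run_check.c:110 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"scan_start","data":{"timestamp":1624434908}}
""".splitlines()

# Constructed scan_end line in the format quoted in the thread; the timestamp is invented
# (45 minutes after scan_start).
SAMPLE_LOG_COMPLETE = SAMPLE_LOG + [
    '2021/06/23 13:40:08 ossec-agent[18380] run_check.c:110 at send_syscheck_msg(): DEBUG: (6321): '
    'Sending FIM event: {"type":"scan_end","data":{"timestamp":1624437608}}',
]

# Constructed configuration: the whole-drive entry from the original post plus a narrowed one.
SAMPLE_CONF = """<ossec_config>
  <syscheck>
    <directories check_all="yes" realtime="yes" report_changes="no">D:\\</directories>
    <directories check_sha256sum="yes" realtime="yes">D:\\shares\\config</directories>
  </syscheck>
</ossec_config>"""

if __name__ == "__main__":
    print("thread log   :", baseline_status(SAMPLE_LOG))
    print("completed log:", baseline_status(SAMPLE_LOG_COMPLETE))
    for w in lint_directories(SAMPLE_CONF):
        print("config warning:", w)
```

Run against a real agent log, `baseline_status` reports `scan_ended` false for exactly the situation in this thread; once the scan does finish, `elapsed_seconds` gives a realistic figure for how long a full-drive baseline takes on that host, which is the number to weigh against narrowing the `<directories>` list.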