monitor folder access on Windows with Wazuh

[Mohammadullah Mohmand]

to Wazuh mailing list

recently i have installed wazuhv4.3.7 and main plan is to   to monitor all office windows and Linux servers ,.. most of the tasks has successfully completed but now want to monitor all the change in file server D and F Drives , hence i have tried to fix the problem with below commands but not succeed , therefore i need you support to solve the problem  

with whodata 

<directories check_all="yes" whodata="yes" report_changes="yes">F:\\</directories>

 with realtime 

<directories check_all="yes" realtime="yes" report_changes="yes">F:\\</directories>

note: i have also checked below but not worked 

<directories check_all="yes" whodata="yes" report_changes="yes">F:\.</directories>

regards

[Jeremias Ignacio Posse]

Hi, thanks for using Wazuh! I'll be with you in a moment!

[Jeremias Ignacio Posse]

Well, here is a post in our blog where we talk about how to monitor access to specific folders in windows and how to do all this process

https://wazuh.com/blog/how-to-monitor-folder-access-on-windows/

In addition to this blog here you have a link to our documentation to learn more about the functionality of Who-Data 

https://documentation.wazuh.com/current/user-manual/capabilities/auditing-whodata/who-windows.html

https://documentation.wazuh.com/current/user-manual/capabilities/auditing-whodata/who-linux.html

I think with this information you have enough to read on the subject and if you have more questions feel free to post them here or in a new message,

greetings

On Wednesday, September 7, 2022 at 7:27:16 AM UTC-3 mohammadul...@gmail.com wrote:

[Mohammadullah Mohmand]

Hello Sir 

thanks for the update and advise, i have followed all the steps, but still  Drvie D:// share folders  changes, add and delete logs are not appearing in wazha events , even i have followed the below link  Trouble getting real-time FIM alerts with whodata on Windows (google.com)

but i think this one is for the old versions, hence if you could send me the step by step commands what i need to do in windows file server which agent is installed and what steps  needs to be done on wazuh manager to have file server share fodlers logs in wazuh .

thanks for your help in advnance .

[Mohammadullah Mohmand]

for more info plz have a look to the attached screenshots.

regards

[Mohammadullah Mohmand]

is there any update please ?

[Jeremias Ignacio Posse]

Hi, I apologize for the delay, I will be answering your questions in a few minutes.

[Jeremias Ignacio Posse]

I'm still looking for an answer to your solution but, could you confirm that following this guide below, you get the expected results?
Thanks in advance and sorry for the delay.
Guide  Detect filesystem changes
https://documentation.wazuh.com/current/learning-wazuh/detect-fs-changes.html?highlight=fim#detect-filesystem-changes

[Mohammadullah Mohmand]

Hello Sir,

thanks for your help and support i have added the below command in client agent now its working fine .

<directories check_all="yes"  realtime="yes" report_changes="yes">F:\.</directories>

thanks for your support