Wazuh for FIM in System32

[njsat...@gmail.com]

Hi, 

I am new to using Wazuh, and I am testing for a future deployment as a FIM solution. I can't seem to get alerts when files are added, deleted, or modified in C:\Windows\System32. 

I have groups set up, and have tried the following configurations (one at a time) in the group agent.conf file. None of them work when a test txt file is created. 

<directories check_all="yes" realtime="yes" report_changes="yes">C:\Windows\SysNative</directories>

<directories check_all="yes" realtime="yes" report_changes="yes">C:\Windows\System32</directories>

<directories check_all="yes" realtime="yes" report_changes="yes">%WINDIR%\SysNative</directories>

<directories check_all="yes" realtime="yes" report_changes="yes">%WINDIR%\System32</directories>

I created a Test directory in C:\WazuhTest, and used the same configuration, and that directory works as expected. 

<directories check_all="yes" realtime="yes" report_changes="yes">C:\WazuhTest</directories>

Any help or direction you could provide would be appreciated. 

Thanks,

Jake

[cris...@wazuh.com]

Hi,

Just a brief explanation:

- On 32-bit systems, C:\Windows\System32 is literally C:\Windows\System32.
- On 64-bit systems, for a 32-bit application like Wazuh:
    - C:\Windows\System32 is C:\Windows\SysWOW64.
    - C:\Windows\SysNative is C:\Windows\System32.

The reason you probably don't see alerts from those folders is because the prescan hasn't finished because that directory is too large. In this process all files are indexed from the indicated directory.

We do not recommend monitoring the root of system directories for this reason.

Best regards,
Cristobal Lopez.