How to filter on Wazuh FIM


Emar Flix

May 7, 2026, 10:18:16 AM
to Wazuh | Mailing List
Hello,

I use the FIM module of Wazuh, and somebody has a file on the path that I monitor with FIM. I just know the name of the file and want to see who has this file on that path. But filter fields like data.audit.filename, data.file, etc. are empty.

How can I do that?

Thanks.

Olamilekan Abdullateef Ajani

May 7, 2026, 11:16:08 AM
to Wazuh | Mailing List
Hello Emarf,

What you are trying to do, I believe, depends on how the file was detected.

Wazuh FIM logs file changes (create, modify, delete) and it keeps an inventory of the files on the system per path being monitored.

So if the file has not triggered a recent FIM event, you won’t see it in searches, which is why fields like data.file or data.audit.filename are empty.

If the file was changed and detected by FIM, you should search using fields like: syscheck.path

If your goal is to find which systems currently have that file (not just changes), the FIM may not be able to capture that information, as it depends entirely on changes as they occur, and you can query that from the Discover dashboard.

Another thing is to navigate to the FIM dashboard, select the agent and navigate to Inventory; you will find the files being monitored and active. Please see the attached image for reference.

Please let me know if this works.

Regards,

image (1).png
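The search on `syscheck.path` described in the reply, as an added example that is not part of the original thread: it matches FIM alerts by file name across agents and keeps the latest event per agent and path, so a file whose last event is `deleted` is not reported as present. It assumes alerts exported one JSON object per line with `agent.name`, `syscheck.path` and `syscheck.event`; the function names and all sample data are constructed, and only files that generated a FIM event can appear.

```python
import json
import ntpath

# Constructed sample data in the shape of Wazuh FIM alerts, one JSON object
# per line; agent names, paths and timestamps are invented for illustration.
SAMPLE_ALERTS = r"""
{"timestamp":"2026-05-05T08:00:00.000+0000","agent":{"id":"001","name":"web01"},"syscheck":{"path":"/srv/share/report.xlsx","event":"added"}}
{"timestamp":"2026-05-06T09:30:00.000+0000","agent":{"id":"001","name":"web01"},"syscheck":{"path":"/srv/share/report.xlsx","event":"modified"}}
{"timestamp":"2026-05-05T08:05:00.000+0000","agent":{"id":"002","name":"db02"},"syscheck":{"path":"/srv/share/report.xlsx","event":"added"}}
{"timestamp":"2026-05-07T07:00:00.000+0000","agent":{"id":"002","name":"db02"},"syscheck":{"path":"/srv/share/report.xlsx","event":"deleted"}}
{"timestamp":"2026-05-06T11:00:00.000+0000","agent":{"id":"003","name":"win03"},"syscheck":{"path":"C:\\Users\\Public\\report.xlsx","event":"added"}}
{"timestamp":"2026-05-06T12:00:00.000+0000","agent":{"id":"001","name":"web01"},"syscheck":{"path":"/srv/share/notes.txt","event":"added"}}
{"timestamp":"2026-05-06T12:10:00.000+0000","agent":{"id":"001","name":"web01"},"rule":{"description":"constructed non-FIM alert"}}
"""

def agents_with_file(lines, filename):
    """Return {(agent, path): (last_event, timestamp)} for FIM events on filename."""
    latest = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        alert = json.loads(line)
        syscheck = alert.get("syscheck")
        if not syscheck or "path" not in syscheck:
            continue  # not a FIM alert, so there is no path to match
        # ntpath.basename splits on both "/" and "\", covering Linux and
        # Windows agents; the comparison ignores case (a choice made here).
        if ntpath.basename(syscheck["path"]).lower() != filename.lower():
            continue
        key = (alert["agent"]["name"], syscheck["path"])
        ts = alert["timestamp"]
        # Assumes every timestamp uses the same UTC offset, so ISO 8601
        # strings order correctly when compared as text.
        if key not in latest or ts > latest[key][1]:
            latest[key] = (syscheck.get("event"), ts)
    return latest

def still_present(latest):
    """Agents whose most recent FIM event for the file is not a deletion."""
    return sorted({agent for (agent, _), (event, _) in latest.items()
                   if event != "deleted"})

if __name__ == "__main__":
    hits = agents_with_file(SAMPLE_ALERTS.splitlines(), "report.xlsx")
    for (agent, path), (event, ts) in sorted(hits.items()):
        print(f"{agent:6} {event:9} {ts}  {path}")
    print("present on:", still_present(hits))
```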