Agent.conf file rule

[Massimiliano De Falco]

Good morning,

I have a win10 clients with 4.3.10 version agent and a problem about my agent.conf file. My agent.conf of default group is:

<agent_config>
    <!-- Shared agent configuration here -->
    <!-- FIM user -->
    <syscheck>
        <frequency>3600</frequency>
        <directories check_all="yes" report_changes="yes" realtime="yes">C:\\Users\\%USERNAME%</directories>
        <directories check_all="yes" report_changes="yes" realtime="yes">C:\\Windows\\System32</directories>
        <!-- <ignore>C:\\Users\%USERNAME%\\appdata\\local</ignore>
                     -->
    </syscheck>
    <!-- Alert when USB device is inserted/extracted -->
    <localfile>
        <log_format>full_command</log_format>
        <command>powershell "Get-PnpDevice -PresentOnly | Where-Object { $_.Class -match '^DiskDrive' }"</command>
        <frequency>20</frequency>
    </localfile>
</agent_config>

The syscheck of the C:\\Windows\\System32 work fine, but no answer, no log about the C:\\Users\\%USERNAME% directory.

Is the syntax writed correctly? How can I know where is the problem?

[Henadence Anyam]

Hello  Massimiliano!

Thank you for using Wazuh.

The environment variable %USERNAME% appends a $ sign at the end of the username which it not the same as the user directory.

You can use the wildcard (*) to match any directory or explicitly specify the path.

For example the following configuration:

<directories check_all="yes" report_changes="yes" realtime="yes">C:\Users\*\Downloads</directories>

Note The wildcard (*) used in the configuration works on Wazuh version 4.3 and above.  For older versions of Wazuh, you need to explicitly specify the full path.

See the following link: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#reference-ossec-syscheck-directories

Let me know if that helps resolve your issue.