File integrity monitoring


Dai Nguyen

Mar 20, 2023, 11:40:03 PM
to Wazuh mailing list
Why is it that when I add this to my ossec.conf and restart the Wazuh agent, I don't receive anything in the Wazuh dashboard?
Here is my config:

1.jpg

Here is my dashboard:
2.jpg

And I got these errors in the ossec.log file:
"2023/03/21 10:30:06 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/local/f\workspace\build\main\base_library.zip/last-entry.gz) which returned (32)
2023/03/21 10:30:06 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/local/f\workspace\build\main\base_library.zip/last-entry.gz' due to [(17)-(File exists)].
2023/03/21 10:30:06 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/local/f\workspace\build\main\exe-00.toc/last-entry.gz) which returned (32)
2023/03/21 10:30:06 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/local/f\workspace\build\main\exe-00.toc/last-entry.gz' due to [(17)-(File exists)]."
How do I fix this problem? Thank you!

Himanshu Sharma

Mar 21, 2023, 3:58:33 AM
to Wazuh mailing list
Hi Dai,

Thank you for using wazuh!!

It seems to be an issue with the configuration.

You can edit the configuration file like below:
<syscheck>
   <disabled>no</disabled>
   <scan_on_start>yes</scan_on_start>
   <frequency>300</frequency>
   <directories check_all="yes" whodata="yes" realtime="yes">C:\Program Files (x86)</directories>
</syscheck>

for more information, you can use the following documentation.
https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/fim-configuration.html#configuring-windows-registry
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html#reference-ossec-syscheck-directories

Keep in mind that you need to restart the agent after adding the configuration.

Hope this information helps you.

Dai Nguyen

Mar 21, 2023, 4:31:54 AM
to Wazuh mailing list
Hi,
I edited my configuration as you did and restarted my agent, but it doesn't work for me. I don't receive any alert after I add or modify a file.
Here is my configuration:
photo_2023-03-21_15-31-32.jpg

On Tuesday, March 21, 2023 at 14:58:33 UTC+7, Himanshu Sharma wrote:

Aditya Sharma

Mar 21, 2023, 5:29:44 AM
to Wazuh mailing list
Hi Dai, Sorry for the above response!

It would be necessary to know the version of the Wazuh agent and Wazuh manager that you are using, as well as the Windows system used. I will initially assume that you are using the latest version (Wazuh v4.3.10)

Regarding the options, keep in mind that the use of whodata already implies the use of realtime, so it is not necessary to add it.


Who-data monitoring is configured with the whodata attribute of the directories option. This attribute replaces the realtime attribute, which means that whodata implies real-time monitoring but adds the who-data information.

So the configuration would be as follows:

<directories check_all="yes" report_changes="yes" whodata="yes">C:\Windows</directories>
<directories check_all="yes" report_changes="yes" whodata="yes">C:\Program Files (x86)</directories>
<directories check_all="yes" report_changes="yes" whodata="yes">F:\workspace\test-dai</directories>

Note that it is not a good idea to monitor these folders in their entirety, as, for example, you would be monitoring the agent's own folder (ossec-agent) in Program Files (x86), generating messages like the following:

 2023/03/21 10:30:06 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/local/f\workspace\build\main\base_library.zip/last-entry.gz) which returned (32)

This error is specifically due to the Windows limitation on path length; it has been fixed for the upcoming Wazuh 4.5.0 release: https://github.com/wazuh/wazuh/pull/13588

Also, this will add a lot of load to the system since certain files are constantly changing. So, I recommend that you establish localized monitoring, or if you still want to monitor the entire folder, use the ignore option to avoid certain directories, for example:

<ignore>%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini</ignore>

According to the configuration you have shared, you should see messages in the ossec.log file like the following, indicating that the directory is being monitored; please check whether you see this message:

2022/12/27 09:39:41 wazuh-agent: INFO: (6003): Monitoring path: 'c:\program files (x86)', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | report_changes | whodata'.

Keep in mind that after adding the configuration and restarting the agent, depending on the system load it may take more or less time to detect the changes. Additionally, check the ossec.log file for messages marked "ERROR", "CRITICAL", "WARNING" and "FATAL".

Please share the /var/ossec/logs/ossec.log from both the Wazuh-manager & Wazuh-agent. So I can try to look into this issue in depth and be able to help in the better way possible.

Looking for your response soon!

Regards
Aditya Sharma
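The two checks Aditya suggests (look for the INFO (6003) "Monitoring path" line, and sweep ossec.log for ERROR/WARNING/CRITICAL/FATAL entries) as an added Python example; this is not code from the thread or from Wazuh. It parses the ossec.log lines quoted above, lists which paths syscheck reports as monitored and with which options, and for the queue/diff move and rename errors says whether the failing file sits inside the agent's own install directory (C:\Program Files (x86)\ossec-agent, the path the quoted lines show; an assumption if your agent was installed elsewhere). The line format it expects is the one in those quoted lines.

```python
"""Triage a Wazuh agent ossec.log for FIM (syscheck) problems.

Added example, not code from the thread or from Wazuh. It extracts the
INFO (6003) "Monitoring path" lines so you can confirm a directory really
is being watched (and with which options), collects every WARNING/ERROR/
CRITICAL/FATAL line, and for queue/diff move or rename failures reports
whether the failing file is inside the agent's own install directory.
"""
import re
from pathlib import PureWindowsPath

# Default install path of the 32-bit agent, as shown in the thread's log lines
# (assumption for non-default installs).
AGENT_DIR = PureWindowsPath(r"C:\Program Files (x86)\ossec-agent")
PROBLEM_LEVELS = {"WARNING", "ERROR", "CRITICAL", "FATAL"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\w-]+): "
    r"(?P<level>DEBUG|INFO|WARNING|ERROR|CRITICAL|FATAL): "
    r"(?:\((?P<code>\d+)\): )?"
    r"(?P<msg>.*)$"
)
MONITOR_RE = re.compile(r"Monitoring path: '(?P<path>[^']+)', with options '(?P<opts>[^']+)'")
RENAME_RE = re.compile(r"Could not rename file '[^']+' to '(?P<dst>[^']+)'")
# Lazy matches: the paths themselves contain "(x86)", so [^)]+ would stop early.
MOVE_RE = re.compile(r"Could not move \(.+?\) to \((?P<dst>.+?)\) which returned")

# Sample input: the agent-side lines quoted earlier in this thread.
SAMPLE_LOG = r"""
2022/12/27 09:39:41 wazuh-agent: INFO: (6003): Monitoring path: 'c:\program files (x86)', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | report_changes | whodata'.
2023/03/21 10:30:06 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/local/f\workspace\build\main\base_library.zip/last-entry.gz) which returned (32)
2023/03/21 10:30:06 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/local/f\workspace\build\main\base_library.zip/last-entry.gz' due to [(17)-(File exists)].
2023/03/21 10:30:06 wazuh-agent: ERROR: Could not move (C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz) to (C:\Program Files (x86)\ossec-agent\queue\diff/local/f\workspace\build\main\exe-00.toc/last-entry.gz) which returned (32)
2023/03/21 10:30:06 wazuh-agent: ERROR: (1124): Could not rename file 'C:\Program Files (x86)\ossec-agent\queue\diff/tmp/tmp-entry.gz' to 'C:\Program Files (x86)\ossec-agent\queue\diff/local/f\workspace\build\main\exe-00.toc/last-entry.gz' due to [(17)-(File exists)].
"""


def parse_line(line):
    """Split one ossec.log line into ts/src/level/code/msg; None if it doesn't match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def failing_path(msg):
    """Destination path of a queue/diff move or rename failure, or None."""
    m = RENAME_RE.search(msg) or MOVE_RE.search(msg)
    return PureWindowsPath(m["dst"]) if m else None


def triage(log_text):
    """Return monitored paths, problem lines, and monitored paths that cover AGENT_DIR."""
    report = {"monitored": [], "problems": [], "covers_agent_dir": []}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["code"] == "6003":
            m = MONITOR_RE.search(rec["msg"])
            if m:
                path = PureWindowsPath(m["path"])
                opts = [o.strip() for o in m["opts"].split("|")]
                report["monitored"].append({"path": str(path), "options": opts})
                # PureWindowsPath compares case-insensitively and accepts either
                # slash, so the lowercase path in the 6003 line still matches.
                if path == AGENT_DIR or path in AGENT_DIR.parents:
                    report["covers_agent_dir"].append(str(path))
        if rec["level"] in PROBLEM_LEVELS:
            entry = {"ts": rec["ts"], "level": rec["level"], "code": rec["code"], "msg": rec["msg"]}
            dst = failing_path(rec["msg"])
            if dst is not None:
                entry["inside_agent_dir"] = AGENT_DIR in dst.parents
            report["problems"].append(entry)
    return report


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for m in rep["monitored"]:
        print("monitored:", m["path"], "->", ", ".join(m["options"]))
    for p in rep["problems"]:
        where = " (inside agent dir)" if p.get("inside_agent_dir") else ""
        print(f"{p['level']} {p['code'] or '-'}{where}: {p['msg'][:80]}")
    if rep["covers_agent_dir"]:
        print("monitored path(s) include the agent's own directory:", rep["covers_agent_dir"])
```

Run it against a copy of the agent's ossec.log by feeding the file's contents to triage() instead of SAMPLE_LOG. A path reported under covers_agent_dir, combined with problems flagged inside_agent_dir, is exactly the self-monitoring situation that produces the rename errors quoted above; a directory you added that never appears under monitored means the agent did not pick up the new configuration at all.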

Dai Nguyen

Mar 21, 2023, 6:11:37 AM
to Wazuh mailing list
Hi,
I use Wazuh agent version 4.3.10, and the Wazuh manager is the same version; my Windows OS is Windows 10 Pro.
Here is the ossec.log file from my agent; I had this:
mee123.png
And here is the ossec.log on the Wazuh server; I got a lot of errors here.
1234.jpg


On Tuesday, March 21, 2023 at 16:29:44 UTC+7, Aditya Sharma wrote:

Aditya Sharma

Mar 21, 2023, 6:18:06 AM
to Wazuh mailing list
Hi Dai

Can you share with me the whole configuration of ossec.conf in text format, so I can try it in my local lab and see where we need to rectify it?

Regards
Aditya Sharma

Dai Nguyen

Mar 21, 2023, 6:32:43 AM
to Wazuh mailing list
Hi,
Here is the content of my ossec.conf file:
<!--
  Wazuh - Agent - Default configuration for Windows
  More info at: https://documentation.wazuh.com
  Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->

<ossec_config>

  <client>
    <server>
      <address>192.168.1.50</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    <config-profile>windows, windows10</config-profile>
    <crypto_method>aes</crypto_method>
    <notify_time>10</notify_time>
    <time-reconnect>60</time-reconnect>
    <auto_restart>yes</auto_restart>
  </client>

  <!-- Agent buffer options -->
  <client_buffer>
    <disabled>no</disabled>
    <queue_size>5000</queue_size>
    <events_per_second>500</events_per_second>
  </client_buffer>

  <!-- Log analysis -->
  <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>active-response\active-responses.log</location>
    <log_format>syslog</log_format>
  </localfile>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
  </rootcheck>

  <!-- Security Configuration Assessment -->
  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

  <!-- File integrity monitoring -->
  <syscheck>
    <directories check_all="yes" whodata="yes">F:\workspace\test-dai</directories>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <!-- Default files to be monitored. -->
    <directories recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$">%WINDIR%</directories>

    <directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$">%WINDIR%\SysNative</directories>
    <directories recursion_level="0">%WINDIR%\SysNative\drivers\etc</directories>
    <directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\SysNative\wbem</directories>
    <directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\SysNative\WindowsPowerShell\v1.0</directories>
    <directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\SysNative</directories>

    <!-- 32-bit programs. -->
    <directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$">%WINDIR%\System32</directories>
    <directories recursion_level="0">%WINDIR%\System32\drivers\etc</directories>
    <directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\System32\wbem</directories>
    <directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\System32\WindowsPowerShell\v1.0</directories>
    <directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\System32</directories>

    <directories realtime="yes">%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup</directories>


    <ignore>%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini</ignore>

    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

    <!-- Windows registry entries to monitor. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>

    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>

    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>

    <!-- Windows registry entries to ignore. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
    <registry_ignore type="sregex">\Enum$</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final</registry_ignore>

    <!-- Frequency for ACL checking (seconds) -->
    <windows_audit_interval>60</windows_audit_interval>

    <!-- Nice value for Syscheck module -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>100</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_interval>1h</max_interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>
     
  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

  <!-- CIS policies evaluation -->
  <wodle name="cis-cat">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <java_path>\\server\jre\bin\java.exe</java_path>
    <ciscat_path>C:\cis-cat</ciscat_path>
  </wodle>

  <!-- Osquery integration -->
  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <bin_path>C:\Program Files\osquery\osqueryd</bin_path>
    <log_path>C:\Program Files\osquery\log\osqueryd.results.log</log_path>
    <config_path>C:\Program Files\osquery\osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

  <!-- Active response -->
  <active-response>
    <disabled>no</disabled>
    <ca_store>wpk_root.pem</ca_store>
    <ca_verification>yes</ca_verification>
  </active-response>

  <!-- Choose between plain or json format (or both) for internal logs -->
  <logging>
    <log_format>plain</log_format>
  </logging>

</ossec_config>

<!-- END of Default Configuration. -->



On Tuesday, March 21, 2023 at 17:18:06 UTC+7, Aditya Sharma wrote:

Aditya Sharma

Mar 21, 2023, 6:34:58 AM
to Wazuh mailing list
Thanks, Dai,

Allow me some time, I will test it and let you know with proper updates.

Thanks for your patience!

Regards
Aditya Sharma

Aditya Sharma

Mar 22, 2023, 12:20:47 AM
to Wazuh mailing list
Hi Dai, Sorry for the late response!

I checked the above configuration in my local lab and restarted the agent, and it does not show any error logs on either the Wazuh manager or the Wazuh agent itself. So it may be that the agent restart is not happening correctly, or that we are missing some configuration somewhere. Can you please provide the output of the commands below:

systemctl status wazuh-manager
systemctl status wazuh-indexer
systemctl status wazuh-dashboard
systemctl status filebeat
filebeat test output


Share the Agent logs from here:


But one strong recommendation from our side is: don't monitor C:\Program Files (x86) directly, because this directory contains all the installed software and other things which change and refresh every second, changing lots of file and folder attributes like MD5SUM, User, SHA5 values, etc. That will trigger lots of alerts in a short period of time and can cause disk usage issues and a bombardment of events.

As you are using report_changes: report_changes should be used with caution, as Wazuh copies every single monitored file to a private location. You can find more information on that here: https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/fim-configuration.html#configuring-reporting-file-and-registry-value-changes


Looking for your response soon!

Regards
Aditya Sharma

Screenshot_9.png

Aditya Sharma

Mar 23, 2023, 11:45:14 PM
to Wazuh mailing list
Hi Dai, Sorry for the late response!

Syscheck can do 2 types of directory scans: normal and realtime. The only difference is that the scan for realtime directories is in "real time", while normal scanning runs periodically, at the time indicated by the frequency field.

In your case, every 120 seconds the normal scan is activated, which stops the realtime scanning. When normal scanning is finished, syscheck starts monitoring directories again in real time.

What I meant was that I replicated your configuration and kept it running for 30 minutes. After this time, I checked whether the realtime-marked directories were still monitored in real time. That is why I think it is possible that you checked the real-time monitoring at the moment when syscheck was launching a "normal analysis", and that after that time the realtime directories were running normally again.

In short, I recommend you one thing:

- Increase the realtime frequency.

Regards
Aditya Sharma

On Wednesday, March 22, 2023 at 1:06:08 PM UTC+5:30 Dai Nguyen wrote:
Hi,
Here is the status of wazuh-manager:
a.jpg

Here is my agent log after I restarted my wazuh-agent:
c.jpg

Currently, I get some alerts in my dashboard about the directories that I monitor, but it's not real-time, even though I added a "realtime" attribute in the <directories> node. It took a long time to show an alert like this; it is not shown immediately. I added the file "a.c" on Mar 21, 2023, but it only showed up today (Mar 22, 2023).
d.jpg
My English is not good, so if you don't understand what I mean, please tell me. Thank you so much!


On Wednesday, March 22, 2023 at 11:20:47 UTC+7, Aditya Sharma wrote:
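Putting the configuration advice from this thread together (whodata already implies realtime; don't watch C:\Program Files (x86) wholesale, since that includes the agent's own ossec-agent folder and produces the queue/diff rename errors; use report_changes sparingly; and, from the last reply, a short frequency keeps interrupting realtime watching with scheduled scans), here is an added Python lint over the <syscheck> section, with the weak configuration beside a corrected one. This is example code, not Wazuh's own. The two sample configurations are constructed from the ones posted in this thread; the MIN_FREQUENCY threshold, the list of documented <directories> attributes, and the default install path are my assumptions; and treating a plain <ignore> entry as a path prefix is my reading of the docs, so check it against the syscheck reference for your release.

```python
"""Lint the <syscheck> section of a Wazuh agent ossec.conf for the mistakes
discussed in this thread. Added example, not Wazuh's own code."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Default install path of the 32-bit agent, as shown in the thread's log lines (assumption).
AGENT_DIR = PureWindowsPath(r"C:\Program Files (x86)\ossec-agent")
# Assumption: our own threshold. Wazuh's default frequency is 43200 (12 h).
MIN_FREQUENCY = 3600
# <directories> attributes documented for Wazuh 4.x (assumption: verify for your release).
KNOWN_ATTRS = {
    "check_all", "check_sum", "check_sha1sum", "check_md5sum", "check_sha256sum",
    "check_size", "check_owner", "check_group", "check_perm", "check_attrs",
    "check_mtime", "check_inode", "check_device", "realtime", "report_changes",
    "restrict", "recursion_level", "tags", "whodata", "follow_symbolic_link",
    "diff_size_limit",
}

# Constructed from the configurations posted in this thread (the weak version).
SAMPLE_CONF = r"""
<ossec_config>
  <syscheck>
    <frequency>300</frequency>
    <directories check_all="yes" whodata="yes" realtime="yes">C:\Program Files (x86)</directories>
    <directories check_all="yes" report_changes="yes" whodata="yes">F:\workspace\test-dai</directories>
    <directories check_all="yes" real_time="yes">C:\Windows</directories>
    <ignore>%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini</ignore>
  </syscheck>
</ossec_config>
"""

# Corrected version: whodata alone on the small workspace directory, shallow
# realtime on Program Files (x86) with the agent's own folder excluded, and the
# default scan frequency.
FIXED_CONF = r"""
<ossec_config>
  <syscheck>
    <frequency>43200</frequency>
    <directories check_all="yes" whodata="yes">F:\workspace\test-dai</directories>
    <directories check_all="yes" realtime="yes" recursion_level="1">C:\Program Files (x86)</directories>
    <ignore>C:\Program Files (x86)\ossec-agent</ignore>
  </syscheck>
</ossec_config>
"""


def parse_conf(text):
    """ossec.conf may hold several <ossec_config> roots; wrap them so ElementTree accepts it."""
    return ET.fromstring("<root>" + text + "</root>")


def covers(parent, child):
    """True if `parent` is `child` or one of its ancestors (case-insensitive, either slash)."""
    return parent == child or parent in child.parents


def lint_syscheck(text):
    """Return a list of (kind, path, message) findings; empty means nothing to fix."""
    findings = []
    for sc in parse_conf(text).iter("syscheck"):
        # Plain <ignore> entries are treated as path prefixes; sregex ones are skipped here.
        ignores = [PureWindowsPath(i.text.strip()) for i in sc.findall("ignore")
                   if i.text and i.get("type") != "sregex"]
        dirs = sc.findall("directories")
        freq = sc.findtext("frequency")
        if freq and int(freq) < MIN_FREQUENCY and any(
                d.get("realtime") == "yes" or d.get("whodata") == "yes" for d in dirs):
            findings.append(("low_frequency", None, f"frequency={freq}s: every scheduled scan "
                             "pauses realtime/whodata watching while it runs; raise it (default 43200)"))
        for d in dirs:
            label = (d.text or "").strip()
            for attr in d.attrib:
                if attr not in KNOWN_ATTRS:
                    findings.append(("unknown_attribute", label, f"'{attr}' is not a documented "
                                     "<directories> attribute; check the spelling in the syscheck reference"))
            if d.get("whodata") == "yes" and d.get("realtime") == "yes":
                findings.append(("redundant_realtime", label,
                                 'whodata already implies realtime; drop realtime="yes"'))
            if d.get("report_changes") == "yes":
                findings.append(("report_changes", label, "report_changes copies every monitored "
                                 "file into queue/diff; keep it to small, specific directories"))
            for raw in label.split(","):  # the element accepts a comma-separated list of paths
                path = PureWindowsPath(raw.strip())
                if covers(path, AGENT_DIR) and not any(covers(i, AGENT_DIR) for i in ignores):
                    findings.append(("covers_agent_dir", str(path), f"includes the agent's own "
                                     f"directory {AGENT_DIR}; narrow the path or add <ignore>{AGENT_DIR}</ignore>"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", SAMPLE_CONF), ("fixed", FIXED_CONF)):
        print(f"== {name} ==")
        for kind, path, msg in lint_syscheck(conf) or [("ok", None, "no findings")]:
            print(f"{kind:20} {path or '-':30} {msg}")
```

To lint a real agent, read C:\Program Files (x86)\ossec-agent\ossec.conf and pass its contents to lint_syscheck(). The covers_agent_dir check is the one that matters most for the errors in this thread: a monitored path that contains queue\diff makes syscheck watch its own working files, and report_changes on the same path makes it copy them as well.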