FIM feature enablement

[Zarak Ali]

Dear Folk 

please anyone who can guide me how to enable FIm on wazuh and how to get fIM feature on desired server for any file or data modification.

[Isaiah Daboh]

Hi Zarak,

To enable FIM (File Integrity Monitoring) on Wazuh, you need to configure the Wazuh manager and agent. First, make sure you have the Wazuh manager and agent installed and running on your desired server. Then, you can enable FIM by modifying the Wazuh agent configuration file (ossec.conf) on the server. In the ossec.conf file, you will find a section for FIM configuration where you can define the directories and files you want to monitor for modifications. Once you have made the necessary changes, restart the Wazuh agent for the new configuration to take effect. The Wazuh manager will then receive FIM alerts whenever there is a file or data modification on the monitored server.

Wazuh Agent Configuration File

1. Add the following settings to the Wazuh agent configuration file, replacing the directories values with your own filepaths:

   • Linux: /var/ossec/etc/ossec.conf

   • Windows: C:\Program Files (x86)\ossec-agent\ossec.conf

   • macOS: /Library/Ossec/etc/ossec.conf

   <syscheck> <directories>FILEPATH/OF/MONITORED/FILE</directories> <directories>FILEPATH/OF/MONITORED/DIRECTORY</directories> </syscheck>
2. Restart the Wazuh agent with administrator privilege

You can learn how the FIM works here

And here or more configuration options 

Regards,

[Zarak Ali]

i already add the path properly but did not getting deletion file event and one thing more can u please tell me is any delay in event if we configure any change on manger or server end?

[Zarak Ali]

Pease check as i added this path when I create file is show add alert but when I delete form this I would not show so how to get deleted event plz tell ss attached for reference