Scenario of FIM that worked on testing but didn't work on production


Khem Raj Bhatta

Dec 27, 2022, 10:41:24 PM
to Wazuh mailing list
Hi everyone,

I recently tried to monitor a different partition using FIM in my testing environment, and it worked. The part that I added was

<directories check_all="yes" realtime="yes" whodata="yes" report_changes="yes">E:</directories>

as I had to monitor the E: partition.

The above scenario worked in my test environment, but when I did the same on my client side it didn't work. Could someone here help me out by describing the conditions under which FIM with the above configuration won't work?

Jose Luis Carreras Marin

Dec 28, 2022, 3:25:14 AM
to Wazuh mailing list
Hello khem.bhatta,

Before we start, a couple of tips related to that FIM configuration:
  • The realtime and whodata modes cannot be activated simultaneously (in your case, it overwrites the configuration, and only the last one, whodata, remains). Both are real-time modes; they act in the same way, with the difference that whodata includes information about the user who has triggered the events.
  • The configuration you are using (whodata and report_changes) on the entire disk would require a lot of resources to run. It is more advisable to narrow the configured directories a bit, in order not to have a multitude of events that could be considered unnecessary. Besides, configuring the Wazuh installation directory itself could cause some infinite loops (log files).

Now getting into the problems you may be having. Several questions about the environment:
  • Are there any differences between the testing environment and the production environment?
  • What installation method did you use?
  • Are any of the monitored partitions NFS?
  • What kind of errors are you encountering? Can you check the Wazuh agent log file for any clues (C:\Program Files (X86)\ossec-agent\ossec.log)?

I hope I can help as much as possible.
Best regards, jose
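As an added illustration of the two configuration tips above (it is not code from Wazuh or from either poster), here is a small lint over the `<syscheck>` section of an ossec.conf. It embeds the whole-drive `<directories>` line from the question as a constructed sample and, next to it, a constructed narrowed version that keeps one real-time mode per entry; the Wazuh install directory is recognised only by the `ossec-agent` folder name taken from the log path in the answer, which is an assumption of this script.

```python
# Added example, not Wazuh's own code: a minimal lint for <syscheck> <directories>
# entries that flags the two issues raised in the answer (realtime+whodata set
# together, and monitoring an entire drive or the agent's own install directory).
import re
import xml.etree.ElementTree as ET

# Constructed sample: the configuration from the question, monitoring all of E:
# with realtime and whodata enabled on the same entry.
BROAD_CONFIG = """<ossec_config>
  <syscheck>
    <directories check_all="yes" realtime="yes" whodata="yes" report_changes="yes">E:</directories>
  </syscheck>
</ossec_config>"""

# Constructed sample: narrowed to specific folders, one real-time mode per entry,
# report_changes only where file diffs are actually wanted.
NARROW_CONFIG = """<ossec_config>
  <syscheck>
    <directories check_all="yes" whodata="yes">E:\\Finance\\Reports</directories>
    <directories check_all="yes" realtime="yes" report_changes="yes">E:\\AppConfig</directories>
  </syscheck>
</ossec_config>"""

# Assumption: the agent install directory is named "ossec-agent", as in the
# ossec.log path quoted in the answer.
WAZUH_AGENT_DIR = re.compile(r"ossec-agent", re.IGNORECASE)
# "E:" or "E:\" with nothing after it means the whole partition is monitored.
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")


def lint_syscheck(xml_text):
    """Return a list of (path, message) findings for each monitored path."""
    findings = []
    root = ET.fromstring(xml_text)
    for entry in root.iter("directories"):
        attrs = {k: v.strip().lower() for k, v in entry.attrib.items()}
        # A single <directories> element may list several comma-separated paths.
        for path in (p.strip() for p in (entry.text or "").split(",") if p.strip()):
            if attrs.get("realtime") == "yes" and attrs.get("whodata") == "yes":
                findings.append((path, "realtime and whodata both set; only whodata will remain"))
            if DRIVE_ROOT.match(path):
                findings.append((path, "whole drive monitored; narrow to specific directories"))
            if WAZUH_AGENT_DIR.search(path):
                findings.append((path, "Wazuh agent directory monitored; its own logs will loop"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("broad", BROAD_CONFIG), ("narrow", NARROW_CONFIG)):
        print(name, lint_syscheck(cfg) or "no findings")
```

Running it reports two findings for the broad sample (the overlapping real-time modes and the whole-drive path) and none for the narrowed one; the same function can be pointed at the agent's actual ossec.conf text before comparing the test and production hosts.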
