FIM Integration Agent or Wazuh Server ossec.conf

Fatih Yuksektepe

Apr 15, 2024, 5:30:14 AM
to Wazuh | Mailing List
Hello, I'm not very proficient in Wazuh and I have a question. Do I need to write something in the agent's ossec.conf file for FIM and VirusTotal integration, or is it enough to add it only to the ossec.conf file on the Wazuh server?

Olusegun Adenrele Oyebo

Apr 15, 2024, 10:44:56 AM
to Wazuh | Mailing List
Hello Fatih,

Thanks for reaching out.

For configuring Wazuh FIM, you need to specify the directories where the FIM module must monitor the creation, modification, and deletion of files or configure the specific files you need to monitor. For you to specify the file or directory to monitor, you need to specify the path in the agent's ossec.conf file.
  • Windows: C:\Program Files (x86)\ossec-agent\ossec.conf
  • Linux: /var/ossec/etc/ossec.conf
  • Mac: /Library/Ossec/etc/ossec.conf
A sample of the configuration of the ossec.conf file is below:

<syscheck>
  <directories><FILEPATH_OF_MONITORED_FILE></directories>
  <directories><FILEPATH_OF_MONITORED_DIRECTORY></directories>
</syscheck>

Replace <FILEPATH_OF_MONITORED_FILE> and <FILEPATH_OF_MONITORED_DIRECTORY> with the path of the file or directory you want to monitor. It's also good to mention that if you want to monitor changes in directories and files on the Wazuh server itself, you can do so by making the necessary configuration in the Wazuh server's /var/ossec/etc/ossec.conf file.

Make sure you restart the Wazuh agent service with admin privileges after you have made the necessary changes.
  • Linux: systemctl restart wazuh-agent
  • Windows: Restart-Service -Name wazuh
  • macOS: /Library/Ossec/bin/wazuh-control restart
You can check the below link for more information on the FIM module:
For integrating Wazuh with VirusTotal, you'll need to do the configuration in the Wazuh server's /var/ossec/etc/ossec.conf file by adding the VirusTotal API key. Go to the VirusTotal API key page to get your API key. Below is a sample configuration that needs to be done on the Wazuh server.

<integration>
  <name>virustotal</name>
  <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
  <group>syscheck</group>
  <alert_format>json</alert_format>
</integration>

Restart the Wazuh manager service to save the changes: systemctl restart wazuh-manager

You can also check the below use case on how combining the VirusTotal and FIM capabilities can help to detect a malicious file.
I hope this helps. If you have any other query, do not hesitate to ask.

Best regards.
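As an added example (not from this thread and not Wazuh's own tooling), a small Python check that reads the two files described in the answer above: it lists the paths the agent-side <syscheck> block tells FIM to watch, and reports whether the manager-side VirusTotal <integration> block still carries the placeholder API key or lacks the syscheck group that forwards FIM alerts. Both sample configs are constructed inline; the parser wraps the file in a synthetic root because ossec.conf may contain several top-level <ossec_config> blocks and is therefore not well-formed XML on its own.

```python
import xml.etree.ElementTree as ET

# Constructed agent-side sample: FIM paths live in the agent's <syscheck> block.
AGENT_CONF = """<ossec_config>
  <syscheck>
    <directories check_all="yes" realtime="yes">/etc,/usr/bin</directories>
    <directories report_changes="yes">/home/app/config.yml</directories>
  </syscheck>
</ossec_config>
"""

# Constructed manager-side sample: the VirusTotal block still has the placeholder key.
MANAGER_CONF = """<ossec_config>
  <integration>
    <name>virustotal</name>
    <api_key>API_KEY</api_key> <!-- Replace with your VirusTotal API key -->
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>
"""

def parse_ossec_conf(text):
    # ossec.conf may hold several top-level <ossec_config> blocks, which is not
    # well-formed XML on its own, so wrap it in a synthetic root first.
    return ET.fromstring("<root>" + text + "</root>")

def fim_directories(conf_text):
    """Return every path FIM is told to watch (comma-separated lists are split)."""
    paths = []
    for d in parse_ossec_conf(conf_text).iter("directories"):
        paths.extend(p.strip() for p in (d.text or "").split(",") if p.strip())
    return paths

def virustotal_issues(conf_text):
    """Return a list of problems with the VirusTotal <integration> block."""
    blocks = [i for i in parse_ossec_conf(conf_text).iter("integration")
              if (i.findtext("name") or "").strip() == "virustotal"]
    if not blocks:
        return ["no <integration> block with <name>virustotal</name>"]
    issues = []
    for b in blocks:
        if (b.findtext("api_key") or "").strip() in ("", "API_KEY"):
            issues.append("api_key still holds the placeholder")
        if (b.findtext("group") or "").strip() != "syscheck":
            issues.append("group is not syscheck, so FIM alerts are not forwarded")
        if (b.findtext("alert_format") or "").strip() != "json":
            issues.append("alert_format should be json")
    return issues
```

Run fim_directories() on the agent's ossec.conf text and virustotal_issues() on the manager's; an empty issue list means the VirusTotal block matches the shape shown in the answer.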