Wazuh FIM is not working properly.

Farid Alakbarli

May 21, 2026, 11:49:24 AM
to Wazuh | Mailing List
Hello,
I get an alert in the FIM monitoring list with a rule description like the one below:

The maximum limit of files monitored is close to being reached. At this moment there are 87841 files and the limit is 100000. If the limit is reached some events can be lost. You can modify this setting in the centralized configuration or locally in the agent.

Don't the syscheck files get overwritten?

Diego Cappri

May 21, 2026, 12:42:43 PM
to Wazuh | Mailing List

Hello Farid, that alert shows up because Wazuh's FIM database on the agent has a built-in entry limit; right now you're at 87,841 out of 100,000. It's just a heads-up that if you hit the cap, any new files added after that point won't be tracked (existing ones are fine). To raise the limit, update this block in your ossec.conf (or via centralized config on the manager):

<syscheck>
  <file_limit>
    <enabled>yes</enabled>
    <entries>200000</entries>
  </file_limit>
</syscheck>

You can also check why you have so many files being monitored. Sometimes a broad path like /var or /usr sneaks in and increases the count. You can use <ignore> tags to exclude directories you don't really need to watch.

After making changes, restart the agent to apply them.

Thanks.

Diego.

Diego Cappri

May 22, 2026, 7:48:10 AM
to Farid Alakbarli, wa...@googlegroups.com
Anytime.

On Fri, May 22, 2026 at 2:32 AM Farid Alakbarli <alakbar...@gmail.com> wrote:
Thank you for your support Diego!


Diego Cappri

May 22, 2026, 10:05:58 AM
to Wazuh | Mailing List
Hi Farid,
Let me add the link to the official documentation for your reference: https://documentation.wazuh.com/current/user-manual/capabilities/file-integrity/index.html

Thank you.
Diego.

Farid Alakbarli

Jun 3, 2026, 12:03:12 AM
to Wazuh | Mailing List
Hi Diego,
I want to overwrite the FIM logs (only keep 100,000). I don't want to increase the file limit, because it will load again.
I searched the internet but cannot find a tag to overwrite these logs. How can I do this?

Should I use a cron task for this, or is there another way to do it?

thanks.

Md. Nazmur Sakib

Jun 30, 2026, 2:07:50 AM
to Wazuh | Mailing List

This is the configuration reference for the FIM file limit (file_limit).

You need to make the changes in the agent’s configuration.

<!-- Maximum number of files to be monitored -->
<file_limit>
  <enabled>yes</enabled>
  <entries>100000</entries>
</file_limit>


By default, the limit is 10000, so it will not monitor any files after scanning the first 10000 files by default.


You can use different filters in your FIM configuration (syscheck) to monitor more specific files.

You can check the following options:
restrict
ignore
registry_ignore


Let me know if you need any further help on this.

Farid Alakbarli

Jul 1, 2026, 11:10:22 AM
to Wazuh | Mailing List

Thank you for your response.

I increased the limit to 100,000, but the issue still occurs—the indices continue to fill up.

In this case, what else can I do?

Also, I have one more question: if the maximum is set to 100,000, does Wazuh start overwriting the oldest documents once that limit is reached (FIFO), or should it automatically create a new index instead?

Thanks in advance!

Md. Nazmur Sakib

Jul 2, 2026, 2:06:24 AM
to Wazuh | Mailing List

If the maximum number of files to monitor is set to 100,000, FIM reads the configuration from the agent's ossec.conf from top to bottom, and the files that come first in the configuration are the ones FIM monitors first.

For example, if you have a configuration like this:

<syscheck>
  ...
  <directories>/etc,/usr/bin,/usr/sbin</directories>
  <directories>/bin,/sbin,/boot</directories>
  ...
</syscheck>




and you have more than 100,000 files in
/etc
/usr/bin
/usr/sbin
/bin

then the FIM scan will never check the files in
/sbin
/boot
unless you increase the limit.

If you want to monitor more files, you can increase the limit:
<entries>100000</entries>

If you do not wish to monitor more files, you can tune the configuration to make sure FIM monitors more specific files.

For this, you can check the following options:
restrict
ignore
registry_ignore

For example:

<ignore>/var/log</ignore>
<ignore type="sregex">.log$|.swp$</ignore>

This configuration will ignore all .log and .swp files and the files under the path /var/log.

Let me know if you need any further information.
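Both answers above (Diego's file_limit block and Nazmur's point that FIM registers files in configuration order, so whatever falls past the cap in a later <directories> entry is never scanned) can be checked before touching the agent. The script below is an added example and is not part of this thread or of Wazuh itself. It parses the <syscheck> block(s) of an ossec.conf, walks the configured directories in order, applies the <ignore> rules, and reports how many files fit under <file_limit><entries>, which directories are only partly covered, and which are never reached. Assumptions: a plain <ignore> value matches as a path prefix, sregex patterns are approximated with Python's re module (Wazuh's OS_Regex syntax differs), and the directory tree and the limit of 100 are constructed for the demo.

```python
"""Dry-run of Wazuh FIM's file_limit against a syscheck configuration (added example, not Wazuh code)."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

DEFAULT_ENTRIES = 100000  # file_limit default per the Wazuh documentation; adjust if your version differs


def parse_syscheck(conf_text):
    """Return (directories, ignore_rules, entries); entries is None when the limit is disabled."""
    # ossec.conf may contain several top-level <ossec_config> blocks, so wrap them in one root.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    directories, ignores, entries = [], [], DEFAULT_ENTRIES
    for sc in root.iter("syscheck"):
        for d in sc.findall("directories"):  # configuration order == registration order
            directories += [p.strip() for p in (d.text or "").split(",") if p.strip()]
        for ig in sc.findall("ignore"):
            kind = "sregex" if ig.get("type") == "sregex" else "prefix"
            ignores.append((kind, (ig.text or "").strip()))
        fl = sc.find("file_limit")
        if fl is not None:
            if (fl.findtext("enabled") or "yes").strip().lower() == "no":
                entries = None
            elif fl.findtext("entries"):
                entries = int(fl.findtext("entries").strip())
    return directories, ignores, entries


def is_ignored(path, ignores):
    """Plain <ignore> is a path prefix (assumption); sregex is approximated with Python re."""
    return any((kind == "prefix" and path.startswith(value))
               or (kind == "sregex" and re.search(value, path))
               for kind, value in ignores)


def plan_scan(conf_text):
    """Walk the configured directories in order and account for every file against the cap."""
    directories, ignores, entries = parse_syscheck(conf_text)
    report = {"limit": entries, "registered": 0, "ignored": 0, "dropped": 0,
              "partially_scanned": [], "never_scanned": []}
    for base in directories:
        got, lost = 0, 0
        for dirpath, _subdirs, names in os.walk(base):
            for name in names:
                full = os.path.join(dirpath, name)
                if is_ignored(full, ignores):
                    report["ignored"] += 1
                elif entries is not None and report["registered"] >= entries:
                    lost += 1  # past the cap: FIM would not register this file
                else:
                    report["registered"] += 1
                    got += 1
        report["dropped"] += lost
        if lost and got:
            report["partially_scanned"].append(base)
        elif lost:
            report["never_scanned"].append(base)
    return report


def _populate(root, rel, count, suffix=""):
    """Create `count` empty files under root/rel (constructed test data)."""
    d = os.path.join(root, rel)
    os.makedirs(d, exist_ok=True)
    for i in range(count):
        open(os.path.join(d, f"f{i}{suffix}"), "w").close()


def run_demo():
    """Constructed tree mirroring the thread's layout, with a limit of 100 instead of 100000."""
    with tempfile.TemporaryDirectory() as root:
        _populate(root, "etc", 25)
        _populate(root, "etc", 5, ".log")  # caught by the sregex ignore
        _populate(root, "etc/skip", 3)     # caught by the prefix ignore
        for rel, n in (("usr/bin", 40), ("usr/sbin", 20), ("bin", 25), ("sbin", 10), ("boot", 5)):
            _populate(root, rel, n)
        conf = f"""
<ossec_config>
  <syscheck>
    <directories>{root}/etc,{root}/usr/bin,{root}/usr/sbin</directories>
    <directories>{root}/bin,{root}/sbin,{root}/boot</directories>
    <ignore>{root}/etc/skip</ignore>
    <ignore type="sregex">\\.log$|\\.swp$</ignore>
    <file_limit>
      <enabled>yes</enabled>
      <entries>100</entries>
    </file_limit>
  </syscheck>
</ossec_config>
"""
        report = plan_scan(conf)
        for key in ("partially_scanned", "never_scanned"):  # strip the temp prefix for readability
            report[key] = [p[len(root):] for p in report[key]]
        return report


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Run it against a real ossec.conf by replacing the constructed config with the file's contents: if "never_scanned" is non-empty, either raise <entries> or add <ignore> rules until the paths you care about fit, then restart the agent. The "ignored" count also tells you at a glance how much a new <ignore> line actually saves before you commit it centrally.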
