Hello Farid, that alert shows up because Wazuh's FIM database on the agent has a built-in entry limit, right now you're at 87,841 out of 100,000. It's just a heads-up that if you hit the cap, any new files added after that point won't be tracked (existing ones are fine). To raise the limit, update this block in your ossec.conf (or via centralized config in the manager):
<syscheck>
  <file_limit>
    <enabled>yes</enabled>
    <entries>200000</entries>
  </file_limit>
</syscheck>
You can also check why you have so many files being monitored — sometimes a broad path like /var or /usr sneaks in and increases the count. You can use <ignore> tags to exclude directories you don't really need to watch.
After making changes, restart the agent to apply them.
Thanks.
Diego.
Thank you for your support Diego!
--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/5afe4e0b-efdb-488b-a4d1-cc6609b116abn%40googlegroups.com.
This is the configuration reference for the FIM file limit (file_limit).
You need to make the changes in the agent’s configuration.
<!-- Maximum number of files to be monitored -->
<file_limit>
  <enabled>yes</enabled>
  <entries>100000</entries>
</file_limit>
By default, the limit is 10000, so it will not monitor any files after scanning the first 10000 files.
You can use different filters (syscheck) to tune your FIM configuration so that it monitors more specific files.
You can check the restrict and ignore options.
Let me know if you need any further help on this.
Thank you for your response.
I increased the limit to 100,000, but the issue still occurs—the indices continue to fill up.
In this case, what else can I do?
Also, I have one more question: if the maximum is set to 100,000, does Wazuh start overwriting the oldest documents once that limit is reached (FIFO), or should it automatically create a new index instead?
Thanks in advance!
If the maximum number of files to monitor is set to 100,000, FIM reads the configuration from the agent’s ossec.conf from top to bottom, so the files that come first in the configuration are the ones FIM will monitor first.
For example:
If you have a configuration like this.
<syscheck>
  ...
  <directories>/etc,/usr/bin,/usr/sbin</directories>
  <directories>/bin,/sbin,/boot</directories>
  ...
</syscheck>
If you have more than 100000 files in /etc, /usr/bin, /usr/sbin and /bin, the FIM scan will never check the files in /sbin and /boot unless you increase the limit.
If you want to monitor more files, you can increase the limit.
<entries>100000</entries>
If you do not wish to monitor more files, you can tune the configuration to make sure FIM monitors more specific files.
For this, you can check the restrict and ignore options.
For example,
<ignore>/var/log</ignore>
<ignore type="sregex">.log$|.swp$</ignore>
This configuration will ignore all .log and .swp files and the files under the path /var/log.
Let me know if you need any further information.
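A small added script (not Wazuh's own code, and not part of this thread) that models the behaviour described above: directories are counted in configuration order, <ignore> paths and sregex patterns are skipped, and nothing past <entries> is tracked. The config, the file inventory and the tiny limit of 5 are constructed here to show the cutoff; in practice you would feed it the output of `find` over the monitored directories before raising the limit.

```python
"""Estimate which files a Wazuh FIM scan would track under a given file_limit.

Approximation of the ordering rule described in the thread, not Wazuh's
algorithm: useful to see which configured directories fall past the limit.
"""
import re
import xml.etree.ElementTree as ET

# Constructed syscheck fragment; the limit is deliberately tiny for the demo.
SAMPLE_CONF = """<syscheck>
  <file_limit><enabled>yes</enabled><entries>5</entries></file_limit>
  <directories>/etc,/usr/bin</directories>
  <directories>/bin,/boot</directories>
  <ignore>/etc/cache</ignore>
  <ignore type="sregex">.log$|.swp$</ignore>
</syscheck>"""

# Constructed inventory, e.g. from: find /etc /usr/bin /bin /boot -type f
SAMPLE_FILES = [
    "/etc/passwd", "/etc/hosts", "/etc/cache/x", "/etc/app.log",
    "/usr/bin/ls", "/usr/bin/cat",
    "/bin/sh", "/boot/vmlinuz", "/boot/grub.swp",
]

def parse_syscheck(xml_text):
    """Return (entries or None if the limit is disabled, dirs, ignores, regexes)."""
    root = ET.fromstring(xml_text)
    lim = root.find("file_limit")
    enabled = lim is not None and lim.findtext("enabled", "yes").strip() == "yes"
    entries = int(lim.findtext("entries", "100000")) if lim is not None else 100000
    dirs = [d.strip() for n in root.findall("directories") for d in n.text.split(",")]
    ignores, regexes = [], []
    for n in root.findall("ignore"):
        if n.get("type") == "sregex":
            regexes.append(re.compile(n.text.strip()))  # sregex syntax close enough here
        else:
            ignores.append(n.text.strip().rstrip("/"))
    return (entries if enabled else None), dirs, ignores, regexes

def simulate(xml_text, files):
    """Walk directories in configuration order; return (tracked, skipped_by_limit)."""
    entries, dirs, ignores, regexes = parse_syscheck(xml_text)
    tracked, skipped = [], []
    for d in dirs:
        under = sorted(p for p in files if p.startswith(d.rstrip("/") + "/"))
        for f in under:
            if any(f == i or f.startswith(i + "/") for i in ignores):
                continue
            if any(r.search(f) for r in regexes):
                continue
            (tracked if entries is None or len(tracked) < entries else skipped).append(f)
    return tracked, skipped

if __name__ == "__main__":
    kept, lost = simulate(SAMPLE_CONF, SAMPLE_FILES)
    print(f"tracked {len(kept)}, past the limit {len(lost)}: {lost}")
```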