Wazuh does not exclude files/folders from FIM.


Lucas Miranda

Feb 17, 2025, 3:10:44 AM
to Wazuh | Mailing List
I configured the path to monitor in real time.

<!-- Directories to check (perform all possible verifications) -->
<directories>/etc,/usr/bin,/usr/sbin</directories>
<directories>/bin,/sbin,/boot</directories>
<directories>/var/www</directories>

but, when I set it to exclude subdirectories, the service does not start.

<!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
    <ignore>/var/www/SITE1/storage/framework/cache<ignore>
    <ignore>/var/www/SITE2/storage/framework/cache<ignore>
    <ignore>/var/www/SITE3/storage/framework/cache<ignore>
    <ignore>/var/www/SITE4/storage/framework/cache/data<ignore>
    <ignore>/etc/unified-monitoring-agent<ignore>

I need these paths not to be monitored; any ideas on how to do this?

<ignore>/var/www/SITE1/storage/framework/cache<ignore>
<ignore>/var/www/SITE2/storage/framework/cache<ignore>
<ignore>/var/www/SITE3/storage/framework/cache<ignore>
<ignore>/var/www/SITE4/storage/framework/cache/data<ignore>

Bony V John

Feb 17, 2025, 4:05:58 AM
to Wazuh | Mailing List
Hi,

The issue you are facing is due to a syntax error in the configuration of the <ignore> block.
In your <ignore> block, you did not close the </ignore> tags properly.

Your ignore configuration:

<ignore>/var/www/SITE1/storage/framework/cache<ignore>
<ignore>/var/www/SITE2/storage/framework/cache<ignore>
<ignore>/var/www/SITE3/storage/framework/cache<ignore>
<ignore>/var/www/SITE4/storage/framework/cache/data<ignore>

Correct configuration using <ignore> tag:
<ignore>/var/www/SITE1/storage/framework/cache</ignore>
<ignore>/var/www/SITE2/storage/framework/cache</ignore>
<ignore>/var/www/SITE3/storage/framework/cache</ignore>
<ignore>/var/www/SITE4/storage/framework/cache/data</ignore>

Additionally, if you want to monitor the /var/www directory in real-time, you need to add the realtime attribute in the configuration, as shown below:
<directories realtime="yes">/var/www</directories>

After saving the configuration, you can restart the Wazuh agent:
systemctl restart wazuh-agent

You can refer to the Wazuh syscheck configuration documentation for more details on the configuration.
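As an added check (not from the thread or from Wazuh's own code), running the syscheck snippet through an XML parser before restarting the agent surfaces the unclosed <ignore> tags, and the helper below assumes plain <ignore> entries match as path prefixes when deciding whether a file is skipped:

```python
import xml.etree.ElementTree as ET

# Constructed snippets mirroring the thread: the first reuses the unclosed
# "<ignore>" form from the question, the second is the corrected "</ignore>" form.
BROKEN_SNIPPET = """<syscheck>
  <directories realtime="yes">/var/www</directories>
  <ignore>/var/www/SITE1/storage/framework/cache<ignore>
  <ignore>/var/www/SITE4/storage/framework/cache/data<ignore>
</syscheck>"""

FIXED_SNIPPET = """<syscheck>
  <directories realtime="yes">/var/www</directories>
  <ignore>/var/www/SITE1/storage/framework/cache</ignore>
  <ignore>/var/www/SITE4/storage/framework/cache/data</ignore>
</syscheck>"""


def load_ignores(snippet):
    """Return (ignore_paths, error). error is None only when the XML is well formed."""
    try:
        root = ET.fromstring(snippet)
    except ET.ParseError as exc:
        # An unclosed <ignore> shows up here as a mismatched-tag error,
        # which is the same reason the agent refuses to start.
        return [], f"config is not well-formed XML: {exc}"
    return [el.text.strip() for el in root.iter("ignore") if el.text], None


def is_ignored(path, ignores):
    """Assumption: a plain (non-regex) <ignore> entry is a path-prefix match,
    so every file below the listed directory is skipped by FIM."""
    return any(path.startswith(ig) for ig in ignores)


if __name__ == "__main__":
    for label, snippet in (("broken", BROKEN_SNIPPET), ("fixed", FIXED_SNIPPET)):
        ignores, error = load_ignores(snippet)
        print(label, error or f"{len(ignores)} ignore entries loaded")
    ignores, _ = load_ignores(FIXED_SNIPPET)
    print(is_ignored("/var/www/SITE1/storage/framework/cache/data/ab/cd", ignores))
    print(is_ignored("/var/www/SITE1/app/Http/Kernel.php", ignores))
```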

Lucas Miranda

Feb 17, 2025, 7:49:04 AM
to Wazuh | Mailing List
Thanks!!

I can't believe I was so careless, thank you very much.

Another question, is there a wildcard character for log files?

Example:

<localfile>
<log_format>apache</log_format>
<location>/var/log/apache2/*/error.log</location>
</localfile>

<localfile>
<log_format>apache</log_format>
<location>/var/log/apache2/*/access.log</location>
</localfile>

I need to configure 1257 log hosts; could I do it like this? Or would I have to put them all in a single file?

Bony V John

Feb 18, 2025, 5:10:40 AM
to Wazuh | Mailing List
Hi,

Yes, in Wazuh, you can use the wildcard (*) to monitor files using the <localfile> configuration.

Based on your configuration, the Wazuh agent will monitor access.log and error.log files in all directories inside apache2.

For more details, refer to the Wazuh localfile configuration documentation.
