
I have a Wazuh (OSSEC fork) server and an agent (testing for now). The server gets all the info from the agent (login attempts and so on) except one thing: file changes (creation, deletion and so on). Upon restarting the agent, all the information is sent.

I've made sure that inotify and inotify-tools are installed, even build-essential (just in case), but nothing. Unless the agent is restarted, it will not send the new updates to the server.

OS: Ubuntu 16.04

Any ideas?

2 Answers


This is because file integrity monitoring is configured by default to run a scan on startup, and the default periodic scan is every 12 hours. You can change the frequency of the FIM module scans in /var/ossec/etc/ossec.conf, inside the FIM configuration, by changing the value inside the syscheck block:

<syscheck>
   <frequency>900</frequency>
</syscheck>

Here we configured the scan to run every 900 seconds. Check the official documentation for all possible values, like realtime, every day, etc.

Also, you need to choose what data you want to get in your Wazuh server, like whodata, md5, etc.

For example:

<syscheck>
   <directories check_all="yes" whodata="yes">/etc</directories>
</syscheck>

This will give you all the data related to the modification of files inside /etc.


You must take into account that file change alerts are triggered when syscheckd detects any change from a previous scan; you can set the scan frequency using the corresponding option.

When an agent is started, a file integrity scan starts too if <scan_on_start>yes</scan_on_start> (enabled by default) is set; for that reason you receive alerts of file changes when you restart the agent.

Also, you could take a look at the <realtime> option, which will alert you instantly when a file changes.

Here you can find the official documentation https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html

And our mailing list is located at https://groups.google.com/forum/#!forum/wazuh; we are glad to help you there too.

In addition, it would be nice if you used the wazuh tag; we would appreciate that, thanks.

I hope this helps.

Regards
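Both answers point at the same three settings (scan_on_start, frequency, and per-directory realtime/whodata), but neither shows them together. The following is an added example, not code from either answer or from the Wazuh project: a complete syscheck block for the agent's /var/ossec/etc/ossec.conf that turns the default "12-hour scan plus scan at startup" behaviour into near-immediate reporting. The monitored paths (/etc and /home/deploy) are assumptions chosen for illustration.

```xml
<!-- Added example (not from the original answers): agent-side syscheck
     configuration in /var/ossec/etc/ossec.conf. Directory paths are
     illustrative assumptions; adjust them to what you actually need. -->
<ossec_config>
  <syscheck>
    <!-- Baseline scan when the agent starts (default: yes). This is the
         scan that produced the burst of file-change events only after the
         agent was restarted. -->
    <scan_on_start>yes</scan_on_start>

    <!-- Periodic full scan interval in seconds. The default is 43200
         (12 hours); with no realtime directories, this is the only time
         changes are noticed. 900 s = 15 minutes. -->
    <frequency>900</frequency>

    <!-- Realtime monitoring uses inotify on Linux: a change to anything
         under /etc is reported as it happens, without waiting for the
         next periodic scan. check_all enables all hash/attribute checks. -->
    <directories check_all="yes" realtime="yes">/etc</directories>

    <!-- whodata additionally records which user and process made the
         change. On Linux it relies on the Linux Audit subsystem (auditd),
         not on inotify, so auditd must be installed on the agent. -->
    <directories check_all="yes" whodata="yes">/home/deploy</directories>

    <!-- Set explicitly so creation of new files is reported regardless of
         the release's default. -->
    <alert_new_files>yes</alert_new_files>
  </syscheck>
</ossec_config>
```

Two practical caveats. First, syscheck re-reads its configuration only at startup, so the agent must be restarted once after editing ossec.conf (for example with /var/ossec/bin/ossec-control restart on releases of that era); after that, realtime directories no longer depend on restarts or on the frequency value. Second, the original symptom (events appearing only after a restart, with inotify-tools installed but unused) is exactly what this block looks like with no realtime="yes" attribute: installing inotify-tools on its own changes nothing, because syscheck only registers inotify watches for directories explicitly marked realtime.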
