Scan paths configuration

Leaving this unconfigured will result in Wazuh using the module defaults.

By default, it will monitor /etc, /usr/bin, /usr/sbin, /bin and /sbin on the Wazuh Server, with real time monitoring disabled and report_changes enabled.

To overwrite the defaults or add new paths to scan, you can use Hiera.

To tell Wazuh to enable real time monitoring of the default paths:

wazuh::server::ossec_scanpaths:
  - path: /etc
    report_changes: 'no'
    realtime: 'no'
  - path: /usr/bin
    report_changes: 'no'
    realtime: 'no'
  - path: /usr/sbin
    report_changes: 'no'
    realtime: 'no'
  - path: /bin
    report_changes: 'yes'
    realtime: 'yes'
  - path: /sbin
    report_changes: 'yes'
    realtime: 'yes'

wazuh::server::ossec_ignorepaths:

By default, it is empty.

To overwrite the defaults or add new paths to scan, you can use Hiera.

More information about syscheck configuration is available in the File integrity monitoring section.

Note

Configuring the ossec_scanpaths variable will overwrite the default paths. If you want to add a new directory to monitor, you must also list the default paths above so that they continue to be monitored.
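
The overwrite behaviour described in the note, as an added example that is not part of the Wazuh Puppet module or the original page: a Ruby check that reads Hiera data and reports which default paths an ossec_scanpaths override drops. The /opt/app directory and the sample Hiera data are constructed; the default list is the one given above.

```ruby
require 'yaml'

# Default server scan paths as listed on this page.
DEFAULT_PATHS = %w[/etc /usr/bin /usr/sbin /bin /sbin].freeze
KEY = 'wazuh::server::ossec_scanpaths'

# Constructed Hiera data: adds /opt/app (hypothetical) but omits /bin and /sbin.
SAMPLE_HIERA = <<~HIERA
  wazuh::server::ossec_scanpaths:
    - path: /etc
      report_changes: 'yes'
      realtime: 'no'
    - path: /usr/bin
      report_changes: 'yes'
      realtime: 'no'
    - path: /usr/sbin
      report_changes: 'yes'
      realtime: 'no'
    - path: /opt/app
      report_changes: 'yes'
      realtime: 'yes'
HIERA

# Reports how an ossec_scanpaths override changes file integrity coverage.
def audit_scanpaths(yaml_text)
  data = YAML.safe_load(yaml_text)
  data = {} unless data.is_a?(Hash)
  # Key absent: the module defaults apply, so no default path is lost.
  return { overridden: false, missing: [], added: [], no_realtime: [] } unless data.key?(KEY)

  entries = Array(data[KEY]).select { |e| e.is_a?(Hash) && e['path'] }
  # Treat "/usr/sbin/" and "/usr/sbin" as the same directory.
  paths = entries.map { |e| e['path'].to_s.sub(%r{(?<=.)/+\z}, '') }
  {
    overridden: true,
    missing: DEFAULT_PATHS - paths,   # defaults silently dropped by the override
    added: paths - DEFAULT_PATHS,     # directories beyond the defaults
    no_realtime: entries.reject { |e| e['realtime'].to_s == 'yes' }
                        .map { |e| e['path'].to_s }
  }
end

if __FILE__ == $PROGRAM_NAME
  report = audit_scanpaths(SAMPLE_HIERA)
  puts "missing defaults: #{report[:missing].join(', ')}"
  puts "added paths:      #{report[:added].join(', ')}"
  puts "no realtime:      #{report[:no_realtime].join(', ')}"
end
```

A non-empty "missing" list means the override has removed file integrity monitoring from a directory that was covered by default.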