Syscheck is configured in the ossec.conf file. Generally this configuration is set using the following sections:
For detailed configuration options, go to Syscheck.
To configure syscheck, a list of files and directories must be identified. The
check_all option checks file size, permissions, owner, last modification date, inode and all the hash sums (MD5, SHA1 and SHA256).
If a directory is specified both in a centralized configuration and on the agent’s
ossec.conf, the centralized configuration will take precedence and override the local configuration.
<syscheck> <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories> <directories check_all="yes">/root/users.txt,/bsd,/root/db.html</directories> </syscheck>
Configuring scheduled scans¶
Syscheck has an option to configure the
frequency of the system scans. In this example, syscheck is configured to run every 10 hours.
<syscheck> <frequency>36000</frequency> <directories>/etc,/usr/bin,/usr/sbin</directories> <directories>/bin,/sbin</directories> </syscheck>
Configuring real-time monitoring¶
Real-time monitoring is configured with the
realtime option. This option only works with directories rather than with individual files. Real-time change detection is paused during periodic syscheck scans and reactivates as soon as these scans are complete.
<syscheck> <directories check_all="yes" realtime="yes">c:/tmp</directories> </syscheck>
Configuring who-data monitoring¶
New in version 3.4.0.
Who-data monitoring is configured with the
whodata option. This option replaces the
realtime option, which means that
whodata implies real-time monitoring but adding the who-data information.
This functionality uses Linux Audit subsystem and the Microsoft Windows SACL, so additional configurations might be necessary. Check the Auditing who-data entry to get further information.
<syscheck> <directories check_all="yes" whodata="yes">/etc</directories> </syscheck>
Configure to report changes¶
report_changes option, we can see what specifically changed in text files. Be careful about which folders you set up to
report_changes to, because in order to do this, Wazuh copies every single file you want to monitor to a private location.
<syscheck> <directories check_all="yes" realtime="yes" report_changes="yes">/test</directories> </syscheck>
Configure to ignore files¶
Files and directories can be omitted using the ignore option (or registry_ignore for Windows registry entries). In order to avoid false positives, syscheck can be configured to ignore certain files that don’t need to be monitored.
<syscheck> <ignore>/etc/random-seed</ignore> <ignore>/root/dir</ignore> <ignore type="sregex">.log$|.tmp</ignore> </syscheck>
Configure maximum recursion level allowed¶
New in version 3.6.0.
It is possible to configure the maximum recursion level allowed for a specific directory by setting the
recursion_level option. This option must be an integer between 0 and 320. An example of use:
<syscheck> <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories> <directories check_all="yes">/root/users.txt,/bsd,/root/db.html</directories> <directories check_all="yes" recursion_level="3">folder_test</directories> </syscheck>
Using the following directory structure and
folder_test ├── file_0.txt └── level_1 ├── file_1.txt └── level_2 ├── file_2.txt └── level_3 ├── file_3.txt └── level_4 ├── file_4.txt └── level_5 └── file_5.txt
We will receive alerts for all files up to
folder_test/level_1/level_2/level_3/ but we won’t receive alerts from any directory deeper than
If we don’t want any recursion (just get alerts from the files in the monitored folder), we must set
recursion_level to 0.
recursion_level is not specified, it will be set to the default value defined by
syscheck.default_max_depth in the internal options configuration file.
Ignoring files via rules¶
It is also possible to ignore files using rules, as in this example:
<rule id="100345" level="0"> <if_group>syscheck</if_group> <match>/var/www/htdocs</match> <description>Ignore changes to /var/www/htdocs</description> </rule>
With a custom rule, the level of a syscheck alert can be altered when changes to a specific file or file pattern are detected.
<rule id="100345" level="12"> <if_group>syscheck</if_group> <match>/var/www/htdocs</match> <description>Changes to /var/www/htdocs - Critical file!</description> </rule>