syscheck

XML section name

<syscheck>
</syscheck>

Configuration options for file integrity monitoring:

alert_new_files

Specifies if syscheck should alert when new files are created.

Default value yes
Allowed values yes, no

Example:

<alert_new_files>yes</alert_new_files>

Note

It is valid on: server and local.

allow_remote_prefilter_cmd

New in version 3.11.0.

Allows the prefilter_cmd option to be applied from the remote configuration (agent.conf).

Default value no
Allowed values yes, no

Example:

<allow_remote_prefilter_cmd>yes</allow_remote_prefilter_cmd>

Note

This option can only be activated from the agent side, in its own ossec.conf.

auto_ignore

Specifies whether or not syscheck will ignore files that change too many times (manager only).

Default value no
Allowed values yes, no

Attributes:

frequency Number of times the alert can be repeated in the ‘timeframe’ time interval.
Default value 10
Allowed values Any number between 1 and 99.
timeframe Time interval in which the number of alerts generated by a file accumulates.
Default value 3600
Allowed values Any number between 1 and 43200.

Example:

<auto_ignore frequency="10" timeframe="3600">no</auto_ignore>

Note

It is valid on: server and local.
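The frequency/timeframe pair above describes a per-file sliding window. The following Python is an added illustration of that rule (it is not Wazuh's code and the class, method and sample paths are the example's own): a file may alert at most `frequency` times within any `timeframe` seconds, and further changes in that window are dropped. Whether suppressed changes count toward the window is an assumption made here; the example counts only the alerts that were actually emitted.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple


class AutoIgnore:
    """Per-file alert throttle modelled on auto_ignore.

    A file may raise at most `frequency` alerts inside any `timeframe`-second
    window; further changes are suppressed until older alerts age out.
    Added illustration of the documented rule, not Wazuh's implementation;
    suppressed changes do not count toward the window (assumption).
    """

    def __init__(self, frequency: int = 10, timeframe: int = 3600) -> None:
        # Bounds are the allowed values listed for the two attributes.
        if not 1 <= frequency <= 99:
            raise ValueError("frequency must be between 1 and 99")
        if not 1 <= timeframe <= 43200:
            raise ValueError("timeframe must be between 1 and 43200")
        self.frequency = frequency
        self.timeframe = timeframe
        self._alerts: Dict[str, Deque[float]] = defaultdict(deque)

    def should_alert(self, path: str, now: float) -> bool:
        """Return True if a change to `path` seen at time `now` still alerts."""
        window = self._alerts[path]
        while window and now - window[0] >= self.timeframe:
            window.popleft()            # drop alerts that left the timeframe
        if len(window) >= self.frequency:
            return False                # quota for this window exhausted
        window.append(now)
        return True


def simulate(frequency: int, timeframe: int,
             events: Iterable[Tuple[str, float]]) -> List[bool]:
    """Feed constructed (path, timestamp) events through the throttle and
    return, per event, whether it would have produced an alert."""
    throttle = AutoIgnore(frequency, timeframe)
    return [throttle.should_alert(path, ts) for path, ts in events]


if __name__ == "__main__":
    # Constructed sample: a cache file rewritten every 10 s, plus one
    # unrelated change to /etc/passwd that must not be affected by it.
    events = [("/var/tmp/cache.db", t) for t in range(0, 60, 10)]
    events.append(("/etc/passwd", 30))
    print(simulate(3, 35, events))
```

With frequency 3 and a 35-second window the fourth write to the cache file (t=30) is the only suppressed one: by t=40 the alert from t=0 has aged out and the quota is available again, while /etc/passwd is tracked independently.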

database

New in version 3.12.0.

Specifies where the database is going to be stored.

Default value disk
Allowed values disk, memory

directories

List of directories to be monitored. The directories can be comma-separated or multiple lines may be entered to include multiple directories.

All files and subdirectories within the noted directories will also be monitored.

Drive letters without directories are not valid. At a minimum the ‘.’ should be included (D:\.).

This is to be set on the system to be monitored (or in the agent.conf, if appropriate).

There is a limit of 64 comma-separated directories per line.

Default value The default configuration may vary depending on the operating system.
Allowed values Any directory

Attributes:

realtime

This will enable real-time/continuous monitoring on Linux (using the inotify system calls) and Windows systems.

Real time only works with directories, not individual files.

Default value no
Allowed values yes, no
whodata This will enable who-data monitoring on Linux and Windows systems.
Default value no
Allowed values yes, no
report_changes Report file changes. This is limited to text files at this time.
Default value no
Allowed values yes, no
check_all It modifies the value of all attributes with the prefix check_.
Default value yes
Allowed values yes, no
check_sum

Check the MD5, SHA-1 and SHA-256 hashes of the files.

Same as using check_md5sum="yes", check_sha1sum="yes" and check_sha256sum="yes" at the same time.

Default value yes
Allowed values yes, no
check_sha1sum Check only the SHA-1 hash of the files.
Default value yes
Allowed values yes, no
check_md5sum Check only the MD5 hash of the files.
Default value yes
Allowed values yes, no
check_sha256sum Check only the SHA-256 hash of the files.
Default value yes
Allowed values yes, no
check_size Check the size of the files.
Default value yes
Allowed values yes, no
check_owner

Check the owner of the files.

On Windows, uid will always be 0.

Default value yes
Allowed values yes, no
check_group

Check the group owner of the files/directories.

Available for UNIX. On Windows, gid will always be 0 and the group name will be blank.

Default value yes
Allowed values yes, no
check_perm

Check the permission of the files/directories.

On Windows, a list of denied and allowed permissions will be given for each user or group since version 3.8.0.

Only works on NTFS partitions on Windows systems.

Default value yes
Allowed values yes, no
check_attrs

Check the attributes of the files.

Available for Windows.

New in version 3.8.0.

Default value yes
Allowed values yes, no
check_mtime

Check the modification time of a file.

New in version 2.0.

Default value yes
Allowed values yes, no
check_inode

Check the file inode.

Available for UNIX. On Windows, inode will always be 0.

New in version 2.0.

Default value yes
Allowed values yes, no
restrict

Limit checks to files containing the entered string in the file name.

Any directory or file name (but not a path) is allowed.

Default value N/A
Allowed values sregex
tags

Add tags to alerts for monitored directories.

New in version 3.6.0.

Default value N/A
Allowed values Tags list separated by commas
recursion_level

Limits the maximum level of recursion allowed.

New in version 3.6.0.

Default value 256
Allowed values Any integer between 0 and 320
follow_symbolic_link

The setting is available for UNIX systems and only applies when a symbolic link is set in the configuration directly.

When this flag is enabled, the link is followed and the content of its target is monitored. Otherwise, the link itself is monitored.

New in version 3.8.0.

Default value no
Allowed values yes, no

When there is a conflict between options that modify the same attribute, the last one configured overrides. For instance:

<directories check_all="no" check_sha256sum="yes">/etc</directories>

The configuration above sets check_sha256sum to yes, because it is written after check_all="no".

<directories check_sha256sum="yes" check_all="no">/etc</directories>

In the second one, however, check_all="no" comes last and disables the SHA-256 hash check as well.
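To make the ordering rule concrete, here is an added Python example (not part of the Wazuh documentation or code base) that reads one directories element and resolves which check_* verifications end up active, applying the attributes left to right exactly as described above. The attribute names are the ones listed on this page; rejecting unknown check_-prefixed attributes is the example's own validation, not a statement about how Wazuh treats them.

```python
import re
from typing import Dict, Tuple

# Per-check attributes listed on this page for <directories>.
CHECK_FLAGS = (
    "check_sha1sum", "check_md5sum", "check_sha256sum", "check_size",
    "check_owner", "check_group", "check_perm", "check_attrs",
    "check_mtime", "check_inode",
)
# Shorthand attributes and the flags they expand to (check_sum / check_all above).
ALIASES = {
    "check_sum": ("check_md5sum", "check_sha1sum", "check_sha256sum"),
    "check_all": CHECK_FLAGS,
}

_ELEMENT_RE = re.compile(r'\s*<directories([^>]*)>(.*?)</directories>\s*', re.S)
_ATTR_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_directories(element: str) -> Tuple[Dict[str, str], str]:
    """Split '<directories a="x" b="y">path</directories>' into
    ({'a': 'x', 'b': 'y'}, 'path'), keeping attributes in document order."""
    m = _ELEMENT_RE.fullmatch(element)
    if not m:
        raise ValueError("not a single <directories> element")
    attrs: Dict[str, str] = {}
    for name, value in _ATTR_RE.findall(m.group(1)):
        attrs[name] = value  # dict insertion order == order in the element
    return attrs, m.group(2).strip()


def effective_checks(element: str) -> Dict[str, bool]:
    """Resolve the active check_* set for one <directories> element.

    Every check starts at its page default (yes). Attributes are applied in
    the order written; whichever attribute touches a flag last wins, which is
    why check_all="no" after check_sha256sum="yes" turns SHA-256 off again.
    """
    attrs, _path = parse_directories(element)
    state = {flag: True for flag in CHECK_FLAGS}
    for name, value in attrs.items():
        targets = ALIASES.get(name) or ((name,) if name in CHECK_FLAGS else ())
        if not targets:
            if name.startswith("check_"):
                # Example's own guard against misspelled attributes
                # (e.g. check_sha256 instead of check_sha256sum).
                raise ValueError(f"unknown check attribute: {name}")
            continue  # realtime, whodata, restrict, tags, ... are not check flags
        if value not in ("yes", "no"):
            raise ValueError(f"{name}: expected yes or no, got {value!r}")
        for flag in targets:
            state[flag] = value == "yes"
    return state


if __name__ == "__main__":
    for example in (
        '<directories check_all="no" check_sha256sum="yes">/etc</directories>',
        '<directories check_sha256sum="yes" check_all="no">/etc</directories>',
    ):
        active = sorted(k for k, v in effective_checks(example).items() if v)
        print(example, "->", active or "no checks")
```

Running it prints only check_sha256sum as active for the first element and no checks at all for the second, which is the behaviour the two sentences above describe; the same function can be pointed at every directories line of a production ossec.conf to confirm that no directory has lost its hash checks by accident.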

disabled

Indicates if the syscheck scan is disabled or not.

Default value no
Allowed values yes, no

Example:

<disabled>no</disabled>

file_limit

New in version 3.13.

Specifies a limit on the number of files that will be monitored by syscheck. Files created when the database has reached the limit will be ignored.

<!-- Maximum number of files to be monitored -->
<file_limit>
  <enabled>yes</enabled>
  <entries>100000</entries>
</file_limit>

enabled

New in version 3.13.

Specifies whether there will be a limit on the number of monitored files or not.

Default value yes
Allowed values yes, no

entries

New in version 3.13.

Specifies the number of files to be monitored.

Default value 100000
Allowed values Integer number between 1 and 2147483647.

frequency

Interval, in seconds, between syscheck scans.

Default value 43200
Allowed values A positive number, time in seconds.

Example:

<frequency>43200</frequency>

ignore

List of files or directories to be ignored. Introduced as one entry per line. Multiple lines may be entered to include multiple files or directories. Ignored files and directories are still scanned, but the results are not reported.

Default value The default configuration may vary depending on the operating system.
Allowed values Any directory or file name.

Attributes:

type This is a simple regex pattern to filter out files so alerts are not generated.
Allowed values sregex

Example:

<ignore>/etc/mtab</ignore>
<ignore type="sregex">.log$|.swp$</ignore>

max_eps

New in version 3.12.0.

Sets the maximum event reporting throughput. Events are messages that will produce an alert.

Default value 100
Allowed values Integer number between 0 and 1000000. 0 means disabled.

Example:

<max_eps>100</max_eps>

nodiff

List of files for which no diff is computed. Introduced as one entry per line. Use it for sensitive files such as private keys, stored credentials or database configuration, so that their content changes are not sent through alerts and leaked.

Default value The default configuration may vary depending on the operating system.
Allowed values Any file name.

Attributes:

type This is a simple regex pattern to select files for which no diff is computed.
Allowed values sregex

Example:

<nodiff>/etc/ssl/private.key</nodiff>
<nodiff type="sregex">/tmp/test/file$</nodiff>

prefilter_cmd

Command run before each file is checked, to prevent prelinking from creating false positives.

Default value n/a
Allowed values Command to prevent prelinking.

Example:

<prefilter_cmd>/usr/sbin/prelink -y</prefilter_cmd>

Note

This option may negatively impact performance as the configured command will be run for each file checked.

Note

This option is ignored when defined at agent.conf if allow_remote_prefilter_cmd is set to no at ossec.conf.

process_priority

New in version 3.12.0.

Sets the nice value for the Syscheck process.

Default value 10
Allowed values Integer number between -20 and 19.

The “niceness” scale in Linux goes from -20 to 19, where -20 is the highest priority and 19 the lowest.

For Windows the scale is translated as described in the following table:

Nice value   Windows thread priority
-20 to -10   THREAD_PRIORITY_HIGHEST
-9 to -5     THREAD_PRIORITY_ABOVE_NORMAL
-4 to 0      THREAD_PRIORITY_NORMAL
1 to 5       THREAD_PRIORITY_BELOW_NORMAL
6 to 10      THREAD_PRIORITY_LOWEST
11 to 19     THREAD_PRIORITY_IDLE

Example:

<process_priority>10</process_priority>

registry_ignore

List of registry entries to be ignored. One entry per line. Multiple lines may be entered to include multiple registry entries.

Default value The default configuration may vary depending on the operating system.
Allowed values Any registry entry.

Attributes:

arch Select the Registry to ignore depending on the architecture.
Default value 32bit
Allowed values 32bit, 64bit, both
type This is a simple regex pattern to filter out files so alerts are not generated.
Allowed values sregex

Example:

<registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
<registry_ignore type="sregex">\Enum$</registry_ignore>

remove_old_diff

New in version 3.4.0.

Deprecated since version 3.8.0.

Specifies if Syscheck should delete the local snapshots that are not currently being monitored. Since version 3.8.0, Syscheck will always purge those snapshots.

Default value yes
Allowed values yes, no

Example:

<remove_old_diff>yes</remove_old_diff>

restart_audit

New in version 3.5.0.

Deprecated since version 3.9.0.

Note

This option is set inside the <whodata> tag since version 3.9.0.

Allows the system to restart Auditd after installing the plugin. Note that if this field is set to no, the new whodata rules won't be applied automatically.

Default value yes
Allowed values yes, no

Example for restart_audit since v3.9.0:

<whodata>
 <restart_audit>yes</restart_audit>
</whodata>

scan_day

Day of the week to run the scans, one entry per line.

Default value n/a
Allowed values Day of the week.

Example:

<scan_day>thursday</scan_day>

scan_on_start

Specifies if syscheck scans immediately when started.

Default value yes
Allowed values yes, no

Example:

<scan_on_start>yes</scan_on_start>

scan_time

Time to run the scans. Times may be represented as 9pm or 8:30.

Default value n/a
Allowed values Time of day.

Example:

<scan_time>8:30</scan_time>

Note

This may delay the initialization of real-time scans.

skip_dev

New in version 3.12.0.

Specifies if syscheck should scan the /dev directory. This option works on Linux and FreeBSD systems.

Default value yes
Allowed values yes, no

Example:

<skip_dev>yes</skip_dev>

skip_nfs

Specifies if syscheck should scan network mounted filesystems. This option works on Linux and FreeBSD systems. Currently, skip_nfs will exclude checking files on CIFS or NFS mounts.

Default value yes
Allowed values yes, no

Example:

<skip_nfs>yes</skip_nfs>

skip_proc

New in version 3.12.0.

Specifies if syscheck should scan the /proc directory. This option works on Linux and FreeBSD systems.

Default value yes
Allowed values yes, no

Example:

<skip_proc>yes</skip_proc>

skip_sys

New in version 3.12.0.

Specifies if syscheck should scan the /sys directory. This option works on Linux systems.

Default value yes
Allowed values yes, no

Example:

<skip_sys>yes</skip_sys>

synchronization

New in version 3.12.0.

The database synchronization settings are configured inside this tag.

<!-- Database synchronization settings -->
<synchronization>
  <enabled>yes</enabled>
  <interval>5m</interval>
  <max_interval>1h</max_interval>
  <response_timeout>30</response_timeout>
  <sync_queue_size>16384</sync_queue_size>
  <max_eps>10</max_eps>
</synchronization>

enabled

New in version 3.12.0.

Specifies whether there will be periodic inventory synchronizations or not.

Default value yes
Allowed values yes, no

interval

New in version 3.12.0.

Specifies the initial number of seconds between inventory synchronizations. If a synchronization fails, the value is doubled until it reaches max_interval.

Default value 300 s
Allowed values Any number greater than or equal to 0. Allowed suffixes: s, m, h, d.

max_interval

New in version 3.12.0.

Specifies the maximum number of seconds between inventory synchronizations.

Default value 1 h
Allowed values Any number greater than or equal to interval. Allowed suffixes: s, m, h, d.
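As an added example (not part of the Wazuh documentation or code base), the following Python parses interval values with the suffixes listed above and works out the waiting times an agent would see when synchronizations keep failing: the wait starts at interval, doubles after each failure and is capped at max_interval. The function names are the example's own, and the assumption that a successful synchronization restarts the sequence is the example's, not something this page states.

```python
import re
from typing import List

# Seconds per suffix; no suffix means plain seconds (the page's default "300 s").
_SUFFIX_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_interval(text: str) -> int:
    """Convert '300', '5m', '1h' or '2d' into seconds using the s/m/h/d
    suffixes listed on this page. Anything else is rejected."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", text)
    if not m:
        raise ValueError(f"invalid interval: {text!r}")
    return int(m.group(1)) * _SUFFIX_SECONDS[m.group(2)]


def backoff_schedule(interval: str, max_interval: str, failures: int) -> List[int]:
    """Seconds the agent waits before each of the next `failures` synchronization
    attempts when every attempt fails: the wait starts at `interval`, doubles
    after each failure and never exceeds `max_interval`. A successful
    synchronization is assumed to start the sequence over again."""
    base = parse_interval(interval)
    cap = parse_interval(max_interval)
    if cap < base:
        # Mirrors the allowed-values rule: max_interval >= interval.
        raise ValueError("max_interval must be greater than or equal to interval")
    waits: List[int] = []
    current = base
    for _ in range(failures):
        waits.append(current)
        current = min(current * 2, cap)
    return waits


if __name__ == "__main__":
    # The page's defaults: 5 minutes initially, capped at one hour.
    print(backoff_schedule("5m", "1h", 6))   # [300, 600, 1200, 2400, 3600, 3600]
```

With the defaults, an agent that cannot reach its manager reaches the one-hour cap after four failures, which is the figure to keep in mind when deciding how stale an inventory may become during an outage.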

response_timeout

New in version 3.12.0.

Specifies how many seconds the agent waits, after sending a message to the manager, for the response. If the response does not arrive within this interval, the message is marked as unanswered (timed out) and the agent may start a new synchronization session at the configured interval.

Default value 30
Allowed values Any number greater than or equal to 0.

queue_size

New in version 3.12.0.

Specifies the queue size of the manager synchronization responses.

Default value 16384
Allowed values Integer number between 2 and 1000000.

max_eps

New in version 3.12.0.

Sets the maximum synchronization message throughput.

Default value 10
Allowed values Integer number between 0 and 1000000. 0 means disabled.

whodata

New in version 3.7.1.

The Whodata options will be configured inside this tag.

<!-- Whodata options -->
<whodata>
    <restart_audit>yes</restart_audit>
    <audit_key>auditkey1,auditkey2</audit_key>
    <startup_healthcheck>yes</startup_healthcheck>
</whodata>

restart_audit

New in version 3.9.0.

Allows the system to restart Auditd after installing the plugin. Note that if this field is set to no, the new whodata rules won't be applied automatically.

Default value yes
Allowed values yes, no

audit_key

New in version 3.7.1.

Sets up the FIM engine to also collect the Audit events tagged with the keys listed in audit_key. Wazuh will include in its FIM baseline the events that Audit is already monitoring under those keys, so on systems where Audit is configured to watch folders for other purposes, Wazuh can consume the events it generates by their key. This option is only available for Linux systems with Audit.

Default value Empty
Allowed values Any string separated by commas

Note

Audit allows spaces inside keys, so any spaces written inside the <audit_key> field will be part of the key.

startup_healthcheck

New in version 3.9.0.

Allows disabling the Audit health check performed when the Whodata engine starts. This option is only available for Linux systems with Audit.

Default value yes
Allowed values yes, no

Warning

The health check ensures that the rules required by Whodata can be set in Audit correctly and also that the generated events can be obtained. Disabling the health check may cause functioning problems in Whodata and loss of FIM events.

For more information, please read auditing who-data

windows_audit_interval

New in version 3.5.0.

Sets the frequency in seconds with which the Windows agent will check that the SACLs of the directories monitored in whodata mode are correct.

Default value 300 seconds
Allowed values Any number from 1 to 9999

Example:

<windows_audit_interval>300</windows_audit_interval>

windows_registry

List of registry entries to be monitored. One entry per line. Multiple lines may be entered to include multiple registry entries.

Default value The default configuration may vary depending on the operating system.
Allowed values Any registry entry.

Attributes:

arch Select the Registry view depending on the architecture.
Default value 32bit
Allowed values 32bit, 64bit, both
tags

Add tags to alerts for monitored registry entries.

New in version 3.6.0.

Allowed values Tags list separated by commas

Example:

<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
<windows_registry tags="services-registry">HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>

Note

New entries will not trigger alerts, only changes to existing entries.

Default syscheck configuration:

<!-- File integrity monitoring -->
<syscheck>
 <disabled>no</disabled>
 <!-- Frequency that syscheck is executed default every 12 hours -->
 <frequency>43200</frequency>
 <scan_on_start>yes</scan_on_start>
 <!-- Generate alert when new file detected -->
 <alert_new_files>yes</alert_new_files>
 <!-- Don't ignore files that change more than 'frequency' times -->
 <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>
 <!-- Directories to check  (perform all possible verifications) -->
 <directories>/etc,/usr/bin,/usr/sbin</directories>
 <directories>/bin,/sbin,/boot</directories>
 <!-- Files/directories to ignore -->
 <ignore>/etc/mtab</ignore>
 <ignore>/etc/hosts.deny</ignore>
 <ignore>/etc/mail/statistics</ignore>
 <ignore>/etc/random-seed</ignore>
 <ignore>/etc/random.seed</ignore>
 <ignore>/etc/adjtime</ignore>
 <ignore>/etc/httpd/logs</ignore>
 <ignore>/etc/utmpx</ignore>
 <ignore>/etc/wtmpx</ignore>
 <ignore>/etc/cups/certs</ignore>
 <ignore>/etc/dumpdates</ignore>
 <ignore>/etc/svc/volatile</ignore>
 <!-- File types to ignore -->
 <ignore type="sregex">.log$|.swp$</ignore>
 <!-- Check the file, but never compute the diff -->
 <nodiff>/etc/ssl/private.key</nodiff>
 <skip_nfs>yes</skip_nfs>
 <skip_dev>yes</skip_dev>
 <skip_proc>yes</skip_proc>
 <skip_sys>yes</skip_sys>
 <!-- Nice value for Syscheck process -->
 <process_priority>10</process_priority>
 <!-- Maximum output throughput -->
 <max_eps>100</max_eps>
 <!-- Database synchronization settings -->
 <synchronization>
   <enabled>yes</enabled>
   <interval>5m</interval>
   <max_interval>1h</max_interval>
   <max_eps>10</max_eps>
 </synchronization>
</syscheck>
<!-- File integrity monitoring -->
<syscheck>
 <disabled>no</disabled>
 <!-- Frequency that syscheck is executed default every 12 hours -->
 <frequency>43200</frequency>
 <scan_on_start>yes</scan_on_start>
 <!-- Directories to check  (perform all possible verifications) -->
 <directories>/etc,/usr/bin,/usr/sbin</directories>
 <directories>/bin,/sbin,/boot</directories>
 <!-- Files/directories to ignore -->
 <ignore>/etc/mtab</ignore>
 <ignore>/etc/hosts.deny</ignore>
 <ignore>/etc/mail/statistics</ignore>
 <ignore>/etc/random-seed</ignore>
 <ignore>/etc/random.seed</ignore>
 <ignore>/etc/adjtime</ignore>
 <ignore>/etc/httpd/logs</ignore>
 <ignore>/etc/utmpx</ignore>
 <ignore>/etc/wtmpx</ignore>
 <ignore>/etc/cups/certs</ignore>
 <ignore>/etc/dumpdates</ignore>
 <ignore>/etc/svc/volatile</ignore>
 <!-- File types to ignore -->
 <ignore type="sregex">.log$|.swp$</ignore>
 <!-- Check the file, but never compute the diff -->
 <nodiff>/etc/ssl/private.key</nodiff>
 <skip_nfs>yes</skip_nfs>
 <skip_dev>yes</skip_dev>
 <skip_proc>yes</skip_proc>
 <skip_sys>yes</skip_sys>
 <!-- Nice value for Syscheck process -->
 <process_priority>10</process_priority>
 <!-- Maximum output throughput -->
 <max_eps>100</max_eps>
 <!-- Database synchronization settings -->
 <synchronization>
   <enabled>yes</enabled>
   <interval>5m</interval>
   <max_interval>1h</max_interval>
   <max_eps>10</max_eps>
 </synchronization>
</syscheck>
<!-- File integrity monitoring -->
<syscheck>
 <disabled>no</disabled>
 <!-- Frequency that syscheck is executed default every 12 hours -->
 <frequency>43200</frequency>
 <!-- Default files to be monitored. -->
 <directories recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$">%WINDIR%</directories>
 <directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$">%WINDIR%\SysNative</directories>
 <directories recursion_level="0">%WINDIR%\SysNative\drivers\etc</directories>
 <directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\SysNative\wbem</directories>
 <directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\SysNative\WindowsPowerShell\v1.0</directories>
 <directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\SysNative</directories>
 <!-- 32-bit programs. -->
 <directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$">%WINDIR%\System32</directories>
 <directories recursion_level="0">%WINDIR%\System32\drivers\etc</directories>
 <directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\System32\wbem</directories>
 <directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\System32\WindowsPowerShell\v1.0</directories>
 <directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\System32</directories>
 <directories realtime="yes">%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup</directories>
 <ignore>%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini</ignore>
 <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
 <!-- Windows registry entries to monitor. -->
 <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
 <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
 <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
 <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
 <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
 <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
 <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
 <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
 <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
 <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
 <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
 <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
 <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
 <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
 <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
 <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
 <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
 <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
 <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
 <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
 <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
 <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
 <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
 <!-- Windows registry entries to ignore. -->
 <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
 <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
 <registry_ignore type="sregex">\Enum$</registry_ignore>
 <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs</registry_ignore>
 <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP</registry_ignore>
 <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn</registry_ignore>
 <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut</registry_ignore>
 <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap</registry_ignore>
 <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo</registry_ignore>
 <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache</registry_ignore>
 <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</registry_ignore>
 <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final</registry_ignore>
 <!-- Frequency for ACL checking (seconds) -->
 <windows_audit_interval>60</windows_audit_interval>
 <!-- Nice value for Syscheck module -->
 <process_priority>10</process_priority>
 <!-- Maximum output throughput -->
 <max_eps>100</max_eps>
 <!-- Database synchronization settings -->
 <synchronization>
   <enabled>yes</enabled>
   <interval>5m</interval>
   <max_interval>1h</max_interval>
   <max_eps>10</max_eps>
 </synchronization>
</syscheck>
<!-- File integrity monitoring -->
<syscheck>
 <disabled>no</disabled>
 <!-- Frequency that syscheck is executed default every 12 hours -->
 <frequency>43200</frequency>
 <scan_on_start>yes</scan_on_start>
 <!-- Directories to check  (perform all possible verifications) -->
 <directories>/etc,/usr/bin,/usr/sbin</directories>
 <directories>/bin,/sbin</directories>
 <!-- Files/directories to ignore -->
 <ignore>/etc/mtab</ignore>
 <ignore>/etc/hosts.deny</ignore>
 <ignore>/etc/mail/statistics</ignore>
 <ignore>/etc/random-seed</ignore>
 <ignore>/etc/random.seed</ignore>
 <ignore>/etc/adjtime</ignore>
 <ignore>/etc/httpd/logs</ignore>
 <ignore>/etc/utmpx</ignore>
 <ignore>/etc/wtmpx</ignore>
 <ignore>/etc/cups/certs</ignore>
 <ignore>/etc/dumpdates</ignore>
 <ignore>/etc/svc/volatile</ignore>
 <!-- File types to ignore -->
 <ignore type="sregex">.log$|.swp$</ignore>
 <!-- Check the file, but never compute the diff -->
 <nodiff>/etc/ssl/private.key</nodiff>
 <skip_nfs>yes</skip_nfs>
 <skip_dev>yes</skip_dev>
 <skip_proc>yes</skip_proc>
 <skip_sys>yes</skip_sys>
 <!-- Nice value for Syscheck process -->
 <process_priority>10</process_priority>
 <!-- Maximum output throughput -->
 <max_eps>100</max_eps>
 <!-- Database synchronization settings -->
 <synchronization>
   <enabled>yes</enabled>
   <interval>5m</interval>
   <max_interval>1h</max_interval>
   <max_eps>10</max_eps>
 </synchronization>
</syscheck>