Configuration

  1. Basic usage

  2. Configuring scheduled scans

  3. Configuring real-time monitoring

  4. Configure to report changes

  5. Configure to ignore files

  6. Ignoring files via rules

  7. Changing severity

Basic usage

Syscheck is configured in the ossec.conf file. Generally this configuration is set using the following sections:

For detailed configuration options, go to Syscheck.

To configure syscheck, the files and directories to monitor must be listed. The check_all option checks the md5 hash, sha1 hash, owner, and permissions of each file.

<syscheck>
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/root/users.txt,/bsd,/root/db.html</directories>
</syscheck>
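As an added illustration (not part of the Wazuh documentation or code base), the following Python script collects the same attribute set that check_all="yes" covers for every file under a list of directories, keeps a baseline snapshot, and reports which attributes differ on a later scan. The demo() scenario, its temporary directory and its file names are constructed for the example.

```python
import hashlib
import os
import pathlib
import stat
import tempfile

def file_attributes(path):
    # The attribute set check_all="yes" covers: md5, sha1, owner and permissions.
    st = os.stat(path)
    with open(path, "rb") as fh:
        data = fh.read()
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest(),
            "owner": st.st_uid, "perms": stat.filemode(st.st_mode)}

def snapshot(directories):
    # Walk every monitored directory (the <directories> list) and record each regular file.
    snap = {}
    for root in directories:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.isfile(path):
                    snap[path] = file_attributes(path)
    return snap

def compare(baseline, current):
    # Map path -> "added", "deleted", or the sorted list of attributes that differ.
    events = {}
    for path in set(baseline) | set(current):
        if path not in baseline or path not in current:
            events[path] = "added" if path not in baseline else "deleted"
        else:
            changed = sorted(k for k in baseline[path] if baseline[path][k] != current[path][k])
            if changed:
                events[path] = changed
    return events

def demo():
    # Constructed scenario: baseline scan, then a content edit, a chmod and a new file.
    with tempfile.TemporaryDirectory() as root:
        a, b, c = (pathlib.Path(root, n) for n in ("a.conf", "b.conf", "c.conf"))
        a.write_text("original\n")
        b.write_text("original\n")
        b.chmod(0o644)
        base = snapshot([root])
        a.write_text("original\ntampered\n")   # content change -> md5 and sha1 differ
        b.chmod(0o600)                          # permission change only
        c.write_text("new\n")                   # new file appears between scans
        events = compare(base, snapshot([root]))
        return {os.path.basename(k): v for k, v in events.items()}
```

Running demo() shows a content edit surfacing as both hash attributes changing, a chmod surfacing as a permissions-only change, and a new file reported as added, which is the distinction the syscheck alerts for a check_all directory make.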

Configuring scheduled scans

Syscheck has an option to configure the frequency of the system scans, expressed in seconds. In this example, syscheck is configured to run every 10 hours (36000 seconds).

<syscheck>
  <frequency>36000</frequency>
  <directories>/etc,/usr/bin,/usr/sbin</directories>
  <directories>/bin,/sbin</directories>
</syscheck>

Configuring real-time monitoring

Real-time monitoring is configured with the realtime option. This option only works with directories rather than with individual files. Real-time change detection is paused during periodic syscheck scans and reactivates as soon as these scans are complete.

<syscheck>
        <directories check_all="yes" realtime="yes">c:/tmp</directories>
</syscheck>

Configure to report changes

Using the report_changes option, we can see what specifically changed in text files. Be careful about which directories you enable report_changes on, because in order to produce the diff, Wazuh copies every single file you want to monitor to a private location.

<syscheck>
        <directories check_all="yes" realtime="yes" report_changes="yes">/test</directories>
</syscheck>

Configure to ignore files

Files and directories can be omitted using the ignore option (or registry_ignore for Windows registry entries). In order to avoid false positives, syscheck can be configured to ignore certain files that don't need to be monitored.

<syscheck>
    <ignore>/etc/random-seed</ignore>
    <ignore>/root/dir</ignore>
    <ignore type="sregex">.log$|.tmp</ignore>
</syscheck>

Ignoring files via rules

It is also possible to ignore files using rules, as in this example:

<rule id="100345" level="0">
    <if_group>syscheck</if_group>
    <match>/var/www/htdocs</match>
    <description>Ignore changes to /var/www/htdocs</description>
</rule>

Changing severity

With a custom rule, the level of a syscheck alert can be altered when changes to a specific file or file pattern are detected.

<rule id="100345" level="12">
    <if_group>syscheck</if_group>
    <match>/var/www/htdocs</match>
    <description>Changes to /var/www/htdocs - Critical file!</description>
</rule>