Warning: This is the documentation for Wazuh 3.5. Check out the docs for the latest version of Wazuh!
Manual configuration of the Local Audit Policies in Windows
To manually configure the audit policies needed to run Syscheck's whodata mode, you must enable auditing of successful events; whodata relies on the resulting Object Access events to identify who changed a monitored file. You can do this from the Local Group Policy Editor, which is opened with the following command:
gpedit.msc
Advanced Audit Policy Configuration section method
This is the recommended way to configure the policies. Enable success auditing for the following subcategories:
Object Access -> File System
Object Access -> Handle Manipulation
Audit Policy section method
This option is only recommended if the previous method cannot be followed because your host is Windows Vista or Windows Server 2008. To do this, edit the following policy and enable it for successful events:
Security Settings -> Local Policies -> Audit Policy -> Audit object access
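As an added example that is not part of the Wazuh documentation, the same settings can be applied and then verified from an elevated PowerShell session with the built-in auditpol tool instead of gpedit.msc. It assumes an English-language Windows, so that the subcategory names below match the ones auditpol reports.

```powershell
# Added example (not from the Wazuh docs): enable the success auditing that
# Syscheck's whodata mode needs, then verify the effective policy.
# Run from an elevated (Administrator) PowerShell prompt.

# Advanced Audit Policy Configuration method (recommended): the two
# Object Access subcategories named in the documentation.
$subcategories = @('File System', 'Handle Manipulation')

# Set $legacy = $true on Windows Vista / Server 2008 to use the older
# category-level "Audit object access" setting instead.
$legacy = $false

if ($legacy) {
    # Category-level setting; success auditing is all whodata requires.
    auditpol /set /category:"Object Access" /success:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for category 'Object Access'" }
} else {
    foreach ($sub in $subcategories) {
        # Only successful accesses are required; failure auditing is left unchanged.
        auditpol /set /subcategory:"$sub" /success:enable | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$sub'" }
    }
}

# Verification: 'auditpol /get ... /r' prints CSV whose 'Inclusion Setting'
# column holds the effective policy (e.g. "Success", "Success and Failure",
# "No Auditing"). On localized systems, list the GUIDs with
# 'auditpol /list /subcategory:* /v' and pass a GUID instead of the name.
foreach ($sub in $subcategories) {
    $row = auditpol /get /subcategory:"$sub" /r | ConvertFrom-Csv
    $setting = $row.'Inclusion Setting'
    $status = if ($setting -match 'Success') { 'OK' } else { 'MISSING - whodata will not work' }
    '{0,-20} {1,-22} {2}' -f $sub, $setting, $status
}
```

Settings applied locally with auditpol can be overridden at the next Group Policy refresh if a domain policy also defines these audit settings, so re-run the verification loop after a `gpupdate /force` on domain-joined hosts.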