Basic usage
Syscheck is configured in the ossec.conf file. Generally this configuration is set using the following sections:
For detailed configuration options, go to Syscheck.
To configure syscheck, a list of files and directories must be identified. The check_all option checks file size, permissions, owner, last modification date, inode and all the hash sums (MD5, SHA1 and SHA256).
The directories pushed from centralized configuration are overwritten in the ossec.conf file if the directory path is the same.
<syscheck>
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/root/users.txt,/bsd,/root/db.html</directories>
</syscheck>
Configuring scheduled scans
Syscheck has an option to configure the frequency of the system scans. The frequency value is given in seconds; in this example, syscheck is configured to run every 10 hours (36000 seconds).
<syscheck>
  <frequency>36000</frequency>
  <directories>/etc,/usr/bin,/usr/sbin</directories>
  <directories>/bin,/sbin</directories>
</syscheck>
Configuring real-time monitoring
Real-time monitoring is configured with the realtime option. This option only works with directories, not with individual files. Real-time change detection is paused during periodic syscheck scans and reactivates as soon as these scans are complete.
<syscheck>
  <directories check_all="yes" realtime="yes">c:/tmp</directories>
</syscheck>
Configuring who-data monitoring
New in version 3.4.0.
Who-data monitoring is configured with the whodata option. This option replaces the realtime option: whodata implies real-time monitoring, with the who-data information (who made the change) added to each event.
This functionality uses the Linux Audit subsystem and Microsoft Windows SACLs, so additional configuration might be necessary. Check the Auditing who-data entry for further information.
<syscheck>
  <directories check_all="yes" whodata="yes">/etc</directories>
</syscheck>
Configure to report changes
With the report_changes option, we can see what specifically changed in text files. Be careful about which folders you enable report_changes for, because in order to do this, Wazuh copies every single file you want to monitor to a private location.
<syscheck>
  <directories check_all="yes" realtime="yes" report_changes="yes">/test</directories>
</syscheck>
Configure to ignore files
Files and directories can be omitted using the ignore option (or registry_ignore for Windows registry entries). In order to avoid false positives, syscheck can be configured to ignore certain files that don't need to be monitored.
<syscheck>
  <ignore>/etc/random-seed</ignore>
  <ignore>/root/dir</ignore>
  <ignore type="sregex">.log$|.tmp</ignore>
</syscheck>
Configure maximum recursion level allowed
New in version 3.6.0.
It is possible to configure the maximum recursion level allowed for a specific directory by setting the recursion_level option. This option must be an integer between 0 and 320. An example of use:
<syscheck>
  <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
  <directories check_all="yes">/root/users.txt,/bsd,/root/db.html</directories>
  <directories check_all="yes" recursion_level="3">folder_test</directories>
</syscheck>
Using the following directory structure, with recursion_level set to 3 for folder_test as above:
folder_test
├── file_0.txt
└── level_1
    ├── file_1.txt
    └── level_2
        ├── file_2.txt
        └── level_3
            ├── file_3.txt
            └── level_4
                ├── file_4.txt
                └── level_5
                    └── file_5.txt
We will receive alerts for all files up to folder_test/level_1/level_2/level_3/ but we won't receive alerts from any directory deeper than that.
If we don't want any recursion (just get alerts from the files in the monitored folder), we must set recursion_level to 0.
If recursion_level is not specified, it will be set to the default value defined by syscheck.default_max_depth in the internal options configuration file.
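Before rolling a recursion_level or ignore change out to agents, it helps to check which paths would still be monitored. The following script is an added example, not code from Wazuh or from this page: it parses a constructed <syscheck> fragment modelled on the examples above, walks a constructed file list that reproduces the folder_test tree, and reports for each path whether it is monitored, cut off by recursion_level, or dropped by an ignore entry. The sregex matcher models only the ^, $ and | operators (everything else literal), plain ignore entries are treated as matching the entry and anything below it, the most specific configured directory is assumed to decide a path's depth, and DEFAULT_MAX_DEPTH stands in for the value that syscheck.default_max_depth would supply; all of these are assumptions of the model.

```python
import xml.etree.ElementTree as ET

# Constructed syscheck fragment modelled on this page's examples; it is not a
# file shipped by Wazuh. flat_dir and the extra files are added for illustration.
SYSCHECK_XML = """
<syscheck>
  <directories check_all="yes" recursion_level="3">folder_test</directories>
  <directories check_all="yes" recursion_level="0">flat_dir</directories>
  <ignore>folder_test/level_1/file_1.txt</ignore>
  <ignore type="sregex">.log$|.tmp</ignore>
</syscheck>
"""

# Assumption: stands in for syscheck.default_max_depth from the internal
# options file; the real value is read from that file, not hard-coded.
DEFAULT_MAX_DEPTH = 256

# Constructed file list reproducing the page's folder_test tree plus extras.
SAMPLE_FILES = [
    "folder_test/file_0.txt",
    "folder_test/level_1/file_1.txt",
    "folder_test/level_1/level_2/file_2.txt",
    "folder_test/level_1/level_2/level_3/file_3.txt",
    "folder_test/level_1/level_2/level_3/level_4/file_4.txt",
    "folder_test/level_1/level_2/level_3/level_4/level_5/file_5.txt",
    "folder_test/level_1/app.log",
    "folder_test/build.tmp.bak",
    "flat_dir/config.ini",
    "flat_dir/sub/secret.key",
    "elsewhere/notes.txt",
]


def parse_syscheck(xml_text):
    """Return ([(directory, max_depth)], [(ignore_type, pattern)])."""
    root = ET.fromstring(xml_text)
    dirs = []
    for elem in root.findall("directories"):
        depth = int(elem.get("recursion_level", DEFAULT_MAX_DEPTH))
        if not 0 <= depth <= 320:  # range stated on this page
            raise ValueError(f"recursion_level must be 0..320, got {depth}")
        for path in elem.text.split(","):
            dirs.append((path.strip().rstrip("/"), depth))
    ignores = [(elem.get("type", "plain"), elem.text.strip())
               for elem in root.findall("ignore")]
    return dirs, ignores


def sregex_match(pattern, text):
    """Model of OSSEC sregex: only ^, $ and | are special, all else is literal,
    so '.log$|.tmp' means 'ends with .log' OR 'contains .tmp'."""
    for alt in pattern.split("|"):
        start, end = alt.startswith("^"), alt.endswith("$")
        lo = 1 if start else 0
        hi = len(alt) - 1 if end else len(alt)
        literal = alt[lo:hi]
        if start and end:
            hit = text == literal
        elif start:
            hit = text.startswith(literal)
        elif end:
            hit = text.endswith(literal)
        else:
            hit = literal in text
        if hit:
            return True
    return False


def is_ignored(path, ignores):
    for kind, pattern in ignores:
        if kind == "sregex":
            if sregex_match(pattern, path):
                return True
        elif path == pattern or path.startswith(pattern + "/"):
            # plain ignore: the entry itself and anything below it (assumption)
            return True
    return False


def depth_under(path, directory):
    """0 for a file directly inside directory, 1 one level down, None if outside."""
    if not path.startswith(directory + "/"):
        return None
    return path[len(directory) + 1:].count("/")


def classify(files, dirs, ignores):
    """Map each path to why it will or will not raise syscheck alerts."""
    result = {}
    for path in files:
        # Most specific (longest) configured directory wins: an assumption of this model.
        hits = [(len(d), d, m) for d, m in dirs if depth_under(path, d) is not None]
        if not hits:
            result[path] = "not under a monitored directory"
            continue
        _, directory, max_depth = max(hits)
        depth = depth_under(path, directory)
        if depth > max_depth:
            result[path] = f"depth {depth} exceeds recursion_level {max_depth}"
        elif is_ignored(path, ignores):
            result[path] = "matches an ignore entry"
        else:
            result[path] = "monitored"
    return result


if __name__ == "__main__":
    dirs, ignores = parse_syscheck(SYSCHECK_XML)
    for path, verdict in classify(SAMPLE_FILES, dirs, ignores).items():
        print(f"{path:60} {verdict}")
```

Running it shows file_0.txt through file_3.txt as monitored and file_4.txt and file_5.txt cut off, matching the description above, and flat_dir/sub/secret.key cut off because recursion_level="0" keeps only the files directly inside flat_dir. The sregex matcher also makes the semantics of `.log$|.tmp` explicit: the `.` is literal, so `build.tmp.bak` is ignored because it contains `.tmp`.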
Ignoring files via rules
It is also possible to ignore files using rules, as in this example:
<rule id="100345" level="0">
  <if_group>syscheck</if_group>
  <match>/var/www/htdocs</match>
  <description>Ignore changes to /var/www/htdocs</description>
</rule>
Changing severity
With a custom rule, the level of a syscheck alert can be altered when changes to a specific file or file pattern are detected.
<rule id="100345" level="12">
  <if_group>syscheck</if_group>
  <match>/var/www/htdocs</match>
  <description>Changes to /var/www/htdocs - Critical file!</description>
</rule>
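The two rules above are alternatives with the same id: one silences syscheck alerts under /var/www/htdocs (level 0 means no alert is written) and the other raises them to level 12. The script below is an added example, not Wazuh's rule engine or code from this page: it parses each rule with ElementTree and applies it to a few constructed syscheck events to show the resulting level. It simplifies <match> to a substring test (exact for the path patterns on this page), treats <if_group> as restricting the rule to events of that group, and uses a base level of 7 for the generic FIM event as a constructed value, not one taken from this page.

```python
import xml.etree.ElementTree as ET

# The two rules from this page, as constructed strings (in practice they would
# live in local_rules.xml). They share an id because they are alternatives.
IGNORE_RULE = """
<rule id="100345" level="0">
  <if_group>syscheck</if_group>
  <match>/var/www/htdocs</match>
  <description>Ignore changes to /var/www/htdocs</description>
</rule>
"""

SEVERITY_RULE = """
<rule id="100345" level="12">
  <if_group>syscheck</if_group>
  <match>/var/www/htdocs</match>
  <description>Changes to /var/www/htdocs - Critical file!</description>
</rule>
"""

# Constructed events: (group of the alert that fired, changed path, its level).
# The base level 7 is an assumption for illustration.
SAMPLE_EVENTS = [
    ("syscheck", "/var/www/htdocs/index.php", 7),
    ("syscheck", "/etc/passwd", 7),
    # Same path in a different group: the rule must not fire because of <if_group>.
    ("sshd", "/var/www/htdocs/index.php", 5),
]


def parse_rules(*xml_texts):
    """Parse one <rule> element per string into a list of dicts."""
    rules = []
    for text in xml_texts:
        elem = ET.fromstring(text)
        rules.append({
            "id": elem.get("id"),
            "level": int(elem.get("level")),
            "if_group": elem.findtext("if_group"),
            "match": elem.findtext("match"),
            "description": elem.findtext("description"),
        })
    return rules


def apply_rules(events, rules):
    """Return [(group, path, final_level, rule_id)] for each event.

    A rule overrides the level when its <if_group> equals the event's group
    and its <match> text occurs in the path (substring model, see lead-in).
    """
    out = []
    for group, path, base_level in events:
        level, rule_id = base_level, None
        for rule in rules:
            if rule["if_group"] == group and rule["match"] in path:
                level, rule_id = rule["level"], rule["id"]
                break
        out.append((group, path, level, rule_id))
    return out


def alerts_written(events, rules):
    """Only alerts with level > 0 are written; level 0 silences the event."""
    return [(path, level) for _, path, level, _ in apply_rules(events, rules)
            if level > 0]


if __name__ == "__main__":
    for label, rule_xml in (("ignore rule", IGNORE_RULE), ("severity rule", SEVERITY_RULE)):
        print(f"--- with {label} ---")
        for group, path, level, rule_id in apply_rules(SAMPLE_EVENTS, parse_rules(rule_xml)):
            print(f"{group:9} {path:30} level {level:2} rule {rule_id}")
```

With the ignore rule loaded, the change under /var/www/htdocs ends at level 0 and is not written, while /etc/passwd keeps its base level; with the severity rule loaded the same change is written at level 12. The sshd event with the same path is untouched in both cases, which is the effect of <if_group>.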