This is the documentation for Wazuh 3.7. Check out the docs for the latest version of Wazuh!

How it works

  1. The Wazuh agent scans the system and sends the checksums and attributes of monitored files and Windows registry keys to the Wazuh manager. The following options are configurable:
  • Frequency: By default, syscheck runs every 12 hours.
  • Real-time monitoring: Wazuh supports real-time file integrity monitoring on servers running Windows or Linux (Solaris does not support Inotify so is not available for this system). Note that the real-time option can only be used for directories and not for individual files.
  • Whodata: This feature works like real-time, in addition provides information about who triggered the event.
  1. The Wazuh manager stores the checksums and attributes of the monitored files and looks for modifications by comparing the new values to the old values.

Note

Syscheck can be configured to report a diff summary of the actual changes made to text files.

  1. An alert is generated any time that modifications are detected in the monitored files and/or registry keys.

False positives can be addressed using the ignore configuration option or by creating rules that list files to be excluded from FIM alerts.

Alert example, generated by FIM:

** Alert 1540815355.847397: - ossec,syscheck,pci_dss_11.5,gpg13_4.11,gdpr_II_5.1.f,
2018 Oct 29 13:15:55 (ubuntu) 10.0.0.144->syscheck
Rule: 550 (level 7) -> 'Integrity checksum changed.'
File '/test/hello' checksum changed.
Old md5sum was: '2a4732b1de5db823e94d662d207b8fb2'
New md5sum is : '146c07ef2479cedcd54c7c2af5cf3a80'
Old sha1sum was: 'b89f4786dcf00fb1c4ddc6ad282ca0feb3e18e1b'
New sha1sum is : 'e1efc99729beb17560e02d1f5c15a42a985fe42c'
Old sha256sum was: 'a8a3ea3ddbea6b521e4c0e8f2cca8405e75c042b2a7ed848baaa03e867355bc2'
New sha256sum is : 'a7998f247bd965694ff227fa325c81169a07471a8b6808d3e002a486c4e65975'
Old modification time was: 'Mon Oct 29 13:15:19 2018', now it is 'Mon Oct 29 13:15:54 2018'
(Audit) User: 'root (0)'
(Audit) Login user: 'test (1000)'
(Audit) Effective user: 'root (0)'
(Audit) Group: 'root (0)'
(Audit) Process id: '26089'
(Audit) Process name: '/bin/nano'

Attributes:
- Size: 4
- Permissions: 100644
- Date: Mon Oct 29 13:15:54 2018
- Inode: 537259
- User: root (0)
- Group: root (0)
- MD5: 146c07ef2479cedcd54c7c2af5cf3a80
- SHA1: e1efc99729beb17560e02d1f5c15a42a985fe42c
- SHA256: a7998f247bd965694ff227fa325c81169a07471a8b6808d3e002a486c4e65975