Attention: This documentation does not apply to the most recent version of Wazuh. Check out the docs for the latest version.

    File integrity monitoring

Wazuh’s File integrity monitoring (FIM) system watches selected files and Windows registry keys, triggering alerts when they are modified. The component responsible for this task is called syscheck. It stores the cryptographic checksums and other attributes (such as size, permissions, ownership and modification time) of a known-good file or registry key and regularly compares them with the current state of that file on the system, reporting any difference as an alert.
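The following is an added example, not Wazuh's own syscheck code, that models the mechanism described above: a baseline of checksums and attributes is recorded for every file under a directory, the directory is rescanned later, and each added, deleted or modified file becomes an event. It also models two of the options listed in the contents below, ignore patterns and a maximum recursion level, using a simplified glob-based ignore rather than syscheck's own matching. The directory tree, file contents and tampering steps are constructed inside the example so it runs offline; the real syscheck keeps its baseline in its own database and delivers alerts through the manager rather than returning them as a list.

```python
"""Minimal model of how a syscheck-style FIM builds a baseline and detects changes.

Constructed example, not Wazuh code. The baseline is a plain dict keyed by
absolute path and the "alerts" are returned as a list of event dicts.
"""
import fnmatch
import hashlib
import os
import stat
import tempfile


def file_attributes(path):
    """Record the attributes syscheck keeps for a file: md5/sha1/sha256 plus
    size, permissions, owner, group, mtime and inode."""
    st = os.lstat(path)
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            for h in digests.values():
                h.update(chunk)
    attrs = {
        "size": st.st_size,
        "perm": oct(stat.S_IMODE(st.st_mode)),
        "uid": st.st_uid,
        "gid": st.st_gid,
        "mtime": int(st.st_mtime),
        "inode": st.st_ino,
    }
    attrs.update({name: h.hexdigest() for name, h in digests.items()})
    return attrs


def build_baseline(root, ignore=(), recursion_level=None):
    """Walk `root` and snapshot every regular file (symlinks are skipped).

    `ignore` holds glob patterns matched against the full path (a simplification
    of syscheck's <ignore> entries); `recursion_level` caps subdirectory depth,
    0 meaning only files directly under `root`.
    """
    baseline = {}
    root = os.path.abspath(root)
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        depth = 0 if rel == "." else rel.count(os.sep) + 1
        if recursion_level is not None and depth >= recursion_level:
            dirnames[:] = []  # stop os.walk from descending further
        for name in filenames:
            full = os.path.join(dirpath, name)
            if any(fnmatch.fnmatch(full, pat) for pat in ignore):
                continue
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            baseline[full] = file_attributes(full)
    return baseline


def compare(baseline, current):
    """Diff two snapshots and return the events a FIM would alert on."""
    events = []
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            events.append({"event": "added", "path": path})
        elif path not in current:
            events.append({"event": "deleted", "path": path})
        else:
            changed = [k for k in baseline[path] if baseline[path][k] != current[path][k]]
            if changed:
                events.append({"event": "modified", "path": path, "changed": changed})
    return events


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as root:
        files = {  # constructed sample files, not real system content
            "passwd": b"root:x:0:0:root:/root:/bin/bash\n",
            "conf/app.cfg": b"debug = false\n",
            "conf/deep/nested.cfg": b"below the recursion limit\n",
            "scratch.tmp": b"temporary\n",
        }
        for rel, data in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)

        ignore = [os.path.join(root, "*.tmp")]
        baseline = build_baseline(root, ignore=ignore, recursion_level=1)

        # Tamper: append to passwd, delete app.cfg, create new.cfg, touch the ignored file.
        with open(os.path.join(root, "passwd"), "ab") as fh:
            fh.write(b"backdoor:x:0:0::/:/bin/sh\n")
        os.remove(os.path.join(root, "conf", "app.cfg"))
        with open(os.path.join(root, "conf", "new.cfg"), "wb") as fh:
            fh.write(b"added\n")
        with open(os.path.join(root, "scratch.tmp"), "ab") as fh:
            fh.write(b"ignored\n")

        current = build_baseline(root, ignore=ignore, recursion_level=1)
        events = compare(baseline, current)
        for ev in events:  # report paths relative to the tree root
            ev["path"] = os.path.relpath(ev["path"], root).replace(os.sep, "/")
        return events


if __name__ == "__main__":
    for ev in demo():
        print(ev)
```

Running the scenario yields a deletion for `conf/app.cfg`, an addition for `conf/new.cfg` and a modification for `passwd` whose changed attributes include `size` and the three checksums; `scratch.tmp` is silent because of the ignore pattern and `conf/deep/nested.cfg` never enters the baseline because it sits beyond the recursion level.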

    Contents

    • How it works
    • Configuration
      • Basic usage
      • Configuring scheduled scans
      • Configuring real-time monitoring
      • Configuring who-data monitoring
      • Configure to report changes
      • Configure to ignore files
      • Configure maximum recursion level allowed
      • Ignoring files via rules
      • Changing severity
    • FAQ
      • How often does syscheck run?
      • What is the CPU usage like on the agents?
      • Where are all the checksums stored?
      • Can I ignore files in a directory?
      • Can Wazuh report changes in the content of a text file?
      • How does Wazuh verify the integrity of files?
      • Does Wazuh monitor any directories by default?
      • Can I force an immediate syscheck scan?
      • Does Syscheck start when Wazuh starts?
      • Does Wazuh alert when a new file is created?
      • How does FIM manage historical records in its database?
      • How can I migrate my old DB information into a new SQLite database?
    © 2022 · Wazuh Inc.