This is the documentation for Wazuh 3.9. Check out the docs for the latest version of Wazuh!

FAQ

  1. How often does syscheck run?
  2. What is the CPU usage like on the agents?
  3. Where are all the checksums stored?
  4. Can I ignore files in a directory?
  5. Can Wazuh report changes in the content of a text file?
  6. How does Wazuh verify the integrity of files?
  7. Does Wazuh monitor any directories by default?
  8. Can I force an immediate syscheck scan?
  9. Does Syscheck start when Wazuh starts?
  10. Does Wazuh alert when a new file is created?
  11. How FIM manages historical records in his database?
  12. How can I migrate my old DB information into a new SQLite database?
  13. Can I hot-swap monitored directories?

How often does syscheck run?

By default, Syscheck runs every 12 hours, but the interval between scans can be user-defined with the frequency option.

What is the CPU usage like on the agents?

Syscheck scans are designed to run slowly to avoid too much CPU or memory use.

Where are all the checksums stored?

The data collected by the FIM daemon is sent to Analysisd to analyze if we should send an alert. Analysisd sends a query to Wazuh-db to collect old data from that file. When we receive a response the checksum is compared with the string sent by the agent and if the checksum changes, we report an alert.

For Wazuh 3.7.0 the FIM decoder communicates with Wazuh-DB and stores all the data in an SQL database. A DB is created for each agent, which stores information related to it. On every database, we can find the fim_entry table, which contains the FIM records.

Can I ignore files in a directory?

Yes, you can use the ignore option to avoid false positives. See an example of this configuration by clicking on ignore-false-positives

Can Wazuh report changes in the content of a text file?

Yes, this is possible when monitoring directories. Using the report_changes option gives the exact content that has been changed in text files within the directory being monitored. Be selective about which folders you use report_changes on, because this requires syscheck to copy every single file you want to monitor with report_changes to a private location for comparison purposes.

See an example of this configuration by clicking on report changes

How does Wazuh verify the integrity of files?

The Wazuh manager stores and looks for modifications to all the checksums and file attributes received from the agents for the monitored files. It then compares the new checksums and attributes against the stored ones, generating an alert when changes are detected.

Does Wazuh monitor any directories by default?

Yes. By default Wazuh monitors /etc, /usr/bin, /usr/sbin, /bin and /sbin on Unix-like systems and C:\Windows\System32 on Windows systems.

Can I force an immediate syscheck scan?

Yes, you can force an agent to perform a system integrity check with:

/var/ossec/bin/agent_control -r -a
/var/ossec/bin/agent_control -r -u <agent_id>

See the Ossec control section for more information.

Does Syscheck start when Wazuh starts?

By default, syscheck scans when Wazuh starts, however, this behavior can be changed with the scan_on_start option

Does Wazuh alert when a new file is created?

Wazuh can send an alert when a new file is created, however, this configuration option would need to be set up by the user. Use the alert_new_files option for this configuration.

How FIM manages historical records in his database?

Since Wazuh 3.7.0, FIM deletes the old records from the database. Every record that is no longer monitored is cataloged as historical. The deletion of the database is done, for security reasons, after the agent has been restarted 3 times.

How can I migrate my old DB information into a new SQLite database?

We provide a tool to migrate all registries to the new database. You can checkit in fim upgrade tool section.

Can I hot-swap monitored directories?

Yes, this can be done for Linux in both agents and manager by setting the monitoring of symbolic links to directories. To set the refresh interval, use option syscheck.symlink_scan_interval.