File integrity monitoring
Wazuh's File integrity monitoring (FIM) system watches selected files and triggers alerts when these files are modified. The component responsible for this task is called syscheck. This component stores the cryptographic checksum and other attributes of a known-good file or Windows registry key and regularly compares them against the current state of that file on the system, watching for changes.
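The baseline-and-compare mechanism described above, as an added illustration that is not Wazuh's or syscheck's own code: it records a SHA-256 checksum plus a few attributes (size, mode, mtime) for every regular file under a directory, re-scans later, and reports added, deleted and modified entries together with which attributes changed. The tracked attribute set, the helper names (`scan`, `compare`, `demo`) and the tampered files written under a temporary directory are constructed for the example; syscheck keeps more attributes (owner, group, inode) and also covers Windows registry keys, which this illustration omits.

```python
"""Illustration of how a syscheck-style FIM works: baseline checksums and
attributes, re-scan, report what changed. Added example, not Wazuh code."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Attributes recorded per file. syscheck stores more (owner, group, inode);
# this subset is an assumption made for the illustration.
TRACKED = ("size", "mode", "mtime", "sha256")


def file_attributes(path):
    """Return the attributes kept for one file: size, permission bits,
    integer mtime and SHA-256 of the contents."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
        "mtime": int(st.st_mtime),
        "sha256": h.hexdigest(),
    }


def scan(directory):
    """Build the known-good table: relative path -> attributes.
    Symlinks are skipped so the scan cannot be steered outside the tree."""
    table = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, directory)
            table[rel] = file_attributes(full)
    return table


def compare(baseline, current):
    """Diff two scans. Returns a sorted list of (event, path, changed_attrs),
    where event is 'added', 'deleted' or 'modified'."""
    events = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            events.append(("deleted", rel, ()))
        elif rel not in baseline:
            events.append(("added", rel, ()))
        else:
            changed = tuple(k for k in TRACKED
                            if baseline[rel][k] != current[rel][k])
            if changed:
                events.append(("modified", rel, changed))
    return events


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, re-scan."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "motd").write_text("welcome\n")
        baseline = scan(d)

        # Tampering: extra uid-0 account, permission change, deletion, new file.
        with open(root / "etc" / "passwd", "a") as f:
            f.write("eve:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "hosts").chmod(0o755)  # execute bits never set by write_text
        (root / "etc" / "motd").unlink()
        (root / "etc" / "ld.so.preload").write_text("/tmp/evil.so\n")
        return compare(baseline, scan(d))


if __name__ == "__main__":
    for event, path, attrs in demo():
        print(f"{event:8} {path} {' '.join(attrs)}")
```

Only content and attribute changes are reported here; a real deployment also has to decide how often to re-scan (the scheduled, real-time and who-data modes listed below), which paths to ignore, and where the baseline database lives, since an attacker who can rewrite the baseline defeats the check.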
Contents
- How it works
- Configuration
- Configuring syscheck - basic usage
- Configuring scheduled scans
- Configuring real-time monitoring
- Configuring who-data monitoring
- Configuring reporting new files
- Configuring reporting file changes
- Configuring ignoring files and Windows registry entries
- Configuring ignoring files via rules
- Configuring the alert severity for the monitored files
- Configuring maximum recursion level allowed
- Configuring syscheck process priority
- Configuring where the database is to be stored
- Configuring synchronization