Monitoring configuration changes

Monitoring configuration changes helps to establish accountability for changes made to systems and applications. Organizations can identify responsible parties and ensure that changes are properly authorized and documented by maintaining a record of changes and who made them.

You can configure the FIM module to monitor configuration files and report any changes. The Wazuh FIM module uses the whodata and report_changes attributes to record the following information about such changes:

  • The login user that made the changes.

  • The time of the changes.

  • The process that the user executed.

  • The changes made to the file.

Use case description



Ubuntu 20.04

The FIM module monitors a configuration file on this endpoint to detect file changes.


Perform the following steps to configure the FIM module to monitor the /etc/app.conf file and report changes.

  1. Create a file app.conf in the /etc directory:

    # touch /etc/app.conf
  2. Edit the /var/ossec/etc/ossec.conf configuration file and add the configuration below:

      <directories check_all="yes" report_changes="yes" whodata="yes">/etc/app.conf</directories>
  3. Restart the Wazuh agent to apply the configuration changes:

    systemctl restart wazuh-agent

Test the configuration

  1. Modify the /etc/app.conf file by using nano with root privilege:

    # nano /etc/app.conf
  2. Add updated image to V2 to the file and save.

Visualize the alert

Navigate to Modules > Integrity monitoring on the Wazuh dashboard to view the alert generated when the FIM module detects modification of the configuration file.

Modification of the configuration file

Expand the alert to get more information about the event. In this example, the nano text editor modified the configuration file. The logged-in user on the endpoint was ubuntu. The user modified the file using root privilege. The content added to the file is updated image to V2.

Get more information about the event