File integrity monitoring
Wazuh’s File integrity monitoring (FIM) system watches selected files and triggering alerts when these files are modified. The component responsible for this task is called syscheck. This component stores the cryptographic checksum and other attributes of a known good file or Windows registry key and regularly compares it to the current file being used by the system, watching for changes.
Contents
- How it works
- Configuration
- Configuring syscheck - basic usage
- Configuring scheduled scans
- Configuring real-time monitoring
- Configuring who-data monitoring
- Configuring reporting new files
- Configuring Windows registry
- Configuring reporting file and registry value changes
- Configuring ignoring files and Windows registry entries
- Configuring ignoring files via rules
- Configuring the alert severity for the monitored files
- Configuring maximum recursion level allowed
- Configuring syscheck process priority
- Configuring where the database is to be stored
- Configuring synchronization