File integrity monitoring

Wazuh’s File integrity monitoring (FIM) system watches selected files, triggering alerts when these files are modified. The component responsible for this task is called syscheck. This component stores the cryptographic checksum and other attributes of a known good file or Windows registry key and regularly compares it to the current file being used by the system, watching for changes.

Contents

• How it works
• Configuration
  • Basic usage
  • Configuring scheduled scans
  • Configuring real-time monitoring
  • Configuring who-data monitoring
  • Configure to report changes
  • Configure to ignore files
  • Configure maximum recursion level allowed
  • Ignoring files via rules
  • Changing severity
• FAQ
  • How often does syscheck run?
  • What is the CPU usage like on the agents?
  • Where are all the checksums stored?
  • Can I ignore files in a directory?
  • Can Wazuh report changes in the content of a text file?
  • How does Wazuh verify the integrity of files?
  • Does Wazuh monitor any directories by default?
  • Can I force an immediate syscheck scan?
  • Does Syscheck start when Wazuh starts?
  • Does Wazuh alert when a new file is created?
  • How FIM manages historical records in his database?
  • How can I migrate my old DB information into a new SQLite database?
  • Can I hot-swap monitored directories?