wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Wazuh FIM realtime issue - no content_change field for new file #25709

Open xmlijhu opened 1 week ago

xmlijhu commented 1 week ago

| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| 4.4.3 | SYSCHECK/FIM | Agent | RPM | Linux |

Description

When a new file is added to the monitored directory, FIM detected the change, but no report_change was reported (test1). The following modifications of the same file will have report_change content (test2 and test3).

Configuration

/etc/sudoers.d/

Operation

Note: sudoers.d/xmlijhu is a new file

```
[ etc]# echo '###test1' >> sudoers.d/xmlijhu
[ etc]# echo '###test2' >> sudoers.d/xmlijhu
[ etc]# echo '###test3' >> sudoers.d/xmlijhu
```

Logs

In the ossec.log (I have turned FIM debug up to 2), we can see three detections on FIM, but for the first detection, there is no content_changes.

```
2024/09/13 15:21:24 wazuh-syscheckd[13687] run_check.c:127 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"/etc/sudoers.d/xmlijhu","version":2,"mode":"realtime","type":"added","timestamp":1726240884,"attributes":{"type":"file","hash_sha256":"c24db6fdb67cb81d4716918428283f916939d38341dab156f16afe59d4e97753","checksum":"c82edb4963db1bd9704f730ad4dab91a914dbab0"}}}
2024/09/13 15:21:24 wazuh-syscheckd[13687] fim_diff_changes.c:433 at fim_file_diff(): DEBUG: (6351): The files are identical, don't compute differences
2024/09/13 15:21:37 wazuh-syscheckd[13687] fim_db.c:439 at fim_db_check_transaction(): DEBUG: Database transaction completed.
2024/09/13 15:21:37 wazuh-syscheckd[13687] run_check.c:127 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"/etc/sudoers.d/xmlijhu","version":2,"mode":"realtime","type":"modified","timestamp":1726240897,"attributes":{"type":"file","hash_sha256":"82491cb8bdda909fbe575743f0dad5b3c2c94d712f61d57e2a6eacbd792062bf","checksum":"7980404cf633474674319b023aac7b9768fac284"},"changed_attributes":["sha256"],"old_attributes":{"type":"file","hash_sha256":"c24db6fdb67cb81d4716918428283f916939d38341dab156f16afe59d4e97753","checksum":"c82edb4963db1bd9704f730ad4dab91a914dbab0"},"content_changes":"1a2\n> ###test2\n"}}
2024/09/13 15:21:45 wazuh-syscheckd[13687] fim_db.c:439 at fim_db_check_transaction(): DEBUG: Database transaction completed.
2024/09/13 15:21:45 wazuh-syscheckd[13687] run_check.c:127 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"/etc/sudoers.d/xmlijhu","version":2,"mode":"realtime","type":"modified","timestamp":1726240905,"attributes":{"type":"file","hash_sha256":"e533e3d1447e2d870d36e5974e1582bffcee5c9e1c0ce9eb910da0e80e8e302a","checksum":"d38d0dd077ab4023ab5699d5ef245e955c40b025"},"changed_attributes":["sha256"],"old_attributes":{"type":"file","hash_sha256":"82491cb8bdda909fbe575743f0dad5b3c2c94d712f61d57e2a6eacbd792062bf","checksum":"7980404cf633474674319b023aac7b9768fac284"},"content_changes":"2a3\n> ###test3\n"}}
```
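As an added example (not code from this issue or from Wazuh itself), a small Python triage helper that parses the `Sending FIM event` lines above: it extracts the added lines from `content_changes` (normal `diff` output: an `1a2` header followed by `> text` lines) where the field is present, and flags the `added` event, which carries only hashes, as needing a direct read of the new sudoers drop-in. The log lines are copied from the issue; `triage`, `watched_prefix` and the finding keys are names chosen for this example.

```python
import json
import re

# Log lines copied from the issue above, kept as raw strings so the JSON "\n"
# escapes inside content_changes reach json.loads unchanged.
LOG_LINES = [
    r"""2024/09/13 15:21:24 wazuh-syscheckd[13687] run_check.c:127 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"/etc/sudoers.d/xmlijhu","version":2,"mode":"realtime","type":"added","timestamp":1726240884,"attributes":{"type":"file","hash_sha256":"c24db6fdb67cb81d4716918428283f916939d38341dab156f16afe59d4e97753","checksum":"c82edb4963db1bd9704f730ad4dab91a914dbab0"}}}""",
    r"""2024/09/13 15:21:24 wazuh-syscheckd[13687] fim_diff_changes.c:433 at fim_file_diff(): DEBUG: (6351): The files are identical, don't compute differences""",
    r"""2024/09/13 15:21:37 wazuh-syscheckd[13687] run_check.c:127 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"/etc/sudoers.d/xmlijhu","version":2,"mode":"realtime","type":"modified","timestamp":1726240897,"attributes":{"type":"file","hash_sha256":"82491cb8bdda909fbe575743f0dad5b3c2c94d712f61d57e2a6eacbd792062bf","checksum":"7980404cf633474674319b023aac7b9768fac284"},"changed_attributes":["sha256"],"old_attributes":{"type":"file","hash_sha256":"c24db6fdb67cb81d4716918428283f916939d38341dab156f16afe59d4e97753","checksum":"c82edb4963db1bd9704f730ad4dab91a914dbab0"},"content_changes":"1a2\n> ###test2\n"}}""",
    r"""2024/09/13 15:21:45 wazuh-syscheckd[13687] run_check.c:127 at send_syscheck_msg(): DEBUG: (6321): Sending FIM event: {"type":"event","data":{"path":"/etc/sudoers.d/xmlijhu","version":2,"mode":"realtime","type":"modified","timestamp":1726240905,"attributes":{"type":"file","hash_sha256":"e533e3d1447e2d870d36e5974e1582bffcee5c9e1c0ce9eb910da0e80e8e302a","checksum":"d38d0dd077ab4023ab5699d5ef245e955c40b025"},"changed_attributes":["sha256"],"old_attributes":{"type":"file","hash_sha256":"82491cb8bdda909fbe575743f0dad5b3c2c94d712f61d57e2a6eacbd792062bf","checksum":"7980404cf633474674319b023aac7b9768fac284"},"content_changes":"2a3\n> ###test3\n"}}""",
]

# The JSON payload is everything from the first "{" to the end of the line.
EVENT_RE = re.compile(r"Sending FIM event: (\{.*\})\s*$")


def parse_fim_event(line):
    """Return the 'data' object of a syscheckd 'Sending FIM event' line, or None."""
    m = EVENT_RE.search(line)
    return json.loads(m.group(1))["data"] if m else None


def added_lines(content_changes):
    """Lines introduced according to normal diff output: '> text' marks an added line."""
    return [l[2:] for l in content_changes.splitlines() if l.startswith("> ")]


def triage(lines, watched_prefix="/etc/sudoers.d/"):
    """Summarise each FIM event under watched_prefix for an analyst.

    An 'added' event in this report carries no content_changes, so the only
    content evidence is the sha256; the finding marks that the new file must
    be read directly to see what it grants.
    """
    findings = []
    for line in lines:
        ev = parse_fim_event(line)
        if ev is None or not ev["path"].startswith(watched_prefix):
            continue
        diff = ev.get("content_changes")
        findings.append({
            "path": ev["path"],
            "type": ev["type"],
            "sha256": ev["attributes"]["hash_sha256"],
            "added_lines": added_lines(diff) if diff is not None else None,
            "needs_file_read": ev["type"] == "added" and diff is None,
        })
    return findings
```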

MROSSFTEK commented 1 week ago

having the same issue.. 2 days now, nothing being reported to FIM

MROSSFTEK commented 1 week ago

still having this issue.. anyone got any clues?