Wazuh syscheck agent SQL error on centos7: FIM is not working


I have wazuh v3.13.3 installed on CentOS 7. syscheck module configuration:

  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <scan_on_start>yes</scan_on_start>
    <alert_new_files>yes</alert_new_files>


    <!-- Directories to check  (perform all possible verifications) -->
    <directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes">/bin,/sbin,/boot</directories>
    <directories check_all="yes" realtime="yes">/root</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>
    <ignore>/sys/kernel/security</ignore>
    <ignore>/sys/kernel/debug</ignore>
    <ignore>/dev/core</ignore>

    <!-- File types to ignore -->
    <ignore type="sregex">^/proc</ignore>
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodiff>

    <skip_nfs>yes</skip_nfs>
  </syscheck>

Adding new file to the /root directory:

[root@host ossec]# date; echo "date" >  ~/newfile.txt
Sat May  7 17:01:48 UTC 2022

agent log messages:

2022/05/07 17:01:48 ossec-syscheckd[26052] fim_db.c:558 at fim_db_exec_simple_wquery(): ERROR: SQL ERROR: cannot commit - no transaction is active
2022/05/07 17:01:48 ossec-syscheckd[26052] fim_db.c:558 at fim_db_exec_simple_wquery(): ERROR: SQL ERROR: cannot commit - no transaction is active
2022/05/07 17:01:48 ossec-syscheckd[26052] fim_db.c:558 at fim_db_exec_simple_wquery(): ERROR: SQL ERROR: cannot commit - no transaction is active
2022/05/07 17:01:48 ossec-syscheckd: ERROR: SQL ERROR: (8)attempt to write a readonly database
2022/05/07 17:01:48 ossec-syscheckd: ERROR: SQL ERROR: (8)attempt to write a readonly database

and I see no messages about the new file in the logs.

The infrastructure is too big to upgrade to wazuh 4.x.

How to solve this issue?

Thank you.

1 answer


The message ERROR: SQL ERROR: (8)attempt to write a readonly database indicates some kind of problem with database permissions, or that the FIM database fim.db does not exist. Please check that the following files exist on the agent and have the following permissions, user, and group:

[drwxr-x--- ossec    ossec   ]  /var/ossec/queue/fim
[drwxr-x--- ossec    ossec   ]  /var/ossec/queue/fim/db
[-rw-rw---- root     ossec   ]  /var/ossec/queue/fim/db/fim.db
[-rw-rw---- root     ossec   ]  /var/ossec/queue/fim/db/fim.db-journal

  • In case the fim.db file does not exist, the agent recreates said file when restarting the agent.
  • In case the fim/ or fim/db/ directories do not exist, it is necessary to create them using the mkdir command and assign them the properties specified above [drwxr-x--- ossec ossec], then restart the agent.
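The check the answer describes, written out as a script. This is an added example, not code from the thread or from Wazuh; it assumes GNU stat (CentOS 7 coreutils), and the paths, modes and owners are the ones listed in the answer. WAZUH_HOME is a hypothetical override so the same functions can be run against a test tree.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Wazuh: verify the four
# paths the answer lists against the mode, owner and group it gives, and recreate
# missing directories the way the answer describes. Assumes GNU stat (CentOS 7).
WAZUH_HOME="${WAZUH_HOME:-/var/ossec}"   # hypothetical override, points at a test tree

# check_fim_path PATH OCTAL_MODE USER GROUP
# Prints one diagnosis line; returns 0 when PATH exists and matches, 1 otherwise.
check_fim_path() {
    path="$1"; want_mode="$2"; want_user="$3"; want_group="$4"
    if [ ! -e "$path" ]; then
        echo "MISSING  $path (expected $want_mode $want_user:$want_group)"
        return 1
    fi
    actual=$(stat -c '%a %U %G' "$path") || return 1
    set -- $actual    # split into mode, user, group
    if [ "$1" = "$want_mode" ] && [ "$2" = "$want_user" ] && [ "$3" = "$want_group" ]; then
        echo "OK       $path ($actual)"
        return 0
    fi
    echo "MISMATCH $path has $actual, expected $want_mode $want_user:$want_group"
    return 1
}

# check_fim_tree [BASE] [DIR_OWNER] [DB_OWNER] [GROUP]
# Runs the four checks from the answer; returns the number of failing paths.
check_fim_tree() {
    base="${1:-$WAZUH_HOME}"; dir_owner="${2:-ossec}"; db_owner="${3:-root}"; grp="${4:-ossec}"
    failures=0
    check_fim_path "$base/queue/fim"                   750 "$dir_owner" "$grp" || failures=$((failures+1))
    check_fim_path "$base/queue/fim/db"                750 "$dir_owner" "$grp" || failures=$((failures+1))
    check_fim_path "$base/queue/fim/db/fim.db"         660 "$db_owner"  "$grp" || failures=$((failures+1))
    check_fim_path "$base/queue/fim/db/fim.db-journal" 660 "$db_owner"  "$grp" || failures=$((failures+1))
    return "$failures"
}

# repair_fim_dirs [BASE] [OWNER] [GROUP]
# Recreates fim/ and fim/db/ with the answer's drwxr-x--- owner:group. fim.db itself is
# not created here: per the answer the agent rebuilds it when restarted
# (systemctl restart wazuh-agent).
repair_fim_dirs() {
    base="${1:-$WAZUH_HOME}"; owner="${2:-ossec}"; grp="${3:-ossec}"
    mkdir -p "$base/queue/fim/db" &&
    chown "$owner:$grp" "$base/queue/fim" "$base/queue/fim/db" &&
    chmod 750 "$base/queue/fim" "$base/queue/fim/db"
}
# Usage on the agent (as root): source this file, then run check_fim_tree,
# and repair_fim_dirs followed by an agent restart if directories are missing.
```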