I have Wazuh v3.13.3 installed on CentOS 7. syscheck module configuration:
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<scan_on_start>yes</scan_on_start>
<alert_new_files>yes</alert_new_files>
<!-- Directories to check (perform all possible verifications) -->
<directories check_all="yes">/etc,/usr/bin,/usr/sbin</directories>
<directories check_all="yes">/bin,/sbin,/boot</directories>
<directories check_all="yes" realtime="yes">/root</directories>
<!-- Files/directories to ignore -->
<ignore>/etc/mtab</ignore>
<ignore>/etc/hosts.deny</ignore>
<ignore>/etc/mail/statistics</ignore>
<ignore>/etc/random-seed</ignore>
<ignore>/etc/random.seed</ignore>
<ignore>/etc/adjtime</ignore>
<ignore>/etc/httpd/logs</ignore>
<ignore>/etc/utmpx</ignore>
<ignore>/etc/wtmpx</ignore>
<ignore>/etc/cups/certs</ignore>
<ignore>/etc/dumpdates</ignore>
<ignore>/etc/svc/volatile</ignore>
<ignore>/sys/kernel/security</ignore>
<ignore>/sys/kernel/debug</ignore>
<ignore>/dev/core</ignore>
<!-- File types to ignore -->
<ignore type="sregex">^/proc</ignore>
<ignore type="sregex">.log$|.swp$</ignore>
<!-- Check the file, but never compute the diff -->
<nodiff>/etc/ssl/private.key</nodiff>
<skip_nfs>yes</skip_nfs>
</syscheck>
Adding new file to the /root directory:
[root@host ossec]# date; echo "date" > ~/newfile.txt
Sat May 7 17:01:48 UTC 2022
agent log messages:
2022/05/07 17:01:48 ossec-syscheckd[26052] fim_db.c:558 at fim_db_exec_simple_wquery(): ERROR: SQL ERROR: cannot commit - no transaction is active
2022/05/07 17:01:48 ossec-syscheckd[26052] fim_db.c:558 at fim_db_exec_simple_wquery(): ERROR: SQL ERROR: cannot commit - no transaction is active
2022/05/07 17:01:48 ossec-syscheckd[26052] fim_db.c:558 at fim_db_exec_simple_wquery(): ERROR: SQL ERROR: cannot commit - no transaction is active
2022/05/07 17:01:48 ossec-syscheckd: ERROR: SQL ERROR: (8)attempt to write a readonly database
2022/05/07 17:01:48 ossec-syscheckd: ERROR: SQL ERROR: (8)attempt to write a readonly database
and I see no messages about the new file in the logs.
The infrastructure is too big to upgrade to Wazuh 4.x.
How to solve this issue?
Thank you.
The message
ERROR: SQL ERROR: (8)attempt to write a readonly database
indicates some kind of problem with database permissions or that the FIM database fim.db does not exist. Please check that the following files in the agent exist and have the following permissions, user, and group:
If the fim.db file does not exist, the agent recreates said file when restarting the agent. If the fim/ or fim/db/ directories do not exist, it is necessary to create them using the mkdir command and assign them the properties specified above [drwxr-x--- ossec ossec], then restart the agent.
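As an added example for this thread (not Wazuh's own tooling), here is a small POSIX shell script that performs the check the answer describes: it verifies that the fim/ and fim/db/ directories exist with mode drwxr-x--- and owner ossec:ossec, reports whether fim.db is present and writable, and can create the directories with the expected ownership before the agent is restarted. It assumes the default install prefix, i.e. the queue directory /var/ossec/queue, so that the database is /var/ossec/queue/fim/db/fim.db; the thread itself only names fim/, fim/db/ and fim.db. The queue directory, owner and group are parameters so the script can be tried against a scratch tree first.

```shell
#!/bin/sh
# Audit and repair the Wazuh 3.x FIM database directory layout.
# Added example for this thread, not Wazuh's own tooling. Assumptions:
#   - default install prefix, so the queue dir is /var/ossec/queue and the
#     FIM database is /var/ossec/queue/fim/db/fim.db (the answer only names
#     fim/, fim/db/ and fim.db);
#   - directories must be drwxr-x--- (750) and owned by ossec:ossec, as the
#     answer states.
# Usage: sh fim_db_audit.sh [QUEUE_DIR] [OWNER] [GROUP]

# check_dir DIR MODE OWNER GROUP
# Return 0 if DIR is a directory with octal mode MODE owned by OWNER:GROUP;
# otherwise print one line per mismatch and return 1.
check_dir() {
  dir=$1; want_mode=$2; want_owner=$3; want_group=$4; rc=0
  if [ ! -d "$dir" ]; then
    echo "MISSING  $dir (expected directory, $want_owner:$want_group mode $want_mode)"
    return 1
  fi
  # GNU stat (CentOS coreutils): octal mode, owner name, group name
  set -- $(stat -c '%a %U %G' "$dir")
  [ "$1" = "$want_mode" ]  || { echo "MODE     $dir is $1, want $want_mode"; rc=1; }
  [ "$2" = "$want_owner" ] || { echo "OWNER    $dir is $2, want $want_owner"; rc=1; }
  [ "$3" = "$want_group" ] || { echo "GROUP    $dir is $3, want $want_group"; rc=1; }
  return $rc
}

# fim_db_audit [QUEUE_DIR] [OWNER] [GROUP]
# Check fim/ and fim/db/ under QUEUE_DIR, then the fim.db file itself.
# Returns 0 when the layout matches, 1 when something must be fixed.
fim_db_audit() {
  queue=${1:-/var/ossec/queue}; owner=${2:-ossec}; group=${3:-ossec}; status=0
  check_dir "$queue/fim"    750 "$owner" "$group" || status=1
  check_dir "$queue/fim/db" 750 "$owner" "$group" || status=1
  db="$queue/fim/db/fim.db"
  if [ ! -f "$db" ]; then
    # Not a failure: syscheckd recreates fim.db when the agent restarts.
    echo "ABSENT   $db (recreated on agent restart)"
  elif [ ! -w "$db" ]; then
    # An existing but unwritable fim.db is one way SQLite ends up reporting
    # "attempt to write a readonly database".
    echo "READONLY $db is not writable by $(id -un)"; status=1
  fi
  return $status
}

# fim_db_repair [QUEUE_DIR] [OWNER] [GROUP]
# Create the missing directories and apply the expected mode and ownership.
# Restart the agent afterwards so it recreates fim.db.
fim_db_repair() {
  queue=${1:-/var/ossec/queue}; owner=${2:-ossec}; group=${3:-ossec}
  mkdir -p "$queue/fim/db" || return 1
  chmod 750 "$queue/fim" "$queue/fim/db" || return 1
  chown "$owner:$group" "$queue/fim" "$queue/fim/db" || return 1
}

# Only run the audit when a queue directory is given on the command line,
# so the functions can also be sourced from another script.
if [ "$#" -gt 0 ]; then
  fim_db_audit "$@"
fi
```

Run it as root on the agent with sh fim_db_audit.sh /var/ossec/queue: a non-zero exit with MISSING, MODE, OWNER, GROUP or READONLY lines tells you exactly which directory or file to fix, fim_db_repair applies the mkdir/chmod/chown the answer calls for, and restarting the agent afterwards recreates fim.db.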