June 13, 2026
Implementing File Integrity Monitoring (FIM) on a Linux Endpoint Using Wazuh
Vrushalipagar
In my previous article, Complete Wazuh Setup Guide for Windows and Linux Endpoints, I covered the complete process of installing Wazuh, accessing the dashboard, and onboarding both Windows and Linux agents into a centralized monitoring platform.
With the Linux endpoint already connected and actively reporting to the Wazuh server, I decided to explore one of its most useful security features: File Integrity Monitoring (FIM). In this article, I will configure Wazuh to monitor a custom directory on a Parrot Security machine and verify whether file creation, modification, and deletion events are detected and reported in real time.
I started by logging in to the Wazuh Dashboard to verify that my Linux endpoint was successfully connected and actively communicating with the Wazuh server.
From the Endpoints section, I confirmed that the Parrot Security Linux agent appeared with an active status, indicating that it was properly enrolled and ready for monitoring.
Next, I navigated to the File Integrity Monitoring module. Since no endpoint was selected initially, Wazuh prompted me to choose an agent before displaying any monitoring information.
I clicked Select agent and chose my Linux endpoint from the available agents list.
With the Linux agent selected, I moved to the endpoint itself and created a dedicated directory that would be used exclusively for FIM testing. Using a separate directory ensures that monitoring activities remain isolated from important system files while making it easier to generate and analyze events.
I created the directory using the following command:
mkdir -p /home/user/fim-test
After creating the directory, I verified that the fim-test folder was successfully created under the /home/user path.
/home/user/
The next step was to configure Wazuh to monitor this directory. To do this, I opened the Wazuh agent configuration file located at /var/ossec/etc/ossec.conf.
sudo nano /var/ossec/etc/ossec.conf
Inside the <syscheck> section, I added a custom directory entry to enable real-time monitoring of the newly created folder.
<directories check_all="yes" report_changes="yes" realtime="yes">/home/user/fim-test</directories>
This configuration instructs Wazuh to monitor all file activities within the directory, capture content changes, and generate alerts immediately whenever a modification occurs.
After saving the configuration file, I restarted the Wazuh agent so that the new monitoring settings would take effect.
sudo systemctl restart wazuh-agent
With monitoring enabled, I began generating file events inside the monitored directory. First, I created a test file and verified that it was successfully written to disk.
echo "This file is to check fim in wazuh" > /home/user/fim-test/test.txt
ls
To test another file integrity event, I deleted the same file from the monitored directory.
rm test.txt
ls
After performing these file operations, I returned to the Wazuh Dashboard and reviewed the File Integrity Monitoring events generated by the Linux agent. Wazuh successfully detected the activity within the monitored directory and generated alerts for the file changes, confirming that the Linux agent was monitoring the configured location correctly.
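The same check can be scripted instead of read off the dashboard. The following is an added example, not part of the original walkthrough: it filters the manager's JSON alert log for FIM events under /home/user/fim-test and reports which expected event types have not been seen. The alert lines, the agent name "parrot" and the function names are constructed for illustration; on a real manager the input would be the alert log, by default /var/ossec/logs/alerts/alerts.json.

```python
import json

MONITORED_DIR = "/home/user/fim-test"  # directory configured in ossec.conf above

# Constructed sample alerts, one JSON object per line as in alerts.json.
# Values are made up for illustration; real alerts carry many more fields.
SAMPLE_ALERTS = """\
{"timestamp":"2026-06-13T10:01:02.000+0000","agent":{"name":"parrot"},"rule":{"id":"554"},"syscheck":{"path":"/home/user/fim-test/test.txt","event":"added","mode":"realtime"}}
{"timestamp":"2026-06-13T10:01:30.000+0000","agent":{"name":"parrot"},"rule":{"id":"5501"},"full_log":"session opened for user root"}
{"timestamp":"2026-06-13T10:02:10.000+0000","agent":{"name":"parrot"},"rule":{"id":"550"},"syscheck":{"path":"/etc/hosts","event":"modified","mode":"scheduled"}}
{"timestamp":"2026-06-13T10:02:40.000+0000","agent":{"name":"parrot"},"rule":{"id":"554"},"syscheck":{"path":"/home/user/fim-test-old/a.txt","event":"added","mode":"scheduled"}}
{"timestamp":"2026-06-13T10:03:00.000+0000","agent":{"na
{"timestamp":"2026-06-13T10:03:44.000+0000","agent":{"name":"parrot"},"rule":{"id":"553"},"syscheck":{"path":"/home/user/fim-test/test.txt","event":"deleted","mode":"realtime"}}
"""


def fim_events(lines, directory=MONITORED_DIR):
    """Yield (timestamp, event, mode, path) for FIM alerts under directory."""
    # The trailing slash keeps sibling paths such as fim-test-old from matching.
    prefix = directory.rstrip("/") + "/"
    for line in lines:
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial line, e.g. the log was read while being written
        syscheck = alert.get("syscheck") if isinstance(alert, dict) else None
        if not syscheck:
            continue  # not a FIM alert
        path = syscheck.get("path", "")
        if path.startswith(prefix):
            yield (alert.get("timestamp"), syscheck.get("event"),
                   syscheck.get("mode"), path)


def missing_events(events, expected=("added", "deleted")):
    """Return the expected event types that never appeared in events."""
    seen = {event for _, event, _, _ in events}
    return [e for e in expected if e not in seen]


if __name__ == "__main__":
    found = list(fim_events(SAMPLE_ALERTS.splitlines()))
    for ts, event, mode, path in found:
        print(ts, event, mode, path)
    print("missing:", missing_events(found) or "none")
```

Passing expected=("added", "modified", "deleted") extends the check to modification events, which requires editing the test file before deleting it.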
This simple lab demonstrated how File Integrity Monitoring can be used to track file activity on Linux systems. By monitoring important directories and detecting unexpected changes in real time, Wazuh provides valuable visibility into endpoint activity and helps strengthen security monitoring.
Thank you for reading my blog. Keep learning and stay tuned for more cybersecurity labs and walkthroughs.
Thank You, Vrushali Pagar