Wazuh agent FIM module is not working when the wazuh-agent service is started in the user data script. The service starts and there's nothing weird in ossec logs, but nothing shows up in the dashboard. FIM starts working after I ssh into the instance and do a systemctl restart wazuh-agent. My user data script looks like this (variable assignments were omitted):
yum update -y; WAZUH_MANAGER="${WAZUH_WORKER}" WAZUH_REGISTRATION_SERVER="${WAZUH_AUTH}" WAZUH_AGENT_NAME="${AGENT_NAME}" WAZUH_AGENT_GROUP="default" WAZUH_REGISTRATION_PASSWORD="${AUTH_PASSWORD}" yum install -y https://packages.wazuh.com/4.x/yum/wazuh-agent-4.3.9-1.x86_64.rpm; systemctl daemon-reload; systemctl enable wazuh-agent; systemctl start wazuh-agent;
I'm using centralized agent configuration. Not sure if the agent.conf is not getting pulled in user-data since it eventually does get pulled when I ssh into the instance.
The expected result was the Wazuh agent working normally and sending FIM changes to the dashboard once they happen. What I got was the FIM module did nothing until the wazuh-agent service was restarted after sshing into the instance.
I did some testing based on your script, and I found the following:
The agent.conf file is being imported to the recently launched endpoint without SSHing in to the host. I confirmed this by checking the configuration of this agent for integrity monitoring in the Wazuh Web UI, where I added <directories check_all="yes" whodata="yes">/root</directories> to the default configuration that can be found here: Default syscheck configuration
First script I used:
#!/bin/bash
yum update -y; WAZUH_MANAGER='172.30.0.5' WAZUH_REGISTRATION_PASSWORD='please123' WAZUH_AGENT_GROUP='linuxtest' yum install -y https://packages.wazuh.com/4.x/yum/wazuh-agent-4.3.8-1.x86_64.rpm; systemctl daemon-reload; systemctl enable wazuh-agent; systemctl start wazuh-agent; touch /root/carlostest
I assumed that it can detect changes after building the inventory of files being monitored, therefore I added a sleep 600 to test this, and it was successful: I got a "File added to the system" alert, rule.id 554.
Second script I used:
#!/bin/bash
yum update -y; WAZUH_MANAGER='172.30.0.5' WAZUH_REGISTRATION_PASSWORD='please123' WAZUH_AGENT_GROUP='linuxtest' yum install -y https://packages.wazuh.com/4.x/yum/wazuh-agent-4.3.8-1.x86_64.rpm; systemctl daemon-reload; systemctl enable wazuh-agent; systemctl start wazuh-agent; sleep 600; touch /root/carlostest
Note: I am using Wazuh 4.3.8 since I already had a testing environment with this version. I noticed you are using 4.3.9, but I do not think much changed with that minor update; still, you can test with a different version by changing the link and see what happens.
I hope this information is helpful to you, let me know.
Edit: Bear in mind the default configuration does not alert for changes in real time, which is why I added whodata to the directory I was testing on. Probably you just detect the changes when the wazuh-agent is restarted because that is part of the default configuration: <scan_on_start>yes</scan_on_start>. I recommend you check the following documentation: