Skip to content

FIM does not work in who-data mode with Audit provider on Fedora 43 #33304

New issue
New issue
Closed
Bug
#33313
Closed
FIM does not work in who-data mode with Audit provider on Fedora 43#33304
Bug
#33313
Assignees
vikman90
Labels
level/taskmodule/fimFile Integrity Monitoringmodule/fim/whodataFile Integrity Monitoring whodata enginetype/bugSomething isn't working
@vikman90

Description

@vikman90
vikman90
opened on Nov 27, 2025

Problem

When using File Integrity Monitoring (FIM) in who-data mode with the Audit provider on Fedora 43, the following log messages are produced:

2025/11/27 12:49:22 wazuh-syscheckd: ERROR: (6642): Audit health check couldn't be completed correctly.
2025/11/27 12:49:22 wazuh-syscheckd: WARNING: (6913): Who-data engine could not start. Switching who-data to real-time.

The who-data engine fails to start and reverts to real-time mode instead.

Environment

Platform Audit
Fedora 43 4.1.2-2-fc43

Steps to Reproduce

  1. Set up Wazuh FIM in who-data mode using Audit provider on Fedora 43. 
    <syscheck>
  <disabled>no</disabled>
  <frequency>43200</frequency>
  <scan_on_start>yes</scan_on_start>
  <directories whodata="yes">/root/test</directories>
</syscheck>
  2. Monitor the logs from wazuh-syscheckd.
  3. Observe the error and warning messages above.

Metadata

Metadata

Assignees

Labels

level/taskmodule/fimFile Integrity Monitoringmodule/fim/whodataFile Integrity Monitoring whodata enginetype/bugSomething isn't working

Type

Bug

Projects

XDR+SIEM/Release 4.14.2

Status

Done

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions