0

I'm running wazuh on 4.3 (latest version) and I'm worried about the following situation:

  • lets say i have syscheck configured to run at 5am.
  • some changes are made during the day.
  • the machine reboots at 2am.
  • the machine now has lost all changes made from 5am to 2am.

If i remember correctly from my tests with ossec that program saved it's local database in a text file, but i cant seem to find it for wazuh. I was trying to find this file so that i can have a system in place that in the event of a reboot fetches the old config file and runs a syslog comparing to that one, this was no changes are lost. Thanks

Pedro Pereira
  • 33
  • 3

2 Answers2

1

FIM is a utility designed to monitor changes in files, not to make backup copies, so you will have to adapt the process to recover the data. Currently, during FIM's operation, the changes detected through the report_changes option are saved in the /var/ossec/queue/diff/ directory, where a directory structure will be created, for example, in the Wazuh manager, for a file /etc/myfile, the change made will be reflected in: /var/ossec/queue/diff/local/etc/myfile/, where a file last-entry.gz will exist. Note that this gz file contains only the last change made, but this is reset at every start as follows:

  • When Wazuh starts, any content in /queue/diff is deleted.
  • In the initial scan, a copy of all files with report_changes enabled is stored in /queue/diff.
  • Whenever there is a modification to those files, their contents are checked and compared with the stored files (diff command).
  • If there are differences, the What changed field is added to the alert, and the content of the stored files is updated in /queue/diff. This means that if you make a change to a file and the content is lost on reboot, this last-entry file will contain the content after the reboot.

The most viable and direct alternative is to obtain these changes from the generated alerts themselves, either from the alerts.json file, the alerts.log file, or from the Wazuh dashboard UI itself if you have it accessible.

raul.delpozo
  • 36
  • 4
0

After asking the official support I got the following response:

That’s right, that is a situation users might experience when syscheck is configured in such way. The good news is that there are attributes of the option directories that overcome that problem, one of this is the attribute realtime and the other which has additional advantages is whodata,both will report for changes on real time so you would not miss any change if there is a reboot in the system. [...]

So making things short, my problem is not solvable by design but can be circumvented by the realtime option which enables real time monitoring and logging.

Pedro Pereira
  • 33
  • 3