I'm running Wazuh on 4.3 (latest version) and I'm worried about the following situation:
If I remember correctly from my tests with OSSEC, that program saved its local database in a text file, but I can't seem to find it for Wazuh. I was trying to find this file so that I can have a system in place that, in the event of a reboot, fetches the old config file and runs a syslog comparing to that one; this way no changes are lost. Thanks
After asking the official support I got the following response:
That’s right, that is a situation users might experience when syscheck is configured in such a way. The good news is that there are attributes of the option directories that overcome that problem: one of these is the attribute realtime, and the other, which has additional advantages, is whodata; both will report changes in real time, so you would not miss any change if there is a reboot in the system. [...]
So, to make things short, my problem is not solvable by design but can be circumvented by the realtime option, which enables real-time monitoring and logging.
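
One way to check which monitored paths still rely only on scheduled scans, as an added example (not part of the original post, the support reply or Wazuh itself): it reads an ossec.conf and lists the directories entries that set neither realtime nor whodata. The sample configuration, its paths and the function names are constructed for illustration, and the parser assumes the file has no XML declaration.

```python
import xml.etree.ElementTree as ET

# Constructed sample ossec.conf (not from the original post). A real file may
# hold several <ossec_config> blocks, so the parser wraps them in one root.
SAMPLE_CONF = """
<ossec_config>
  <syscheck>
    <frequency>43200</frequency>
    <directories check_all="yes">/etc,/usr/bin</directories>
    <directories check_all="yes" realtime="yes">/var/www</directories>
  </syscheck>
</ossec_config>
<ossec_config>
  <syscheck>
    <directories check_all="yes" whodata="yes">/home/deploy/.ssh</directories>
  </syscheck>
</ossec_config>
"""

def monitoring_modes(conf_text):
    """Map each monitored path to 'whodata', 'realtime' or 'scheduled'."""
    root = ET.fromstring("<root>" + conf_text + "</root>")
    modes = {}
    for syscheck in root.iter("syscheck"):
        for entry in syscheck.iter("directories"):
            if entry.get("whodata", "no").lower() == "yes":
                mode = "whodata"
            elif entry.get("realtime", "no").lower() == "yes":
                mode = "realtime"
            else:
                mode = "scheduled"
            # One <directories> element can list several comma-separated paths.
            for path in (entry.text or "").split(","):
                path = path.strip()
                if path:
                    # Assumption of this sketch: a repeated path keeps the last entry seen.
                    modes[path] = mode
    return modes

def scheduled_only(conf_text):
    """Paths whose changes are only picked up by the next scheduled scan."""
    modes = monitoring_modes(conf_text)
    return sorted(p for p, m in modes.items() if m == "scheduled")

if __name__ == "__main__":
    for path in scheduled_only(SAMPLE_CONF):
        print("no realtime/whodata:", path)
```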