Collecting old logs


serano...@gmail.com

Jul 10, 2022, 11:32:25 AM7/10/22
to Wazuh mailing list
Hi All.
I just want to know if there is the possibility to collect with Wazuh all the logs (from the monitored channels) that were generated before the Wazuh agent installation, which (of course) are still present in the event channels of the Windows machines, as I want to know what happened before the installation of the agent.


Thanks for your job, guys.

Jesus Linares

Jul 11, 2022, 5:09:20 AM7/11/22
to Wazuh mailing list
Hi,

Wazuh is designed to get only the current events. There is a setting called only-future-events that has the following behavior:
  • yes (default): Read logs since the moment Wazuh was started
  • no: Read the logs since the last bookmark (when Wazuh was stopped).
As you can see, if you configure with "no", you will not get the logs before the agent installation.

That said, there is a workaround that you can test (I don't recommend it in production environments):
  1. Start the agent with your log configuration. In this way, the proper bookmark will be created (in the bookmark folder)
  2. Modify the bookmark and set the value to 0 (keep in mind the file is in UTF-16)
  3. Set only-future-events to no
  4. Restart the agent
In this way, the agent will send events from the beginning of the source (bookmark = 0).

You could potentially have two issues:
  • Send duplicated events
  • The agent could be flooded (see leaky bucket)
I hope it helps.
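The workaround above (start once, stop, rewrite the bookmark to 0 in UTF-16, set only-future-events to no, start again), as an added PowerShell example that is not from the thread or the Wazuh project. It assumes the agent install directory, the Windows service name "WazuhSvc", that each bookmark file is named after its channel, and that the file holds the standard Windows Event Log bookmark XML (a `RecordId='N'` attribute) written as UTF-16LE; all four are assumptions, so list the bookmark folder and inspect one file before running it. The ossec.conf fragment in the header comment uses the documented eventchannel localfile syntax.

```powershell
# Added example, not Wazuh's own code. Assumptions are marked inline.
#
# The matching localfile block in ossec.conf (set this before the rewrite):
#   <localfile>
#     <location>Security</location>
#     <log_format>eventchannel</log_format>
#     <only-future-events>no</only-future-events>
#   </localfile>

param(
    [string]$AgentDir    = 'C:\Program Files (x86)\ossec-agent',  # assumption: default install dir
    [string]$ServiceName = 'WazuhSvc',                            # assumption: agent service name
    [string[]]$Channels  = @('Security')                          # channels configured in ossec.conf
)

function Reset-WazuhBookmark {
    # Rewrites one bookmark file so its RecordId is 0, preserving UTF-16LE and any BOM.
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 4) { throw "$Path is too short to be a bookmark file" }

    # The reply says the file is UTF-16; decode it with or without a BOM.
    $hasBom = ($bytes[0] -eq 0xFF) -and ($bytes[1] -eq 0xFE)
    $body   = if ($hasBom) { $bytes[2..($bytes.Length - 1)] } else { $bytes }
    $xml    = [System.Text.Encoding]::Unicode.GetString([byte[]]$body)

    # Assumption: standard Windows bookmark XML, e.g.
    # <Bookmark Channel='Security' RecordId='12345' IsCurrent='true'/>
    if ($xml -match "RecordId='(\d+)'") {
        $old = $Matches[1]
    } else {
        throw "No RecordId attribute found in $Path; inspect the file before editing it"
    }
    $new = $xml -replace "RecordId='\d+'", "RecordId='0'"

    # Encoding.Unicode.GetBytes() emits no BOM, so re-add it only if the original had one.
    $out = [System.Text.Encoding]::Unicode.GetBytes($new)
    if ($hasBom) { $out = [byte[]](0xFF, 0xFE) + $out }
    [System.IO.File]::WriteAllBytes($Path, [byte[]]$out)

    [pscustomobject]@{ Path = $Path; OldRecordId = [int64]$old; NewRecordId = 0 }
}

# 1. Stop the agent so it cannot overwrite the bookmark while we edit it.
Stop-Service -Name $ServiceName

# 2. Rewrite each channel's bookmark. The file only exists after the agent has
#    run once with the channel configured (step 1 of the reply).
foreach ($ch in $Channels) {
    $path = Join-Path $AgentDir "bookmarks\$ch"   # assumption: file named after the channel
    if (-not (Test-Path $path)) {
        Write-Warning "No bookmark for '$ch' at $path; start the agent once first"
        continue
    }
    Reset-WazuhBookmark -Path $path
}

# 3. Start the agent; with only-future-events set to no it resumes from record 0
#    and re-reads the whole channel. Expect duplicates and possible event-flood
#    throttling on the manager, as the reply warns.
Start-Service -Name $ServiceName
```

Run it from an elevated prompt, since stopping and starting the service needs administrator rights. If a channel's bookmark file does not contain a `RecordId` attribute, the function refuses to touch it rather than guessing; check the file's actual content in that case. Because the agent re-sends everything from record 0, apply this on one test host first and watch the manager's queue and the agent's event throttling before repeating it elsewhere.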


