Filtering data using queries

New in version 3.7.0.

Advanced filtering is possible using the Wazuh API's queries. Queries are specified using the q parameter. A query has the following structure:

  • Field name: Field name to filter by. If an incorrect field name is used, an error is raised.

  • Operator: Operator to filter by:
    • =: equal to.

    • !=: not equal to.

    • <: less than.

    • >: greater than.

    • ~: like (the value matches a substring of the field).

  • Value: Value to filter by.

  • Separator: Operator to join multiple "queries":
    • ,: represents an OR.

    • ;: represents an AND.

Examples

Filtering agents by OS name and OS version

For example, to filter Ubuntu agents with an OS version higher than 12, the following query would be used:

# curl -u foo:bar -X GET "http://localhost:55000/agents?pretty&q=os.name=ubuntu;os.version>12&select=id,name,os.name,os.version,os.codename,os.major"
{
    "error": 0,
    "data": {
        "totalItems": 2,
        "items": [
            {
                "os": {
                    "codename": "Bionic Beaver",
                    "version": "18.04.1 LTS",
                    "major": "18",
                    "name": "Ubuntu"
                },
                "name": "wazuh",
                "id": "000"
            },
            {
                "os": {
                    "codename": "Xenial Xerus",
                    "version": "16.04.5 LTS",
                    "major": "16",
                    "name": "Ubuntu"
                },
                "name": "ubuntu",
                "id": "001"
            }
        ]
    }
}

The same field can be used multiple times to narrow the result further. For example, filtering agents with an Ubuntu version higher than 12 but lower than 18:

# curl -u foo:bar -X GET "http://localhost:55000/agents?pretty&q=os.name=ubuntu;os.version>12;os.version<18&select=id,name,os.name,os.version,os.codename,os.major"
{
    "error": 0,
    "data": {
        "totalItems": 1,
        "items": [
            {
                "os": {
                    "codename": "Xenial Xerus",
                    "version": "16.04.5 LTS",
                    "major": "16",
                    "name": "Ubuntu"
                },
                "name": "ubuntu",
                "id": "001"
            }
        ]
    }
}

An example of the OR separator is filtering agents running Ubuntu or CentOS (the space in "centos linux" is URL-encoded as +):

# curl -u foo:bar -X GET "http://localhost:55000/agents?pretty&q=os.name=ubuntu,os.name=centos+linux&select=id,name,os.name,os.version,os.codename,os.major"
{
    "error": 0,
    "data": {
        "totalItems": 3,
        "items": [
            {
                "os": {
                    "codename": "Bionic Beaver",
                    "version": "18.04.1 LTS",
                    "major": "18",
                    "name": "Ubuntu"
                },
                "name": "wazuh",
                "id": "000"
            },
            {
                "os": {
                    "codename": "Xenial Xerus",
                    "version": "16.04.5 LTS",
                    "major": "16",
                    "name": "Ubuntu"
                },
                "name": "ubuntu",
                "id": "001"
            },
            {
                "os": {
                    "codename": "Core",
                    "version": "7",
                    "major": "7",
                    "name": "CentOS Linux"
                },
                "name": "centos7",
                "id": "002"
            }
        ]
    }
}

Another example, using the ~ operator to match agents whose OS name contains "cent":

# curl -u foo:bar -X GET "http://localhost:55000/agents?pretty&q=os.name~cent"
{
    "error": 0,
    "data": {
        "items": [
            {
                "os": {
                    "arch": "x86_64",
                    "codename": "Core",
                    "major": "7",
                    "name": "CentOS Linux",
                    "platform": "centos",
                    "uname": "Linux |localhost.localdomain |3.10.2-862.11.6.el7.x86_64 |#1 SMP Tue Aug 14 21:49:04 UTC 2018 |x86_64",
                    "version": "7"
                },
                "name": "agent002",
                "configSum": "ab73af41699f13fdd81903b5f23d8d00",
                "node_name": "master",
                "status": "Active",
                "lastKeepAlive": "2018-10-16 16:36:36",
                "mergedSum": "bcb219b9b009801f3b29eb9e00a6a88d",
                "id": "002",
                "group": [
                    "default"
                ],
                "manager": "localhost.localdomain",
                "version": "Wazuh v3.7.0",
                "dateAdd": "2018-10-16 13:34:24",
                "ip": "192.168.122.19"
            }
        ],
        "totalItems": 1
    }
}
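The query grammar described above and the agent examples on this page, as an added Python example that is not part of the Wazuh documentation or the API's own code: a small parser and evaluator that applies a q string to constructed agent records mirroring the ones shown, and rejects unknown field names before anything is evaluated. It assumes the query is already URL-decoded (so + has become a space), that text comparisons are case-insensitive, that < and > compare values as strings, and that ; binds tighter than , because the page does not state a precedence.

```python
import re

# Constructed sample records mirroring the agents shown on this page (not live API data).
AGENTS = [
    {"id": "000", "name": "wazuh", "os": {"name": "Ubuntu", "version": "18.04.1 LTS", "major": "18"}},
    {"id": "001", "name": "ubuntu", "os": {"name": "Ubuntu", "version": "16.04.5 LTS", "major": "16"}},
    {"id": "002", "name": "centos7", "os": {"name": "CentOS Linux", "version": "7", "major": "7"}},
]
# Allow-list of filterable fields: an unknown field is an error, as the page states,
# rather than being passed through to the backing query.
ALLOWED_FIELDS = {"id", "name", "os.name", "os.version", "os.major"}
# One term: field, operator, value. '!=' is listed before '=' so it is tried first.
TERM = re.compile(r"([\w.]+)(!=|=|<|>|~)([^;,]+)")

def lookup(record, path):
    """Resolve a dotted field path such as os.name against a nested dict."""
    for part in path.split("."):
        record = record.get(part) if isinstance(record, dict) else None
    return record

def match_term(record, field, op, value):
    if field not in ALLOWED_FIELDS:
        raise ValueError(f"unknown field: {field}")
    actual = lookup(record, field)
    if actual is None:
        return False
    a, v = str(actual).lower(), value.lower()   # assumption: case-insensitive text compare
    return {"=": a == v, "!=": a != v, "<": a < v, ">": a > v, "~": v in a}[op]

def parse(q):
    """Split q into OR-groups (',') of AND-terms (';'). Assumption: ';' binds tighter than ','."""
    groups = []
    for disjunct in q.split(","):
        terms = []
        for raw in disjunct.split(";"):
            m = TERM.fullmatch(raw)
            if not m:
                raise ValueError(f"malformed query term: {raw!r}")
            terms.append(m.groups())
        groups.append(terms)
    return groups

def filter_records(records, q):
    groups = parse(q)   # parse (and validate field names) once, before touching any record
    return [r for r in records if any(all(match_term(r, *t) for t in g) for g in groups)]

def ids(q):
    """Agent ids matching q, in record order; convenient for checking results."""
    return [r["id"] for r in filter_records(AGENTS, q)]
```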

Filtering rootcheck events by date

The following example shows how to check rootcheck events generated in a specified timeframe:

# curl -u foo:bar -X GET "http://localhost:55000/rootcheck/001?pretty&q=oldDay<3h25m&limit=2"
{
    "error": 0,
    "data": {
        "totalItems": 7,
        "items": [
            {
                "status": "outstanding",
                "oldDay": "2018-10-03 12:47:26",
                "event": "Ending CIS-CAT scan. File: /var/ossec/wodles/ciscat/benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml. ",
                "readDay": "2018-10-03 15:44:53"
            },
            {
                "status": "outstanding",
                "oldDay": "2018-10-03 12:46:06",
                "event": "Starting CIS-CAT scan. File: /var/ossec/wodles/ciscat/benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml. ",
                "readDay": "2018-10-03 15:44:18"
            }
        ]
    }
}

A more precise timeframe can be specified by using the > and < operators together:

# curl -u foo:bar -X GET "http://localhost:55000/rootcheck/001?pretty&q=oldDay<3h30m;oldDay>3h&limit=2"
{
    "error": 0,
    "data": {
        "totalItems": 7,
        "items": [
            {
                "status": "outstanding",
                "oldDay": "2018-10-03 12:47:26",
                "event": "Ending CIS-CAT scan. File: /var/ossec/wodles/ciscat/benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml. ",
                "readDay": "2018-10-03 15:44:53"
            },
            {
                "status": "outstanding",
                "oldDay": "2018-10-03 12:46:06",
                "event": "Starting CIS-CAT scan. File: /var/ossec/wodles/ciscat/benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml. ",
                "readDay": "2018-10-03 15:44:18"
            }
        ]
    }
}