wazuh-db

The Wazuh core uses list-based databases to store information related to agent keys, and FIM/Rootcheck event data.

Note

Each agent has a database which name is the id of the agent registered in the manager

wazuh-db options

-d Basic debug mode.
-dd Verbose debug mode.
-f Run in foreground.
-h Display the help message.
-V Version and license message.
-t Test configuration.

Tables available for wazuh-db

fim_entry

Data from FIM records reported by the agent

Field Description Example
file File name /test/file
type Type (file or registry) file
date Event timestamp 1538556788
changes Successive file changes 0
size File size 28179
perm File permissions 100664
uid User ID 1000
gid Group ID (Unix) 1000
md5 File MD5 6d9bd718faff778bbeabada6f07f5c2f
sha1 File SHA1 3ad067d8949ab0e20c220d7b1acb338190967acc
uname Unix name root
gname Group name root
mtime Modify time 1536059852
inode Inode number 14946484
sha256 File SHA256 09aaf47929660c513332aa2349bc66ce7ae710d030888530e0ae27646c9e6f5d
attributes File attrs mask (Windows) 32
symbolic_path Path of the monitored sym link /test/link
checksum SHA1 of all file attributes da39a3ee5e6b4b0d3255bfef95601890afd80709

sync_info

New in version 3.12.0.

It stores the information related to the synchronization between the databases of the agents and the manager

Field Description Example
component Module name fim
last_attempt Unix timestamp of the last synchronization attempt 1580906939
last_completion Unix timestamp of the last successful synchronization 1580906939
n_attempts Number of synchronization attempts 32
n_completions Number of successful synchronizations 29

scan_info

It stores the begin and end times of each scan of an agent (used for agents prior to 3.12)

Field Description Example
module Module name fim
first_start First scan begin date 1538558233
first_end First scan end date 1538556788
start_scan Last scan start date 1538558233
end_scan Last scan end date 1538558192
fim_first_check Start date of first scan 1538558233
fim_second_check Start date of two scans ago 1538556779
fim_third_check Start date of three scans ago 1538555325

Note

Fields fim_first_check, fim_second_check and fim_third_check are only used on FIM scans

metadata

Data needed to upgrade the agent’s database

Field Description Example
key Field name db_version
value Field value 3

Syscollector tables

Table Description
sys_hwinfo Stores information about the hardware of the system
sys_netiface Stores information about the existing network interfaces of the system
sys_netaddr Stores information about the IPv4 and IPv6 of the existing network interfaces
sys_netproto Stores information about routing configuration for each interface
sys_osinfo Stores information about the operating system
sys_ports Stores information about the opened ports of a system
sys_processes Stores information about the current processes running in the system
sys_programs Stores information about the packages installed in the system
sys_hotfixes Stores information about the Windows updates installed on the agent

CIS-CAT table

Results of a CIS-CAT scan of an agent

Field Description Example
id Unique identifier 12372
scan_id Scan identifier 1701467600
scan_time Scan time 2018-02-08T11:47:28.066-08:00
benchmark Executed benchmark CIS Ubuntu Linux 16.04 LTS Benchmark
profile Profile inside benchmark executed xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server
pass Number of checks passed 98
fail Number of fails 85
error Number of errors 0
notchecked Number of not checked 36
unknown Number of unknown 1
score Final score 53%