This is the documentation for Wazuh 3.8. Check out the docs for the latest version of Wazuh!

wazuh-db

The Wazuh core uses list-based databases to store information related to agent keys, and FIM/Rootcheck event data.

Note

Each agent has a database which name is the id of the agent registered in the manager

wazuh-db options

-d Basic debug mode.
-dd Verbose debug mode.
-f Run in foreground.
-h Display the help message.
-V Version and license message.
-t Test configuration.

Tables available for wazuh-db

scan_info

It stores the begin and end times of each scan of an agent

Field Description Example
module Module name fim
first_start First scan begin date 1538558233
first_end First scan end date 1538556788
start_scan Last scan start date 1538558233
end_scan Last scan end date 1538558192
fim_first_check Start date of first scan 1538558233
fim_second_check Start date of two scans ago 1538556779
fim_third_check Start date of three scans ago 1538555325

Note

Fields fim_first_check, fim_second_check and fim_third_check are only used on FIM scans

fim_entry

Data from FIM records reported by the agent

Field Description Example
file File name /root/file
type Type (file or registry) file
date Event timestamp 1538556788
changes CPU name 0
size File size 28179
perm File permissions 100664
uid User ID 1000
gid Group ID 1000
md5 File MD5 6d9bd718faff778bbeabada6f07f5c2f
sha1 File SHA1 3ad067d8949ab0e20c220d7b1acb338190967acc
uname Unix name cervi
gname Group name cervi
mtime Modify time 1536059852
inode Inode number 14946484
sha256 File SHA256 09aaf47929660c513332aa2349bc66ce7ae710d030888530e0ae27646c9e6f5d

metadata

Data needed to upgrade the agent’s database

Field Description Example
key Field name version_major
value Field value 3

Syscollector tables

Table Description
sys_hwinfo Stores information about the hardware of the system
sys_netiface Stores information about the existing network interfaces of the system
sys_netaddr Stores information about the IPv4 and IPv6 of the existing network interfaces
sys_netproto Stores information about routing configuration for each interface
sys_osinfo Stores information about the operating system
sys_ports Stores information about the opened ports of a system
sys_processes Stores information about the current processes running in the system
sys_programs Stores information about the packages installed in the system

CIS-CAT table

Results of a CIS-CAT scan of an agent

Field Description Example
id Unique identifier 12372
scan_id Scan identifier 1701467600
scan_time Scan time 2018-02-08T11:47:28.066-08:00
benchmark Executed benchmark CIS Ubuntu Linux 16.04 LTS Benchmark
profile Profile inside benchmark executed xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server
pass Number of checks passed 98
fail Number of fails 85
error Number of errors 0
notchecked Number of not checked 36
unknown Number of unknown 1
score Final score 53%