wazuh-db

The Wazuh core uses list-based databases to store information related to agent keys, and FIM/Rootcheck event data.

Note

Each agent has a database which name is the id of the agent registered in the manager

wazuh-db options

-d

Basic debug mode.

-dd

Verbose debug mode.

-f

Run in foreground.

-h

Display the help message.

-V

Version and license message.

-t

Test configuration.

Tables available for wazuh-db

scan_info

It stores the begin and end times of each scan of an agent

Field

Description

Example

module

Module name

fim

first_start

First scan begin date

1538558233

first_end

First scan end date

1538556788

start_scan

Last scan start date

1538558233

end_scan

Last scan end date

1538558192

fim_first_check

Start date of first scan

1538558233

fim_second_check

Start date of two scans ago

1538556779

fim_third_check

Start date of three scans ago

1538555325

Note

Fields fim_first_check, fim_second_check and fim_third_check are only used on FIM scans

fim_entry

Data from FIM records reported by the agent

Field

Description

Example

file

File name

/root/file

type

Type (file or registry)

file

date

Event timestamp

1538556788

changes

CPU name

0

size

File size

28179

perm

File permissions

100664

uid

User ID

1000

gid

Group ID

1000

md5

File MD5

6d9bd718faff778bbeabada6f07f5c2f

sha1

File SHA1

3ad067d8949ab0e20c220d7b1acb338190967acc

uname

Unix name

cervi

gname

Group name

cervi

mtime

Modify time

1536059852

inode

Inode number

14946484

sha256

File SHA256

09aaf47929660c513332aa2349bc66ce7ae710d030888530e0ae27646c9e6f5d

metadata

Data needed to upgrade the agent’s database

Field

Description

Example

key

Field name

version_major

value

Field value

3

Syscollector tables

Table

Description

sys_hwinfo

Stores information about the hardware of the system

sys_netiface

Stores information about the existing network interfaces of the system

sys_netaddr

Stores information about the IPv4 and IPv6 of the existing network interfaces

sys_netproto

Stores information about routing configuration for each interface

sys_osinfo

Stores information about the operating system

sys_ports

Stores information about the opened ports of a system

sys_processes

Stores information about the current processes running in the system

sys_programs

Stores information about the packages installed in the system

CIS-CAT table

Results of a CIS-CAT scan of an agent

Field

Description

Example

id

Unique identifier

12372

scan_id

Scan identifier

1701467600

scan_time

Scan time

2018-02-08T11:47:28.066-08:00

benchmark

Executed benchmark

CIS Ubuntu Linux 16.04 LTS Benchmark

profile

Profile inside benchmark executed

xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server

pass

Number of checks passed

98

fail

Number of fails

85

error

Number of errors

0

notchecked

Number of not checked

36

unknown

Number of unknown

1

score

Final score

53%