wazuh-db
wazuh-db is the manager daemon that owns the SQLite databases in which the Wazuh core stores agent keys and FIM/Rootcheck event data. Other manager components read and write this data through wazuh-db rather than by opening the database files themselves.
Note
Each agent has its own database, named after the id assigned to the agent when it registered with the manager (agent 001 uses 001.db, stored in the manager's queue/db directory).
wazuh-db options
Option | Description |
---|---|
-d | Basic debug mode. |
-dd | Verbose debug mode. |
-f | Run in foreground. |
-h | Display the help message. |
-V | Version and license message. |
-t | Test configuration. |
Tables available for wazuh-db
scan_info
Stores the start and end times of each scan module run on the agent, keyed by module name. Times are Unix timestamps (seconds since the epoch).
Field | Description | Example |
---|---|---|
module | Module name | fim |
first_start | Start date of the first scan | 1538558233 |
first_end | End date of the first scan | 1538556788 |
start_scan | Start date of the last scan | 1538558233 |
end_scan | End date of the last scan | 1538558192 |
fim_first_check | Start date of the latest scan | 1538558233 |
fim_second_check | Start date of the scan before the latest one (two scans ago) | 1538556779 |
fim_third_check | Start date of three scans ago | 1538555325 |
Note
The fields fim_first_check, fim_second_check and fim_third_check are only used for FIM scans.
fim_entry
Data from the FIM records reported by the agent: one row per monitored file or registry entry, holding the attributes observed in the most recent event for it.
Field | Description | Example |
---|---|---|
file | File path (or registry key) | /root/file |
type | Entry type: file or registry | file |
date | Timestamp of the last event for this entry | 1538556788 |
changes | Number of changes reported for this entry | 0 |
size | File size in bytes | 28179 |
perm | File permissions, as an octal mode string that includes the file type bits | 100664 |
uid | Owner user ID | 1000 |
gid | Owner group ID | 1000 |
md5 | File MD5 digest | 6d9bd718faff778bbeabada6f07f5c2f |
sha1 | File SHA1 digest | 3ad067d8949ab0e20c220d7b1acb338190967acc |
uname | Owner user name | cervi |
gname | Owner group name | cervi |
mtime | Last modification time | 1536059852 |
inode | Inode number | 14946484 |
sha256 | File SHA256 digest | 09aaf47929660c513332aa2349bc66ce7ae710d030888530e0ae27646c9e6f5d |
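The queries below show how a responder uses the scan_info and fim_entry tables together: checking whether the last FIM scan has finished, listing what changed since it started, hunting a known-bad SHA-256 and decoding the octal perm field. This is an added example, not code from wazuh-db or the Wazuh project. It builds an in-memory SQLite database with the column names documented above (the column types, the sample rows and the reading of start_scan later than end_scan as "scan still running" are assumptions made for the example) so it runs offline; open_agent_db() can instead be given the path of a real agent database on the manager.

```python
"""Query an agent's scan_info and fim_entry tables the way a responder would.

Added example for this page; not part of wazuh-db or the Wazuh project.
Column names follow the tables documented above; column types are an
assumption, not the real schema.
"""
import sqlite3

SCHEMA = """
CREATE TABLE scan_info (
    module TEXT PRIMARY KEY,
    first_start INTEGER, first_end INTEGER,
    start_scan INTEGER, end_scan INTEGER,
    fim_first_check INTEGER, fim_second_check INTEGER, fim_third_check INTEGER
);
CREATE TABLE fim_entry (
    file TEXT PRIMARY KEY, type TEXT NOT NULL, date INTEGER, changes INTEGER,
    size INTEGER, perm TEXT, uid TEXT, gid TEXT, md5 TEXT, sha1 TEXT,
    uname TEXT, gname TEXT, mtime INTEGER, inode INTEGER, sha256 TEXT
);
"""

# Constructed sample data (not taken from a real agent). The FIM scan is
# still running: start_scan is later than end_scan.
SCAN_INFO_ROWS = [
    ("fim", 1538555325, 1538555400, 1538558233, 1538558192,
     1538558233, 1538556779, 1538555325),
]
# The hash columns hold placeholder hex strings of the right length.
FIM_ROWS = [
    # file, type, date, changes, size, perm, uid, gid, md5, sha1, uname, gname, mtime, inode, sha256
    ("/etc/passwd", "file", 1538556788, 1, 2345, "100644", "0", "0",
     "a1" * 16, "b1" * 20, "root", "root", 1536059852, 14946484, "c1" * 32),
    ("/usr/local/bin/helper", "file", 1538558240, 4, 28179, "104755", "0", "0",
     "a2" * 16, "b2" * 20, "root", "root", 1538558230, 14946501, "c2" * 32),
    ("/root/.ssh/authorized_keys", "file", 1538558235, 2, 812, "100600", "0", "0",
     "a3" * 16, "b3" * 20, "root", "root", 1538558234, 14946502, "c3" * 32),
    ("/tmp/dropped", "file", 1538557000, 1, 4096, "100666", "1000", "1000",
     "a4" * 16, "b4" * 20, "cervi", "cervi", 1538556990, 14946600, "c4" * 32),
]


def open_agent_db(path=":memory:"):
    """Open an agent database; ":memory:" builds the constructed sample set."""
    if path == ":memory:":
        conn = sqlite3.connect(":memory:")
        conn.executescript(SCHEMA)
        conn.executemany("INSERT INTO scan_info VALUES (?,?,?,?,?,?,?,?)", SCAN_INFO_ROWS)
        conn.executemany("INSERT INTO fim_entry VALUES (" + ",".join("?" * 15) + ")", FIM_ROWS)
        return conn
    # wazuh-db owns the real files: open them read-only so nothing here can write.
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def scan_in_progress(conn, module="fim"):
    """True when the last recorded start is later than the last recorded end
    (this example's reading of start_scan/end_scan)."""
    row = conn.execute("SELECT start_scan, end_scan FROM scan_info WHERE module = ?",
                       (module,)).fetchone()
    return row is not None and row[0] > row[1]


def changed_since_last_scan_start(conn):
    """Paths whose last FIM event is at or after the start of the latest FIM scan."""
    rows = conn.execute(
        "SELECT f.file FROM fim_entry f, scan_info s "
        "WHERE s.module = 'fim' AND f.date >= s.start_scan ORDER BY f.file")
    return [r[0] for r in rows]


def hunt_hash(conn, sha256):
    """IOC lookup: paths whose current SHA-256 matches a known-bad digest."""
    rows = conn.execute("SELECT file FROM fim_entry WHERE sha256 = ?", (sha256.lower(),))
    return [r[0] for r in rows]


def risky_permissions(conn):
    """Regular files that are world-writable or setuid/setgid, decoded from the
    octal mode string in perm (e.g. '104755' = regular file, setuid, 0755)."""
    out = []
    for path, perm in conn.execute("SELECT file, perm FROM fim_entry WHERE type = 'file'"):
        mode = int(perm, 8)
        if mode & 0o002 or mode & 0o6000:
            out.append(path)
    return sorted(out)


if __name__ == "__main__":
    db = open_agent_db()
    print("fim scan running:", scan_in_progress(db))
    print("changed since last scan start:", changed_since_last_scan_start(db))
    print("files carrying hash c2..:", hunt_hash(db, "c2" * 32))
    print("risky permissions:", risky_permissions(db))
```

To sweep every agent, loop over the per-agent database files in the manager's queue/db directory and call hunt_hash() on each. Keep the read-only URI: the files are live databases held by wazuh-db, and anything that needs to modify them should go through the daemon, not through a direct SQLite connection.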
metadata
Key/value pairs describing the schema version of the agent's database, used to upgrade the database when the manager is updated.
Field | Description | Example |
---|---|---|
key | Field name | version_major |
value | Field value | 3 |
Syscollector tables
Table | Description |
---|---|
 | Stores information about the hardware of the system |
 | Stores information about the existing network interfaces of the system |
 | Stores information about the IPv4 and IPv6 addresses of the existing network interfaces |
 | Stores information about the routing configuration of each interface |
 | Stores information about the operating system |
 | Stores information about the open ports of the system |
 | Stores information about the processes currently running in the system |
 | Stores information about the packages installed in the system |
CIS-CAT table
Results of the CIS-CAT scans of an agent, one row per benchmark run.
Field | Description | Example |
---|---|---|
id | Unique row identifier | 12372 |
scan_id | Scan identifier | 1701467600 |
scan_time | Scan time (ISO 8601, with timezone offset) | 2018-02-08T11:47:28.066-08:00 |
benchmark | Executed benchmark | CIS Ubuntu Linux 16.04 LTS Benchmark |
profile | Profile of the benchmark that was executed | xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server |
pass | Number of checks passed | 98 |
fail | Number of checks failed | 85 |
error | Number of checks that produced an error | 0 |
notchecked | Number of checks not checked | 36 |
unknown | Number of checks with an unknown result | 1 |
score | Final score, stored as a percentage string | 53% |
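Because every run is kept as its own row, the table can be used to detect hardening regressions: compare the latest run of each benchmark/profile pair against the previous one and flag a drop in score or a rise in failed checks. This is an added example, not code from wazuh-db or the Wazuh project. It uses the column names documented above; the table name ciscat, the column types, the two constructed rows and the assumption that a larger id means a later scan are all made up for the example.

```python
"""Flag CIS-CAT regressions between an agent's last two benchmark runs.

Added example for this page; not part of wazuh-db or the Wazuh project.
Column names follow the CIS-CAT table documented above; the table name,
column types and ordering by id are assumptions.
"""
import sqlite3

SCHEMA = """
CREATE TABLE ciscat (
    id INTEGER PRIMARY KEY, scan_id INTEGER, scan_time TEXT, benchmark TEXT,
    profile TEXT, pass INTEGER, fail INTEGER, error INTEGER,
    notchecked INTEGER, unknown INTEGER, score TEXT
);
"""

BENCH = "CIS Ubuntu Linux 16.04 LTS Benchmark"
PROFILE = "xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server"
# Constructed rows (not real scan output): two consecutive runs of the same
# benchmark and profile, the second one worse than the first.
ROWS = [
    (12372, 1701467600, "2018-02-08T11:47:28.066-08:00", BENCH, PROFILE, 98, 85, 0, 36, 1, "53%"),
    (12373, 1701554000, "2018-02-09T11:48:02.410-08:00", BENCH, PROFILE, 91, 92, 0, 36, 1, "49%"),
]


def open_db():
    """Build the in-memory sample table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO ciscat VALUES (" + ",".join("?" * 11) + ")", ROWS)
    return conn


def parse_score(score):
    """'53%' -> 53: the score column is text with a trailing percent sign."""
    return int(score.strip().rstrip("%"))


def regressions(conn, max_score_drop=0):
    """Compare the latest run of each benchmark/profile pair with the previous
    one. Report pairs whose score fell by more than max_score_drop points or
    that gained failed checks. Assumes a larger id means a later run."""
    pairs = conn.execute(
        "SELECT benchmark, profile FROM ciscat "
        "GROUP BY benchmark, profile HAVING COUNT(*) >= 2").fetchall()
    out = []
    for benchmark, profile in pairs:
        (new_score, new_fail), (old_score, old_fail) = conn.execute(
            "SELECT score, fail FROM ciscat WHERE benchmark = ? AND profile = ? "
            "ORDER BY id DESC LIMIT 2", (benchmark, profile)).fetchall()
        drop = parse_score(old_score) - parse_score(new_score)
        if drop > max_score_drop or new_fail > old_fail:
            out.append({"benchmark": benchmark, "profile": profile,
                        "score_drop": drop, "new_failures": new_fail - old_fail})
    return out


if __name__ == "__main__":
    for r in regressions(open_db()):
        print(f"{r['benchmark']} / {r['profile']}: score down {r['score_drop']} points, "
              f"{r['new_failures']} more failed checks")
```

A drop in score alone is a weak signal when the benchmark version or profile changed between runs, which is why the comparison is keyed on both benchmark and profile; a pair with a single run is skipped rather than compared against a different benchmark.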