System inventory

The Wazuh agents are able to collect interesting system information and store it into an SQLite database for each agent on the manager side. The Syscollector module is in charge of this task.

How it works

As mentioned above, the main purpose of this module is to gather the most relevant information from the monitored system.

Once the agent starts, Syscollector runs periodically scans of defined targets (hardware, OS, packages, etc.), forwarding the new collected data to the manager, which updates the appropriate tables of the database.

The agent's inventory is gathered for different goals. The entire inventory can be found at the inventory tab of the Wazuh APP for each agent, by querying the Wazuh API to retrieve the data from the DB. Also the Dev tools tab is available, with this feature the Wazuh API can be directly queried about the different scans being able to filter by any desired field.

In addition, the packages and hotfixes inventory is used as feed for the Vulnerability detector module.

Available scans

The collected information from Wazuh agents is stored in different SQLite tables. Here the content of each available table is described.

At present, this module is available for Linux, Windows, MacOS, OpenBS and FreeBSD. See the compatibility matrix for more information.

Hardware

New in version 3.2.0.

Retrieve basic information about the hardware components of a system.

Field

Description

Example

Available

scan_id

Scan identifier

573872577

All

scan_time

Scan date

2018/07/31 15:31:26

All

board_serial

Motherboard serial number

XDR840TUGM65E03171

All

cpu_name

CPU name

Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz

All

cpu_cores

Number of cores of the CPU

4

All

cpu_mhz

Current processor frequency

900.106

All

ram_total

Total RAM (KB)

16374572

All

ram_free

Free RAM (KB)

2111928

All

ram_usage

Percentage of RAM in use

87

All

Operating system

New in version 3.2.0.

Retrieve basic information about the operating system.

Field

Description

Example

Available

scan_id

Scan identifier

468455719

All

scan_time

Scan date

2018/07/31 15:31:26

All

hostname

Hostname of the machine

ag-ubuntu-16

All

architecture

OS architecture

x86_64

All

os_name

OS name

Ubuntu

All

os_version

OS version

16.04.5 LTS (Xenial Xerus)

All

os_codename

OS version codename

Xenial Xerus

All

os_major

Major release version

16

All

os_minor

Minor release version

04

All

os_build

Optional build-specific

14393

Windows

os_release

Windows Release ID

SP2

Windows

os_platform

OS platform

ubuntu

All

sysname

System name

Linux

Linux

release

Release name

4.15.0-29-generic

Linux

version

Release version

#31~16.04.1-Ubuntu SMP Wed Jul 18 08:54:04 UTC 2018

All

Packages

New in version 3.2.0.

The current packages inventory of each Wazuh agent. On Linux systems, retrieved packages can be deb or rpm types.

Field

Description

Example

Available

scan_id

Scan identifier

1454946158

All

scan_time

Scan date

2018/07/27 07:27:14

All

format

Format of the package

deb

All

name

Name of the package

linux-headers-generic

All

priority

Priority of the package

optional

deb

section

Section of the package

kernel

deb/rpm/pkg

size

Size of the installed package in bytes

14

deb/rpm

vendor

Vendor name

Ubuntu Kernel Team

deb/rpm/win

install_time

Date when the package was installed

2018/02/08 18:45:48

rpm/win

version

Version of the package

4.4.0.130.136

All

architecture

Architecture of the package

amd64

All

multiarch

Multiarchitecture support

same

deb

source

Source of the package

linux-meta

deb/rpm/pkg

description

Description of the package

Generic Linux kernel headers

deb/rpm/pkg

location

Location of the package

C:\Program Files\VMware\VMware Tools\

win/pkg

Network interfaces

New in version 3.5.0.

The network interfaces scan retrieves information about the existing network interface of a system (up and down interfaces) as well as their routing configuration, it is composed of three tables to ensure that the information is as structured as possible.

  • sys_netiface table

Field

Description

Example

Available

id

Id

1

All

scan_id

Scan identifier

160615720

All

scan_time

Scan date

2018/07/31 16:46:20

All

name

Interface name

eth0

All

adapter

Physical adapter name

Intel(R) PRO/1000 MT Desktop Adapter

Windows

type

Network adapter

ethernet

All

state

State of the interface

up

All

mtu

Maximum Transmission Unit

1500

All

mac

MAC Address

08:00:27:C0:14:A5

All

tx_packets

Transmitted packets

30279

All

rx_packets

Received packets

12754

All

tx_bytes

Transmitted bytes

10034626

All

rx_bytes

Received bytes

1111175

All

tx_errors

Transmission errors

0

All

rx_errors

Reception errors

0

All

tx_dropped

Dropped transmission packets

0

All

rx_dropped

Dropped reception packets

0

All

  • sys_netaddr table

Referencing interfaces described at sys_netiface, this table shows the IPv4 and IPv6 addresses associated to that interfaces.

Field

Description

Example

Available

id

Referenced id from sys_netiface

1

All

scan_id

Scan identifier

160615720

All

proto

Protocol name

ipv4

All

address

IPv4/IPv6 address

192.168.1.87

All

netmask

Netmask address

255.255.255.0

All

broadcast

Broadcast address

192.168.1.255

All

  • sys_netproto table

Referencing interfaces described at sys_netiface, this table shows the routing configuration for each interface.

Field

Description

Example

Available

id

Referenced id from sys_netiface

1

All

scan_id

Scan identifier

160615720

All

iface

Interface name

eth0

All

type

Protocol of the interface data

ipv4

All

gateway

Default gateway

192.168.1.1

Linux/Windows/macOS

dhcp

DHCP status

enabled

Linux/Windows

Ports

New in version 3.5.0.

List the opened ports of a system.

Field

Description

Example

Available

scan_id

Scan identifier

1618114744

All

scan_time

Scan date

2018/07/27 07:27:15

All

protocol

Protocol of the port

tcp

All

local_ip

Local IP

0.0.0.0

All

local_port

Local port

22

All

remote_ip

Remote IP

0.0.0.0

All

remote_port

Remote port

0

All

tx_queue

Packets pending to be transmitted

0

Linux

rx_queue

Packets at the receiver queue

0

Linux

inode

Inode of the port

16974

Linux

state

State of the port

listening

All

PID

PID owner of the opened port

4

Windows/macOS

process

Name of the PID

System

Windows/macOS

Processes

New in version 3.5.0.

List the current processes running in a system host.

Field

Description

Example

Available

scan_id

Scan identifier

215303769

All

scan_time

Scan date

2018/08/03 12:57:58

All

pid

PID of the process

603

All

name

Name of the process

rsyslogd

All

state

State of the process

S

Linux/macOS

ppid

PPID of the process

1

All

utime

Time spent executing user code

157

Linux

stime

Time spent executing system code

221

All

cmd

Command executed

/usr/sbin/rsyslogd

Linux/Windows

argvs

Arguments of the process

-n

Linux

euser

Effective user

root

Linux/macOS

ruser

Real user

root

Linux/macOS

suser

Saved-set user

root

Linux

egroup

Effective group

root

Linux

rgroup

Real group

root

Linux/macOS

sgroup

Saved-set group

root

Linux

fgroup

Filesystem group name

root

Linux

priority

Kernel scheduling priority

20

All

nice

Nice value of the process

0

Linux/macOS

size

Size of the process

53030

All

vm_size

Total VM size (KB)

212120

All

resident

Residen size of the process in bytes

902

Linux

share

Shared memory

814

Linux

start_time

Time when the process started

1893

Linux

pgrp

Process group

603

Linux

session

Session of the process

603

All

nlwp

Number of light weight processes

3

All

tgid

Thread Group ID

603

Linux

tty

Number of TTY of the process

0

Linux

processor

Number of the processor

0

Linux

Windows updates

New in version 3.11.0.

List the Windows updates installed on Windows agents, also known as hotfixes. They are used as feed for the Vulnerability detector to find out Windows vulnerabilities.

Field

Description

Example

Available

scan_id

Scan identifier

1618114744

Windows

scan_time

Scan date

2019/08/22 07:27:15

Windows

hotfix

Windows update ID

KB4489899

Windows

Compatibility matrix

The following table shows the operating systems that this module currently supports.

Operating System

Syscollector scan

Hardware

OS

Packages

Network

Ports

Processes

Hotfixes

Windows

Linux

macOS

FreeBSD

OpenBSD

Using Syscollector information to trigger alerts

Since Wazuh 3.9 version, Syscollector module information can be used to trigger alerts and show that information in the alerts' description.

To allow this configuration, in a rule declaration set the <decoded_as> field as syscollector.

As an example, this rule will be triggered when the interface eth0 of an agent is enabled and will show what IPv4 has that interface.

<rule id="100001" level="5">
  <if_sid>221</if_sid>
  <decoded_as>syscollector</decoded_as>
  <field name="netinfo.iface.name">eth0</field>
  <description>eth0 interface enabled. IP: $(netinfo.iface.ipv4.address)</description>
</rule>

Warning

The tag <if_sid>221</if_sid> is necessary because the events from Syscollector are muted by default with that rule.

When the alerts are triggered they will be displayed in Kibana this way:

New searchable fields for Kibana

In Elasticsearch the fields will be saved as data.type.value. For example, for Hardware type, the cpu_name field can be found as data.hardware.cpu_name

Type

Fields

Example

Hardware

cpu_name, cpu_cores, cpu_mhz, ram_total, ram_free, ram_usage

data.hardware.cpu_mhz

Operating System

architecture, name, version, codename, major, minor, build, platform, sysname, release, release_version

data.os.codename

Port

local_ip, local_port, remote_ip, remote_port, tx_queue, rx_queue, inode, state, pid, process

data.port.inode

Program

name, priority, section, size, vendor, install_time, version, architecture, multiarch, source, description, location

data.program.name

Process

name, state, ppid, utime, stime, cmd, args, euser, ruser, suser, egroup, sgroup, fgroup, rgroup, priority, nice, size, vm_size, resident, share, start_time, pgrp, session, nlwp, tgid, tty, processor

data.process.state

Network

mac, adapter, type, state, mtu, tx_bytes, rx_bytes, tx_errors, rx_errors, tx_dropped, rx_dropped, tx_packets, rx_packets, ipv4, ipv6

data.netinfo.iface.ipv4.address, data.netinfo.iface.mac

Hotfix

hotfix

data.hotfix

Use case: Visualize system inventory in the Wazuh app

The Syscollector module is enabled by default in all compatible systems including all the available scans. Here we can see the default configuration block:

<!-- System inventory -->
<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <scan_on_start>yes</scan_on_start>
  <hardware>yes</hardware>
  <os>yes</os>
  <network>yes</network>
  <packages>yes</packages>
  <ports all="no">yes</ports>
  <processes>yes</processes>
</wodle>

Once the module starts, it will run periodically scans and send the new data in JSON events format to the manager, where it will be decoded and stored into a particular database for each agent.

The current inventory can be consulted in different ways. Let's see an example querying for a particular package in a Debian agent:

  • Querying the Database directly on the manager side, located at $install_directory/queue/db/:agent_id.db.

# sqlite3 /var/ossec/queue/db/003.db
SQLite version 3.7.17 2013-05-20 00:56:22
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite>
sqlite> select * from sys_programs where name="wazuh-agent";
696614220|2018/08/06 02:07:30|deb|wazuh-agent|extra|admin|105546|Wazuh, Inc <support@wazuh.com>||3.5.0-1|amd64|||Wazuh helps you to gain security visibility into your infrastructure by monitoring hosts at an operating system and application level. It provides the following capabilities: log analysis, file integrity monitoring, intrusions detection and policy and compliance monitoring||0
# curl -k -X GET "https://localhost:55000/syscollector/003/packages?pretty=true&name=wazuh-agent" -H  "Authorization: Bearer $TOKEN"
{
    "data": {
        "affected_items": [
            {
                "vendor": "Wazuh, Inc <support@wazuh.com>",
                "description": "Wazuh helps you to gain security visibility into your infrastructure by monitoring hosts at an operating system and application level. It provides the following capabilities: log analysis, file integrity monitoring, intrusions detection and policy and compliance monitoring",
                "scan": {"id": 696614220, "time": "2018/08/06 02:07:30"},
                "section": "admin",
                "format": "deb",
                "name": "wazuh-agent",
                "priority": "extra",
                "version": "3.5.0-1",
                "architecture": "amd64",
                "size": 105546,
                "agent_id": "003",
            }
        ],
        "total_affected_items": 1,
        "total_failed_items": 0,
        "failed_items": [],
    },
    "message": "All specified syscollector information was returned",
    "error": 0,
}

Moreover, the same information can be consulted at the Wazuh app, which includes an Inventory tab for each agent. For now, there are available OS, hardware and packages inventories at this tab, which looks like the following screenshot:

The Dev tools tab is also available to query the Wazuh API directly from the Wazuh app as shown below:

You could find more information about how to configure this capability at the Syscollector configuration reference.