Available inventory fields
The Wazuh server stores the data collected by the Wazuh agents in separate databases for each agent. Each database contains tables for specific inventory information. In this section, you can find a description of the information in each table. The tables in the database are filled based on the scan configuration you have specified.
Hardware
The sys_hwinfo table in the inventory database stores basic information about the hardware components of an endpoint. The table below describes the fields in the database.
| Field | Description | Example | Available |
|---|---|---|---|
|  | Identifier for the last syscollector scan | 573872577 | All |
|  | Scan date | 2018/07/31 15:31:26 | All |
|  | Motherboard serial number | XDR840TUGM65E03171 | All |
|  | CPU name | Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz | All |
|  | Number of cores of the CPU | 4 | All |
|  | Current processor frequency | 900.106 | All |
|  | Total RAM (KB) | 16374572 | All |
|  | Free RAM (KB) | 2111928 | All |
|  | Percentage of RAM in use | 87 | All |
|  | Integrity synchronization value | 503709147600c8e0023cf2b9995772280eee30 | All |
Operating system
The sys_osinfo system table in the inventory database stores information about the operating system of an endpoint. The table below describes the fields in the database.
| Field | Description | Example | Available |
|---|---|---|---|
|  | Identifier for the last syscollector scan | 468455719 | All |
|  | Scan date | 2018/07/31 15:31:26 | All |
|  | Hostname of the machine | ag-ubuntu-16 | All |
|  | OS architecture | x86_64 | All |
|  | OS name | Ubuntu | All |
|  | OS version | 16.04.5 LTS (Xenial Xerus) | All |
|  | OS version codename | Xenial Xerus | All |
|  | Major release version | 16 | All |
|  | Minor release version | 04 | All |
|  | Patch release version | 5 | macOS |
|  | Optional build-specific | 14393 | Windows |
|  | Windows Release ID | SP2 | Windows |
|  | Windows display version | 20H2 | Windows |
|  | OS platform | ubuntu | All |
|  | System name | Linux | Linux |
|  | Release name | 4.15.0-29-generic | Linux |
|  | Release version | #31~16.04.1-Ubuntu SMP Wed Jul 18 08:54:04 UTC 2018 | All |
|  | Integrity synchronization value | 503709147600c8e0023cf2b9995772280eee30 | All |
|  | Unified primary key | 94b6f7b3c1d905aae22a652448df6372da98e5b8 | All |
Packages
The sys_programs table in the inventory database stores information about the currently installed software on an endpoint. The Vulnerability Detector module uses information from this table to scan and detect vulnerable software. On Linux systems, the Syscollector module retrieves deb, rpm, pacman, npm, and pypi packages. The table below describes the fields in the database.
| Field | Description | Example | Available |
|---|---|---|---|
|  | Identifier for the last syscollector scan | 1454946158 | All |
|  | Scan date | 2018/07/27 07:27:14 | All |
|  | Format of the package | deb | All |
|  | Name of the package | linux-headers-generic | All |
|  | Priority of the package | optional | Linux (deb) |
|  | Section of the package | kernel | Linux (deb/rpm) and macOS (pkg) |
|  | Size of the installed package in bytes | 14 | Linux (deb/rpm/pacman) |
|  | Vendor name | Ubuntu Kernel Team | All |
|  | Install date and time of the package | 2018/02/08 18:45:48 | Linux (rpm/pacman) and Windows |
|  | Version of the package | 4.4.0.130.136 | All |
|  | Architecture of the package | amd64 | All |
|  | Multiarchitecture support | same | Linux (deb) |
|  | Source of the package | linux-meta | Linux (deb) and macOS (pkg) |
|  | Description of the package | Generic Linux kernel headers | Linux (deb/rpm/pacman) and macOS (pkg) |
|  | Location of the package | C:\Program Files\VMware\VMware Tools\ | Windows and macOS (pkg) |
|  | Integrity synchronization value | 78503709147600c8e0023cf2b9995772280eee30 | All |
|  | Unified primary key | 4323709147600c8e0023cf2b9995772280eef451 | All |
Network interfaces
The network interfaces scan retrieves information about the existing network interfaces of an endpoint (up and down interfaces) as well as their routing configuration. It comprises three tables to ensure the information is as structured as possible.
sys_netiface: This table contains packet transfer information about the interfaces on a monitored endpoint.
| Field | Description | Example | Available |
|---|---|---|---|
|  | Id | 1 | All |
|  | Scan identifier | 160615720 | All |
|  | Scan date | 2018/07/31 16:46:20 | All |
|  | Interface name | eth0 | All |
|  | Physical adapter name | Intel(R) PRO/1000 MT Desktop Adapter | Windows |
|  | Network adapter | ethernet | All |
|  | State of the interface | up | All |
|  | Maximum Transmission Unit | 1500 | All |
|  | MAC Address | 08:00:27:C0:14:A5 | All |
|  | Transmitted packets | 10034626 | All |
|  | Received packets | 12754 | All |
|  | Transmitted bytes | 10034626 | All |
|  | Received bytes | 1111175 | All |
|  | Transmission errors | 0 | All |
|  | Reception errors | 0 | All |
|  | Dropped transmission packets | 0 | All |
|  | Dropped reception packets | 0 | All |
|  | Integrity synchronization value | 8503709147600c8e0023cf2b9995772280eee30 | All |
|  | Unified primary key | 4323709147600c8e0023cf2b9995772280eef41 | All |
sys_netaddr: The entries in this table reference the interfaces in the sys_netiface table. The sys_netaddr table shows the IPv4 and IPv6 addresses associated with those interfaces.
| Field | Description | Example | Available |
|---|---|---|---|
|  | Referenced id from sys_netiface | 1 | All |
|  | Identifier for the last syscollector scan | 160615720 | All |
|  | Protocol name | ipv4 | All |
|  | IPv4/IPv6 address | 192.168.1.87 | All |
|  | Netmask address | 255.255.255.0 | All |
|  | Broadcast address | 192.168.1.255 | All |
|  | Integrity synchronization value | 78503709147600c8e0023cf2b9995772280eee30 | All |
|  | Unified primary key | 4323709147600c8e0023cf2b9995772280eef4 | All |
sys_netproto: The entries in this table reference the interfaces in the sys_netiface table. The sys_netproto table shows the routing configuration associated with those interfaces.
| Field | Description | Example | Available |
|---|---|---|---|
|  | Referenced id from sys_netiface | 1 | All |
|  | Identifier for the last syscollector scan | 160615720 | All |
|  | Interface name | eth0 | All |
|  | Protocol of the interface data | ipv4 | All |
|  | Default gateway | 192.168.1.1 | Linux/Windows/macOS |
|  | DHCP status | enabled | Linux/Windows |
|  | Integrity synchronization value | 78503709147600c8e0023cf2b9995772280eee30 | All |
|  | Unified primary key | 4323709147600c8e0023cf2b9995772280eef4 | All |
Ports
The sys_ports table in the inventory database stores basic information about the open ports on a monitored endpoint. The table below describes the fields in the ports database.
| Field | Description | Example | Available |
|---|---|---|---|
|  | Identifier for the last syscollector scan | 1618114744 | All |
|  | Scan date | 2018/07/27 07:27:15 | All |
|  | Protocol of the port | tcp | All |
|  | Local IP address | 0.0.0.0 | All |
|  | Local port | 22 | All |
|  | Remote IP address | 0.0.0.0 | All |
|  | Remote port | 0 | All |
|  | Packets pending to be transmitted | 0 | Linux |
|  | Packets at the receiver queue | 0 | Linux |
|  | Inode of the port | 16974 | Linux |
|  | State of the port | listening | All |
|  | PID owner of the opened port | 4 | All |
|  | Name of the PID | System | All |
|  | Integrity synchronization value | 78503709147600c8e0023cf2b9995772280eee30 | All |
|  | Unified primary key | 4323709147600c8e0023cf2b9995772280eef412 | All |
Processes
The sys_processes table in the inventory database stores basic information about the current processes at the time of the last scan on a monitored endpoint. The table below describes the fields in the processes database table.
| Field | Description | Example | Available |
|---|---|---|---|
|  | Identifier for the last syscollector scan | 215303769 | All |
|  | Scan date | 2018/08/03 12:57:58 | All |
|  | PID of the process | 603 | All |
|  | Name of the process | rsyslogd | All |
|  | State of the process | S | Linux/macOS |
|  | PPID of the process | 1 | All |
|  | Time spent executing user code | 157 | Linux |
|  | Time spent executing system code | 221 | All |
|  | Command executed | /usr/sbin/rsyslogd | Linux/Windows |
|  | Arguments of the process | -n | Linux |
|  | Effective user | root | Linux/macOS |
|  | Real user | root | Linux/macOS |
|  | Saved-set user | root | Linux |
|  | Effective group | root | Linux |
|  | Real group | root | Linux/macOS |
|  | Saved-set group | root | Linux |
|  | Filesystem group name | root | Linux |
|  | Kernel scheduling priority | 20 | All |
|  | Nice value of the process | 0 | Linux/macOS |
|  | Size of the process | 53030 | All |
|  | Total VM size (KB) | 212120 | All |
|  | Resident set size of the process (KB) | 902 | Linux |
|  | Shared memory | 814 | Linux |
|  | Time when the process started | 1893 | Linux |
|  | Process group | 603 | Linux |
|  | Session of the process | 603 | All |
|  | Number of light weight processes | 3 | All |
|  | Thread Group ID | 603 | Linux |
|  | Number of TTY of the process | 0 | Linux |
|  | Number of the processor | 0 | Linux |
|  | Integrity synchronization value | 78503709147600c8e0023cf2b9995772280eee30 | All |
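An added example (not part of the Wazuh documentation or code): joining the open-ports inventory with the process inventory lists every listening socket bound to all interfaces together with the command and effective user behind it. The column names, the in-memory SQLite database and the sample rows are assumptions constructed for illustration; check the names against the agent database you query.

```python
import sqlite3

# Assumed column names: a reduced, illustrative subset of the two tables.
SCHEMA = """
CREATE TABLE sys_ports (scan_id INTEGER, protocol TEXT, local_ip TEXT,
    local_port INTEGER, state TEXT, pid INTEGER, process TEXT);
CREATE TABLE sys_processes (scan_id INTEGER, pid INTEGER, name TEXT,
    cmd TEXT, euser TEXT);
"""

# Constructed sample rows, modeled on the example values in the tables above.
PORTS = [
    (1618114744, "tcp", "0.0.0.0", 22, "listening", 812, "sshd"),
    (1618114744, "tcp", "127.0.0.1", 5432, "listening", 950, "postgres"),
    (1618114744, "tcp6", "::", 8080, "listening", 1204, "python3"),
    (1618114744, "tcp", "192.168.1.87", 22, "established", 812, "sshd"),
    # Owning PID is absent from the process scan (process exited between scans).
    (1618114744, "tcp", "0.0.0.0", 9000, "listening", 4321, ""),
]
PROCESSES = [
    (215303769, 603, "rsyslogd", "/usr/sbin/rsyslogd", "root"),
    (215303769, 812, "sshd", "/usr/sbin/sshd", "root"),
    (215303769, 950, "postgres", "/usr/lib/postgresql/bin/postgres", "postgres"),
    (215303769, 1204, "python3", "/usr/bin/python3", "www-data"),
]

WILDCARD_BINDS = ("0.0.0.0", "::")  # IPv4 and IPv6 "all interfaces"


def build_inventory():
    """Create the in-memory stand-in for one agent's inventory database."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO sys_ports VALUES (?,?,?,?,?,?,?)", PORTS)
    db.executemany("INSERT INTO sys_processes VALUES (?,?,?,?,?)", PROCESSES)
    return db


def exposed_listeners(db, allowed_ports=()):
    """Listening sockets bound to every interface, minus an allow-list of ports.

    LEFT JOIN keeps ports whose PID has no process row, so they surface with
    cmd and euser set to None instead of silently disappearing.
    """
    rows = db.execute(
        """SELECT p.protocol, p.local_port, p.process, pr.cmd, pr.euser
           FROM sys_ports p LEFT JOIN sys_processes pr ON pr.pid = p.pid
           WHERE p.state = 'listening' AND p.local_ip IN (?, ?)
           ORDER BY p.local_port""", WILDCARD_BINDS).fetchall()
    return [r for r in rows if r[1] not in allowed_ports]
```

Rows that come back with no command or user are worth a second look, because the port and process scans run at different times and the owner may no longer exist.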
Windows updates
The sys_hotfixes table contains information about the updates installed on Windows endpoints. The Vulnerability Detector module uses the hotfix identifier to discover what vulnerabilities exist on Windows endpoints and the patches you have applied. The table below describes the fields in the sys_hotfixes table.
| Field | Description | Example | Available |
|---|---|---|---|
|  | Identifier for the last syscollector scan | 1618114744 | Windows |
|  | Scan date | 2019/08/22 07:27:15 | Windows |
|  | Windows update ID | KB4489899 | Windows |
|  | Integrity synchronization value | 78503709147600c8e0023cf2b9995772280eee30 | Windows |