Available inventory fields

The Wazuh server stores the data collected by the Wazuh agents in separate databases for each agent. Each database contains tables for specific inventory information. In this section, you can find a description of the information in each table. The tables in the database are filled based on the scan configuration you have specified.

Hardware

The sys_hwinfo table in the inventory database stores basic information about the hardware components of an endpoint. The table below describes the fields in the database.

Field

Description

Example

Available

scan_id

Identifier for the last syscollector scan

573872577

All

scan_time

Scan date

2018/07/31 15:31:26

All

board_serial

Motherboard serial number

XDR840TUGM65E03171

All

cpu_name

CPU name

Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz

All

cpu_cores

Number of cores of the CPU

4

All

cpu_mhz

Current processor frequency

900.106

All

ram_total

Total RAM (KB)

16374572

All

ram_free

Free RAM (KB)

2111928

All

ram_usage

Percentage of RAM in use

87

All

checksum

Integrity synchronization value

503709147600c8e0023cf2b9995772280eee30

All

Operating system

The sys_osinfo system table in the inventory database stores information about the operating system of an endpoint. The table below describes the fields in the database.

Field

Description

Example

Available

scan_id

Identifier for the last syscollector scan

468455719

All

scan_time

Scan date

2018/07/31 15:31:26

All

hostname

Hostname of the machine

ag-ubuntu-16

All

architecture

OS architecture

x86_64

All

os_name

OS name

Ubuntu

All

os_version

OS version

16.04.5 LTS (Xenial Xerus)

All

os_codename

OS version codename

Xenial Xerus

All

os_major

Major release version

16

All

os_minor

Minor release version

04

All

os_patch

Patch release version

5

macOS

os_build

Optional build-specific

14393

Windows

os_release

Windows Release ID

SP2

Windows

os_display_version

Windows display version

20H2

Windows

os_platform

OS platform

ubuntu

All

sysname

System name

Linux

Linux

release

Release name

4.15.0-29-generic

Linux

version

Release version

#31~16.04.1-Ubuntu SMP Wed Jul 18 08:54:04 UTC 2018

All

checksum

Integrity synchronization value

503709147600c8e0023cf2b9995772280eee30

All

item_id

Unified primary key

94b6f7b3c1d905aae22a652448df6372da98e5b8

All

Packages

The sys_programs table in the inventory database stores information about the currently installed software on an endpoint. The Vulnerability Detector module uses information from this table to scan and detect vulnerable software. On Linux systems, the Syscollector module retrieves deb, rpm, pacman, npm, and pypi packages. The table below describes the fields in the database.

Field

Description

Example

Available

scan_id

Identifier for the last syscollector scan

1454946158

All

scan_time

Scan date

2018/07/27 07:27:14

All

format

Format of the package

deb

All

name

Name of the package

linux-headers-generic

All

priority

Priority of the package

optional

Linux (deb)

section

Section of the package

kernel

Linux (deb/rpm) and macOS (pkg)

size

Size of the installed package in bytes

14

Linux (deb/rpm/pacman)

vendor

Vendor name

Ubuntu Kernel Team

All

install_time

Install date and time of the package

2018/02/08 18:45:48

Linux (rpm/pacman) and Windows

version

Version of the package

4.4.0.130.136

All

architecture

Architecture of the package

amd64

All

multiarch

Multiarchitecture support

same

Linux (deb)

source

Source of the package

linux-meta

Linux (deb) and macOS (pkg)

description

Description of the package

Generic Linux kernel headers

Linux (deb/rpm/pacman) and macOS (pkg)

location

Location of the package

C:\Program Files\VMware\VMware Tools\

Windows and macOS (pkg)

checksum

Integrity synchronization value

78503709147600c8e0023cf2b9995772280eee30

All

item_id

Unified primary key

4323709147600c8e0023cf2b9995772280eef451

All

Network interfaces

The network interfaces scan retrieves information about the existing network interfaces of an endpoint (up and down interfaces) as well as their routing configuration. It comprises three tables to ensure the information is as structured as possible.

  • sys_netiface: This table contains packet transfer information about the interfaces on a monitored endpoint.

Field

Description

Example

Available

id

Id

1

All

scan_id

Scan identifier

160615720

All

scan_time

Scan date

2018/07/31 16:46:20

All

name

Interface name

eth0

All

adapter

Physical adapter name

Intel(R) PRO/1000 MT Desktop Adapter

Windows

type

Network adapter

ethernet

All

state

State of the interface

up

All

mtu

Maximum Transmission Unit

1500

All

mac

MAC Address

08:00:27:C0:14:A5

All

tx_packets

Transmitted packets

10034626

All

rx_packets

Received packets

12754

All

tx_bytes

Transmitted bytes

10034626

All

rx_bytes

Received bytes

1111175

All

tx_errors

Transmission errors

0

All

rx_errors

Reception errors

0

All

tx_dropped

Dropped transmission packets

0

All

rx_dropped

Dropped reception packets

0

All

checksum

Integrity synchronization value

8503709147600c8e0023cf2b9995772280eee30

All

item_id

Unified primary key

4323709147600c8e0023cf2b9995772280eef41

All

  • sys_netaddr: The entries in this table reference the interfaces in the sys_netiface table. The sys_netaddr table shows the IPv4 and IPv6 addresses associated with those interfaces.

Field

Description

Example

Available

id

Referenced id from sys_netiface

1

All

scan_id

Identifier for the last syscollector scan

160615720

All

proto

Protocol name

ipv4

All

address

IPv4/IPv6 address

192.168.1.87

All

netmask

Netmask address

255.255.255.0

All

broadcast

Broadcast address

192.168.1.255

All

checksum

Integrity synchronization value

78503709147600c8e0023cf2b9995772280eee30

All

item_id

Unified primary key

4323709147600c8e0023cf2b9995772280eef4

All

  • sys_netproto: The entries in this table reference the interfaces in the sys_netiface table. The sys_netproto table shows the routing configuration associated with those interfaces.

Field

Description

Example

Available

id

Referenced id from sys_netiface

1

All

scan_id

Identifier for the last syscollector scan

160615720

All

iface

Interface name

eth0

All

type

Protocol of the interface data

ipv4

All

gateway

Default gateway

192.168.1.1

Linux/Windows/macOS

dhcp

DHCP status

enabled

Linux/Windows

checksum

Integrity synchronization value

78503709147600c8e0023cf2b9995772280eee30

All

item_id

Unified primary key

4323709147600c8e0023cf2b9995772280eef4

All

Ports

The sys_ports table in the inventory database stores basic information about the open ports on a monitored endpoint. The table below describes the fields in the ports database.

Field

Description

Example

Available

scan_id

Identifier for the last syscollector scan

1618114744

All

scan_time

Scan date

2018/07/27 07:27:15

All

protocol

Protocol of the port

tcp

All

local_ip

Local IP address

0.0.0.0

All

local_port

Local port

22

All

remote_ip

Remote IP address

0.0.0.0

All

remote_port

Remote port

0

All

tx_queue

Packets pending to be transmitted

0

Linux

rx_queue

Packets at the receiver queue

0

Linux

inode

Inode of the port

16974

Linux

state

State of the port

listening

All

PID

PID owner of the opened port

4

All

process

Name of the PID

System

All

checksum

Integrity synchronization value

78503709147600c8e0023cf2b9995772280eee30

All

item_id

Unified primary key

4323709147600c8e0023cf2b9995772280eef412

All

Processes

The sys_processes table in the inventory database stores basic information about the current processes at the time of the last scan on a monitored endpoint. The table below describes the fields in the processes database table.

Field

Description

Example

Available

scan_id

Identifier for the last syscollector scan

215303769

All

scan_time

Scan date

2018/08/03 12:57:58

All

pid

PID of the process

603

All

name

Name of the process

rsyslogd

All

state

State of the process

S

Linux/macOS

ppid

PPID of the process

1

All

utime

Time spent executing user code

157

Linux

stime

Time spent executing system code

221

All

cmd

Command executed

/usr/sbin/rsyslogd

Linux/Windows

argvs

Arguments of the process

-n

Linux

euser

Effective user

root

Linux/macOS

ruser

Real user

root

Linux/macOS

suser

Saved-set user

root

Linux

egroup

Effective group

root

Linux

rgroup

Real group

root

Linux/macOS

sgroup

Saved-set group

root

Linux

fgroup

Filesystem group name

root

Linux

priority

Kernel scheduling priority

20

All

nice

Nice value of the process

0

Linux/macOS

size

Size of the process

53030

All

vm_size

Total VM size (KB)

212120

All

resident

Resident set size of the process (KB)

902

Linux

share

Shared memory

814

Linux

start_time

Time when the process started

1893

Linux

pgrp

Process group

603

Linux

session

Session of the process

603

All

nlwp

Number of light weight processes

3

All

tgid

Thread Group ID

603

Linux

tty

Number of TTY of the process

0

Linux

processor

Number of the processor

0

Linux

checksum

Integrity synchronization value

78503709147600c8e0023cf2b9995772280eee30

All

Windows updates

The sys_hotfixes table contains information about the updates installed on Windows endpoints. The Vulnerability Detector module uses the hotfix identifier to discover what vulnerabilities exist on Windows endpoints and the patches you have applied. The table below describes the fields in the sys_hotfixes table.

Field

Description

Example

Available

scan_id

Identifier for the last syscollector scan

1618114744

Windows

scan_time

Scan date

2019/08/22 07:27:15

Windows

hotfix

Windows update ID

KB4489899

Windows

checksum

Integrity synchronization value

78503709147600c8e0023cf2b9995772280eee30

Windows