Available inventory fields
The Wazuh server stores the data collected by the Wazuh agents in separate databases for each agent. Each database contains tables with distinct inventory information types, such as hardware, software, and network data. This inventory information is then forwarded to the Wazuh indexer, where it is consolidated for querying, visualization, and deeper analysis. The following section details the structure of the tables within the Wazuh server database and the corresponding indices in the Wazuh indexer. The data in these tables depends directly on the scan configuration defined for the Syscollector module.
Hardware
This scan collects baseline hardware information from monitored endpoints, including CPU, memory, and serial number. The data is stored in the sys_hwinfo table on the Wazuh server and is indexed in the Wazuh indexer under the wazuh-states-inventory-hardware-* indices.
The table below maps the fields from the sys_hwinfo table on the Wazuh server to their corresponding fields in the wazuh-states-inventory-hardware-* index on the Wazuh indexer.
| Syscollector field | Wazuh indexer field | Type | Description | Example | Available |
|---|---|---|---|---|---|
|  | N/A | N/A | Identifier for the last syscollector scan | 573872577 | All |
|  | N/A | N/A | Scan date | 2018/07/31 15:31:26 | All |
|  |  | keyword | Operating system architecture | x86_64 | All |
|  |  | ip | IP address of the agent | 192.168.33.1 | All |
|  |  | keyword | Name of the agent | wazuh | All |
|  |  | keyword | Agent version | v4.14.0 | All |
|  |  | keyword | Unique ID of the agent | 001 | All |
|  |  | keyword | Motherboard serial number | XDR840TUGM65E03171 | All |
|  |  | keyword | CPU name | Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz | All |
|  |  | short | Number of cores of the CPU | 4 | All |
|  |  | long | Current processor frequency | 2,420 | All |
|  |  | long | Total RAM | 3.9GB | All |
|  |  | long | Free RAM | 2.5GB | All |
| N/A |  | long | Used memory, in Bytes | 1.4GB | All |
|  |  | scaled_float | Percentage of RAM in use | 87 | All |
|  | N/A | N/A | Integrity synchronization value | 503709147600c8e0023cf2b9995772280eee30 | All |
|  |  | keyword | Wazuh cluster name | wazuh | All |
|  |  | keyword | Wazuh cluster node | node01 | All |
|  |  | keyword | Wazuh schema version | 1.0 | All |
Operating system
This scan collects system-level details about each monitored endpoint, including the operating system, version, hostname, and architecture. This data is stored in the sys_osinfo table on the Wazuh server and is indexed in the Wazuh indexer under the wazuh-states-inventory-system-* indices.
The table below maps the fields from the sys_osinfo table on the Wazuh server to their corresponding fields in the wazuh-states-inventory-system-* index on the Wazuh indexer.
| Syscollector field | Wazuh indexer field | Type | Description | Example | Available |
|---|---|---|---|---|---|
|  | N/A | N/A | Identifier for the last syscollector scan | 468455719 | All |
|  | N/A | N/A | Scan date | 2018/07/31 15:31:26 | All |
|  |  | keyword | Operating system architecture. | x86_64 | All |
|  |  | ip | IP address of the agent | 192.168.33.1 | All |
|  |  | keyword | Name of the agent | wazuh | All |
|  |  | keyword | Agent version | v4.14.0 | All |
|  |  | keyword | Unique ID of the agent | 001 | All |
|  |  | keyword | Hostname of the machine | ag-ubuntu-16 | All |
|  |  | keyword | OS architecture | x86_64 | All |
|  |  | keyword | OS name | Ubuntu | All |
|  |  | keyword | OS version | 16.04.5 LTS (Xenial Xerus) | All |
|  |  | keyword | OS version codename | Xenial Xerus | All |
|  |  | keyword | Major release version | 16 | All |
|  |  | keyword | Minor release version | 04 | All |
|  |  | keyword | Patch release version | 5 | macOS |
|  |  | keyword | Optional build-specific | 14393 | Windows |
|  |  | keyword | Windows Release ID | SP2 | Windows |
|  |  | keyword | Windows display version | 20H2 | Windows |
|  |  | keyword | OS platform | ubuntu | All |
|  |  | keyword | System name | Linux | Linux |
|  |  | keyword | Release name | 4.15.0-29-generic | Linux |
|  |  | keyword | Release version | #31~16.04.1-Ubuntu SMP Wed Jul 18 08:54:04 UTC 2018 | All |
|  | N/A | keyword | Integrity synchronization value | 503709147600c8e0023cf2b9995772280eee30 | All |
| N/A |  | keyword | Which commercial OS family (one of: linux, macos, unix, windows, ios or android) |  | All |
|  | N/A | keyword | Unified primary key | 94b6f7b3c1d905aae22a652448df6372da98e5b8 | All |
|  |  | keyword | Wazuh cluster name | wazuh | All |
|  |  | keyword | Wazuh cluster node | node01 | All |
|  |  | keyword | Wazuh schema version | 1.0 | All |
Packages
This scan collects details about the currently installed software on a monitored endpoint, including the package name, installation date, and version. The Vulnerability Detector module uses information from this table to scan and detect vulnerable software. On Linux systems, retrieved packages can be deb, pacman, or rpm. This data is stored in the sys_programs table on the Wazuh server and is indexed in the Wazuh indexer under the wazuh-states-inventory-packages-* indices.
The table below maps the fields from the sys_programs table on the Wazuh server database to their corresponding fields in the wazuh-states-inventory-packages-* index on the Wazuh indexer.
| Syscollector field | Wazuh indexer field | Type | Description | Example | Available |
|---|---|---|---|---|---|
|  | N/A | N/A | Identifier for the last syscollector scan | 1454946158 | All |
|  | N/A | N/A | Scan date | 2018/07/27 07:27:14 | All |
|  |  | keyword | Operating system architecture | x86_64 | All |
|  |  | ip | IP address of the agent | 192.168.33.1 | All |
|  |  | keyword | Name of the agent | wazuh | All |
|  |  | keyword | Agent version | v4.14.0 | All |
|  |  | keyword | Unique ID of the agent | 001 | All |
|  |  | keyword | Format of the package | deb | All |
|  |  | keyword | Name of the package | linux-headers-generic | All |
|  |  | keyword | Priority of the package | optional | Linux (deb) |
|  | N/A | N/A | Section of the package | kernel | Linux (deb/rpm) and macOS (pkg) |
|  |  | long | Size of the installed package in bytes | 14 | Linux (deb/rpm/pacman) |
|  |  | keyword | Vendor name | Ubuntu Kernel Team | All |
|  |  | date | Install date and time of the package | 2018/02/08 18:45:48 | Linux (rpm/pacman) |
|  |  | keyword | Version of the package | 4.4.0.130.136 | All |
|  |  | keyword | Architecture of the package | amd64 | All |
|  |  | keyword | Multiarchitecture support | same | Linux (deb) |
|  |  | keyword | Source of the package | linux-meta | Linux (deb/rpm) and macOS (pkg) |
|  |  | keyword | Description of the package | Generic Linux kernel headers | Linux (deb/rpm/pacman) and macOS (pkg) |
|  |  | keyword | Location of the package | C:\Program Files\VMware\VMware Tools\ | Windows and macOS (pkg) |
|  | N/A | N/A | Integrity synchronization value | 78503709147600c8e0023cf2b9995772280eee30 | All |
|  | N/A | N/A | Unified primary key | 4323709147600c8e0023cf2b9995772280eef451 | All |
|  |  | keyword | Wazuh cluster name | wazuh | All |
|  |  | keyword | Wazuh cluster node | node01 | All |
|  |  | keyword | Wazuh schema version | 1.0 | All |
Networks
The network scan retrieves information about the network configuration of a monitored endpoint. It includes details about the existing network interfaces (up and down interfaces), IP addresses, and the routing configuration. The information is organized into three categories of network scans, ensuring the data is structured and easy to interpret.
Network interfaces
This scan collects details about the network interfaces on monitored endpoints. This information is stored in the sys_netiface table on the Wazuh server and indexed in the Wazuh indexer under the wazuh-states-inventory-interfaces-* indices.
The table below maps the fields from the sys_netiface table on the Wazuh server database to their corresponding fields in the wazuh-states-inventory-interfaces-* index on the Wazuh indexer.
| Syscollector field | Wazuh indexer field | Type | Description | Example | Available |
|---|---|---|---|---|---|
|  | N/A | N/A | Identifier for the last syscollector scan | 160615720 | All |
|  | N/A | N/A | Scan date | 2018/07/31 16:46:20 | All |
|  |  | keyword | Operating system architecture. | x86_64 | All |
|  |  | ip | IP address of the agent | 192.168.33.1 | All |
|  |  | keyword | Name of the agent | wazuh | All |
|  |  | keyword | Agent version | v4.14.0 | All |
|  |  | keyword | Unique ID of the agent | 001 | All |
|  |  | keyword | Interface name | eth0 | All |
|  |  | keyword | Physical adapter name | Intel(R) PRO/1000 MT Desktop Adapter | Windows |
|  |  | keyword | Network interface adapter | ethernet | All |
|  |  | keyword | State of the interface | up | All |
|  |  | long | Maximum Transmission Unit | 1500 | All |
|  |  | keyword | MAC Address | 08:00:27:C0:14:A5 | All |
|  |  | long | Transmitted packets | 10034626 | All |
|  |  | long | Received packets | 12754 | All |
|  |  | long | Transmitted bytes | 10034626 | All |
|  |  | long | Received bytes | 1111175 | All |
|  |  | long | Transmission errors | 0 | All |
|  |  | long | Reception errors | 0 | All |
|  |  | long | Dropped transmission packets | 0 | All |
|  |  | long | Dropped reception packets | 0 | All |
|  | N/A | N/A | Integrity synchronization value | 8503709147600c8e0023cf2b9995772280eee30 | All |
|  | N/A | N/A | Unified primary key | 4323709147600c8e0023cf2b9995772280eef41 | All |
|  |  | keyword | Wazuh cluster name | wazuh | All |
|  |  | keyword | Wazuh cluster node | node01 | All |
|  |  | keyword | Wazuh schema version | 1.0 | All |
Network addresses
The network address scan collects information about the IPv4 and IPv6 addresses assigned to network interfaces on monitored endpoints. This information is stored in the sys_netaddr table on the Wazuh server and indexed in the Wazuh indexer under the wazuh-states-inventory-networks-* indices.
The table below maps the fields from the sys_netaddr table on the Wazuh server database to their corresponding fields in the wazuh-states-inventory-networks-* index on the Wazuh indexer.
| Syscollector field | Wazuh indexer field | Type | Description | Example | Available |
|---|---|---|---|---|---|
|  | N/A | N/A | Referenced ID from sys_netiface | 1 | All |
|  | N/A | N/A | Identifier for the last syscollector scan | 160615720 | All |
|  |  | keyword | Operating system architecture | x86_64 | All |
|  |  | ip | IP address of the agent | 192.168.33.1 | All |
|  |  | keyword | Name of the agent | wazuh | All |
|  |  | keyword | Agent version | v4.14.0 | All |
|  |  | keyword | Unique ID of the agent | 001 | All |
|  |  | keyword | Network interface name | eth0 | All |
|  |  | long | Interface metric for routing decisions |  | All |
|  |  | keyword | Protocol name | ipv4 | All |
|  |  | ip | IPv4/IPv6 address | 192.168.1.87 | All |
|  |  | ip | Netmask address | 255.255.255.0 | All |
|  |  | boolean | Indicates whether DHCP is enabled (yes/no). |  | All |
|  |  | ip | Broadcast address | 192.168.1.255 | All |
|  | N/A | N/A | Integrity synchronization value | 78503709147600c8e0023cf2b9995772280eee30 | All |
|  | N/A | N/A | Unified primary key | 4323709147600c8e0023cf2b9995772280eef4 | All |
|  |  | keyword | Wazuh cluster name | wazuh | All |
|  |  | keyword | Wazuh cluster node | node01 | All |
|  |  | keyword | Wazuh schema version | 1.0 | All |
Network protocols
This scan stores details about network routing and supported protocols for each interface on monitored endpoints, including protocol types, routing tables, and interface associations. This information is stored in the sys_netproto table on the Wazuh server and indexed in the Wazuh indexer under the wazuh-states-inventory-protocols-* indices.
The table below maps the fields from the sys_netproto table on the Wazuh server database to their corresponding fields in the wazuh-states-inventory-protocols-* index on the Wazuh indexer.
| Syscollector field | Wazuh indexer field | Type | Description | Example | Available |
|---|---|---|---|---|---|
|  | N/A | N/A | Referenced ID from sys_netiface | 1 | All |
|  | N/A | N/A | Identifier for the last syscollector scan | 160615720 | All |
|  |  | keyword | Operating system architecture. | x86_64 | All |
|  |  | ip | IP address of the agent | 192.168.33.1 | All |
|  |  | keyword | Name of the agent | wazuh | All |
|  |  | keyword | Agent version | v4.14.0 | All |
|  |  | keyword | Unique ID of the agent | 001 | All |
|  |  | keyword | Protocol of the interface data | ipv4 | All |
|  |  | ip | Default gateway | 192.168.1.1 | Linux/Windows/macOS |
|  |  | keyword | Interface name | eth0 | All |
|  |  | boolean | DHCP status | enabled | Linux/Windows |
|  |  | long | Routing metric value |  | All |
|  | N/A | N/A | Integrity synchronization value | 78503709147600c8e0023cf2b9995772280eee30 | All |
|  | N/A | N/A | Unified primary key | 4323709147600c8e0023cf2b9995772280eef4 | All |
|  |  | keyword | Wazuh cluster name | wazuh | All |
|  |  | keyword | Wazuh cluster node | node01 | All |
|  |  | keyword | Wazuh schema version | 1.0 | All |
Ports
This scan retrieves information about the open ports on a monitored endpoint, including the port number, port protocol, associated services, and listening states. This information is stored in the sys_ports table on the Wazuh server and indexed in the Wazuh indexer under the wazuh-states-inventory-ports-* indices.
The table below maps the fields from the sys_ports table on the Wazuh server database to their corresponding fields in the wazuh-states-inventory-ports-* index on the Wazuh indexer.
| Syscollector field | Wazuh indexer field | Type | Description | Example | Available |
|---|---|---|---|---|---|
|  | N/A | N/A | Identifier for the last syscollector scan | 1618114744 | All |
|  | N/A | N/A | Scan date | 2018/07/27 07:27:15 | All |
|  |  | keyword | Operating system architecture. | x86_64 | All |
|  |  | ip | IP address of the agent | 192.168.33.1 | All |
|  |  | keyword | Name of the agent | wazuh | All |
|  |  | keyword | Agent version | v4.14.0 | All |
|  |  | keyword | Unique ID of the agent | 001 | All |
|  |  | keyword | Protocol of the port | tcp | All |
|  |  | ip | Local IP address | 0.0.0.0 | All |
|  |  | long | Local port | 22 | All |
|  |  | ip | Remote IP address | 0.0.0.0 | All |
|  |  | long | Remote port | 0 | All |
|  |  | long | Packets pending to be transmitted | 0 | Linux |
|  |  | long | Packets at the receiver queue | 0 | Linux |
|  |  | keyword | Inode of the port | 16974 | Linux |
|  |  | keyword | State of the port | listening | All |
|  |  | long | PID owner of the opened port | 4 | Windows/macOS |
|  |  | keyword | Name of the process using the port | System | Windows/macOS |
|  | N/A | N/A | Integrity synchronization value | 78503709147600c8e0023cf2b9995772280eee30 | All |
|  | N/A | N/A | Unified primary key | 4323709147600c8e0023cf2b9995772280eef412 | All |
|  |  | keyword | Wazuh cluster name | wazuh | All |
|  |  | keyword | Wazuh cluster node | node01 | All |
|  |  | keyword | Wazuh schema version | 1.0 | All |
Processes
The processes scan collects details about processes running on monitored endpoints, including the process name, process ID (PID), and the associated user. This information is stored in the sys_processes table on the Wazuh server and indexed in the Wazuh indexer under the wazuh-states-inventory-processes-* indices.
The table below maps the fields from the sys_processes table on the Wazuh server database to their corresponding fields in the wazuh-states-inventory-processes-* index on the Wazuh indexer.
| Syscollector field | Wazuh indexer field | Type | Description | Example | Available |
|---|---|---|---|---|---|
|  | N/A | N/A | Identifier for the last syscollector scan | 215303769 | All |
|  | N/A | N/A | Scan date | 2018/08/03 12:57:58 | All |
|  |  | keyword | Operating system architecture. | x86_64 | All |
|  |  | ip | IP address of the agent | 192.168.33.1 | All |
|  |  | keyword | Name of the agent | wazuh | All |
|  |  | keyword | Agent version | v4.14.0 | All |
|  |  | keyword | Unique ID of the agent | 001 | All |
|  |  | long | PID of the process | 603 | All |
|  |  | keyword | Name of the process | rsyslogd | All |
|  |  | keyword | State of the process | S | Linux/macOS |
|  |  | long | PPID of the process | 1 | All |
|  |  | long | Time spent executing user code | 157 | Linux |
|  |  | long | Time spent executing system code | 221 | All |
|  |  | keyword | Command executed | /usr/sbin/rsyslogd | Linux/Windows |
|  |  | keyword | Arguments of the process | -n | Linux |
|  | N/A | N/A | Effective user | root | Linux/macOS |
|  | N/A | N/A | Real user | root | Linux/macOS |
|  | N/A | N/A | Saved-set user | root | Linux |
|  | N/A | N/A | Effective group | root | Linux |
|  | N/A | N/A | Real group | root | Linux/macOS |
|  | N/A | N/A | Saved-set group | root | Linux |
|  | N/A | N/A | Filesystem group name | root | Linux |
|  | N/A | N/A | Kernel scheduling priority | 20 | All |
|  | N/A | N/A | Nice value of the process | 0 | Linux/macOS |
|  | N/A | N/A | Size of the process | 53030 | All |
|  | N/A | N/A | Total VM size (KB) | 212120 | All |
|  | N/A | N/A | Resident set size of the process in bytes | 902 | Linux |
|  | N/A | N/A | Shared memory | 814 | Linux |
|  |  | date | Time when the process started | 1893 | Linux |
|  | N/A | N/A | Process group | 603 | Linux |
|  | N/A | N/A | Session of the process | 603 | All |
|  | N/A | N/A | Number of light weight processes | 3 | All |
|  | N/A | N/A | Thread Group ID | 603 | Linux |
|  | N/A | N/A | Number of TTY of the process | 0 | Linux |
|  | N/A | N/A | Number of the processor | 0 | Linux |
|  | N/A | N/A | Integrity synchronization value | 78503709147600c8e0023cf2b9995772280eee30 | All |
|  |  | keyword | Wazuh cluster name | wazuh | All |
|  |  | keyword | Wazuh cluster node | node01 | All |
|  |  | keyword | Wazuh schema version | 1.0 | All |
Windows updates
This scan collects details about the updates installed on Windows endpoints. The Vulnerability Detector module uses the hotfix identifier to discover what vulnerabilities exist on Windows endpoints and the patches you have applied. This information is stored in the sys_hotfixes table on the Wazuh server and indexed in the Wazuh indexer under the wazuh-states-inventory-hotfixes-* indices.
The table below maps the fields from the sys_hotfixes table on the Wazuh server database to their corresponding fields in the wazuh-states-inventory-hotfixes-* index on the Wazuh indexer.
| Syscollector field | Wazuh indexer field | Type | Description | Example | Available |
|---|---|---|---|---|---|
|  | N/A | N/A | Identifier for the last syscollector scan | 1618114744 | Windows |
|  | N/A | N/A | Scan date | 2019/08/22 07:27:15 | Windows |
|  |  | keyword | Operating system architecture. | x86_64 | All |
|  |  | ip | IP address of the agent | 192.168.33.1 | All |
|  |  | keyword | Name of the agent | wazuh | All |
|  |  | keyword | Agent version | v4.14.0 | All |
|  |  | keyword | Unique ID of the agent | 001 | All |
|  |  | keyword | Name or identifier of the applied hotfix | KB4489899 | Windows |
|  | N/A | N/A | Integrity synchronization value | 78503709147600c8e0023cf2b9995772280eee30 | Windows |
|  |  | keyword | Wazuh cluster name | wazuh | All |
|  |  | keyword | Wazuh cluster node | node01 | All |
|  |  | keyword | Wazuh schema version | 1.0 | All |
Users
This scan collects user account information on monitored endpoints, including username, login status, and ID. The data is stored in the sys_users table on the Wazuh server and is indexed in the Wazuh indexer under the wazuh-states-inventory-users-* indices.
The table below maps the fields from the sys_users table on the Wazuh server to their corresponding fields in the wazuh-states-inventory-users-* index on the Wazuh indexer.
| Syscollector field | Wazuh indexer field | Type | Description | Example | Available |
|---|---|---|---|---|---|
|  | N/A | N/A | Identifier for the last syscollector scan | 573872577 | All |
|  | N/A | N/A | Scan date | 2018/07/31 15:31:26 | All |
|  |  | keyword | Operating system architecture | x86_64 | All |
|  |  | ip | IP address of the agent | 192.168.33.1 | All |
|  |  | keyword | Name of the agent | wazuh | All |
|  |  | keyword | Agent version | v4.14.0 | All |
|  |  | keyword | Unique ID of the agent | 001 | All |
|  |  | ip | Host ip addresses | 192.168.1.2 | All |
|  |  | boolean | Whether the login was successful or the user is currently logged in | true | All |
|  |  | keyword | Terminal associated with the login session (e.g., pts/1) | pts/1 | All |
|  |  | keyword | Type of login session. Example values: "user", "system", "remote" | user | All |
|  |  | long | Process id | 4242 | All |
|  |  | integer | Number of failed authentication attempts | 3 | macOS |
|  |  | date | Timestamp of the last authentication failure | 1714067165.0 | macOS |
|  |  | date | Datetime when the user was created | 2024-04-25T10:15:05.707Z | macOS |
|  |  | keyword | User's full name, if available | Albert Einstein | All |
|  |  | unsigned_long | Group ID | 1001 | All |
|  |  | long | Signed group ID | 1001 | All |
|  |  | keyword | List of groups the user belongs to | Test,Default,Sudo | All |
|  |  | keyword | Home directory of the user | /home/wazuh | All |
|  |  | keyword | Unique identifier of the user | S-1-5-21-202424912787-2692429404-2351956786-1000 | All |
|  |  | boolean | Whether the user is hidden | false | macOS |
|  |  | boolean | Whether the user is remote | true | Linux |
|  |  | date | Date of the last login | 2025-05-21T12:10:04Z | All |
|  |  | keyword | Short name or login of the user | a.einstein | All |
|  |  | date | Password expiration date (epoch) | 1 | Linux |
|  |  | keyword | Algorithm used to hash the password | 6 | Linux |
|  |  | integer | Number of days of inactivity before disabling the password | 1 | Linux |
|  |  | date | Last time the password was changed (Unix epoch) | 1714057168.4795 | Linux, macOS |
|  |  | integer | Maximum days between password changes | 99999 | Linux |
|  |  | integer | Minimum days between password changes | 0 | Linux |
|  |  | keyword | Password status (e.g., active) | active | Linux |
|  |  | integer | Days before expiration to warn user | 7 | Linux |
|  |  | keyword | Roles assigned to the user | sudo | Linux, macOS |
|  |  | keyword | Shell used by the user | /bin/bash | All |
|  |  | keyword | Type of user (e.g., "system", "regular") | local | Windows |
|  |  | long | Signed user ID | 1001 | All |
|  |  | keyword | UUID (macOS) or SID (Windows) | D883AD4F-AF58-4BA6-AE07... | macOS, Windows |
|  |  | keyword | Wazuh cluster name | wazuh | All |
|  |  | keyword | Wazuh cluster node | node01 | All |
|  |  | keyword | Wazuh schema version | 1.0 | All |
Groups
This scan collects details about user account groups on monitored endpoints, such as group identifiers, names, and associated users. The data is stored in the sys_groups table on the Wazuh server and is indexed in the Wazuh indexer under the wazuh-states-inventory-groups-* indices.
The table below maps the fields from the sys_groups table on the Wazuh server to their corresponding fields in the wazuh-states-inventory-groups-* index on the Wazuh indexer.
| Syscollector field | Wazuh indexer field | Type | Description | Example | Available |
|---|---|---|---|---|---|
|  | N/A | N/A | Identifier for the last syscollector scan | 573872577 | All |
|  | N/A | N/A | Scan date | 2018/07/31 15:31:26 | All |
|  |  | keyword | Operating system architecture | x86_64 | All |
|  |  | ip | IP address of the agent | 192.168.33.1 | All |
|  |  | keyword | Name of the agent | wazuh | All |
|  |  | keyword | Agent version | v4.14.0 | All |
|  |  | keyword | Unique ID of the agent | 001 | All |
|  |  | keyword | Description of the group | Administrative group | macOS, Windows |
|  |  | unsigned_long | Unsigned Group ID | 80 | All |
|  |  | long | Signed Group ID | -80 | All |
|  |  | boolean | Whether the group is hidden | false | All |
|  |  | keyword | Name of the group | admin | All |
|  |  | keyword | List of users that belong to the group | alice | All |
|  |  | keyword | Unique group ID | S-1-5-21-3623811015-... | Windows |
|  |  | keyword | Wazuh cluster name | wazuh | All |
|  |  | keyword | Wazuh cluster node | node01 | All |
|  |  | keyword | Wazuh schema version | 1.0 | All |
Services
This scan collects service information from monitored endpoints, including service name, description, and state. The data is stored in the sys_services table on the Wazuh server and is indexed in the Wazuh indexer under the wazuh-states-inventory-services-* indices.
The table below maps the fields from the sys_services table on the Wazuh server to their corresponding fields in the wazuh-states-inventory-services-* index on the Wazuh indexer.
| Syscollector field | Wazuh indexer field | Type | Description | Example | Available |
|---|---|---|---|---|---|
|  | N/A | N/A | Identifier for the last syscollector scan | 573872577 | All |
|  | N/A | N/A | Scan date | 2018/07/31 15:31:26 | All |
|  |  | keyword | Operating system architecture | x86_64 | All |
|  |  | ip | IP address of the agent | 192.168.33.1 | All |
|  |  | keyword | Name of the agent | wazuh | All |
|  |  | keyword | Agent version | v4.14.0 | All |
|  |  | keyword | Unique ID of the agent | 001 | All |
|  |  | keyword | Full path to the log file this event came from | /var/log/fun-times.log | All |
|  |  | keyword | Full path to the file, including the file name | /home/alice/example.png | Linux / macOS |
|  |  | keyword | Full path to the log file this event came from | /var/log/fun-times.log | macOS |
|  |  | keyword | Array of process arguments | ["/usr/bin/ssh", "-l", "user", "10.0.0.16"] | macOS |
|  |  | keyword | Absolute path to the process executable | /usr/bin/ssh | All |
|  |  | keyword | Name of the group | admin | macOS |
|  |  | long | Process id | 4242 | All |
|  |  | keyword | Chroot directory before execution |  | macOS |
|  |  | keyword | Short name or login of the user | a.einstein | All |
|  |  | keyword | The working directory of the process | /home/alice | macOS |
|  |  | keyword | Path to the service DLL (ServiceDll) | 172.26.0.2:5432 | Windows |
|  |  | keyword | Description of the service | Apache HTTP Server | Windows / Linux |
|  |  | keyword | Whether the unit file is enabled, masked, disabled, etc | enabled | Linux / macOS |
|  |  | integer | Service-specific exit code on failure | 0 | Windows |
|  |  | integer | Service-specific exit code on failure | 0 | Windows |
|  |  | long | Frequency in seconds at which the service is run | 3600 | macOS |
|  |  | keyword | Unique identifier of the running service | d37e5ebfe0ae6c4972dbe9f0174a1637bb8247f6 | All |
|  |  | boolean | Run job as if launched from inetd | FALSE | macOS |
|  |  | keyword | Name of the service | elasticsearch-metrics | Windows / macOS |
|  |  | keyword | D-Bus object path of the service | /org/freedesktop/systemd1/unit/apache2_2eservice | Linux |
|  |  | keyword | Restart policy for the service, e.g. always, on-failure, never | on-failure | macOS |
|  |  | keyword | Service start type: BOOT_START, SYSTEM_START, AUTO_START, DEMAND_START, DISABLED | AUTO_START | Windows / macOS |
|  |  | boolean | Launches every time a filesystem is mounted | TRUE | macOS |
|  |  | keyword | Launches when directories become non-empty | [/var/spool/mail, /tmp/uploads] | macOS |
|  |  | keyword | Launches on path modification | ['/var/log', '/etc/config'] | macOS |
|  |  | keyword | Current state of the service. | inactive | All |
|  |  | keyword | The low-level unit activation state, values depend on unit type | running | All |
|  |  | keyword | Address of this service | / | Linux |
|  |  | keyword | Ephemeral identifier of this service | 8a4f500f | Linux |
|  |  | keyword | The type of the service | notify | Linux |
|  |  | keyword | The type of the service | SHARE_PROCESS | Windows / macOS |
|  |  | integer | Win32 exit code on start/stop | 0 | Windows |
|  |  | keyword | Wazuh cluster name | wazuh | All |
|  |  | keyword | Wazuh cluster node name | node01 | All |
|  |  | keyword | Wazuh schema version | 1.0 | All |
Browser extensions
This scan collects browser extension details from monitored endpoints, including browser name, extension description, and status. The data is stored in the sys_browser_extensions table on the Wazuh server and is indexed in the Wazuh indexer under the wazuh-states-inventory-browser-extensions-* indices.
The table below maps the fields from the sys_browser_extensions table on the Wazuh server to their corresponding fields in the wazuh-states-inventory-browser-extensions-* index on the Wazuh indexer.
| Syscollector field | Wazuh indexer field | Type | Description | Example | Browser / OS |
|---|---|---|---|---|---|
|  | N/A | N/A | Identifier for the last syscollector scan | 573872577 | All |
|  | N/A | N/A | Scan date | 2018/07/31 15:31:26 | All |
|  |  | keyword | Operating system architecture | x86_64 | All |
|  |  | ip | IP address of the agent | 192.168.33.1 | All |
|  |  | keyword | Name of the agent | wazuh | All |
|  |  | keyword | Agent version | v4.14.0 | All |
|  |  | keyword | Unique ID of the agent | 001 | All |
|  |  | keyword | Name of the browser. Valid values: chrome, chromium, opera, yandex, brave, edge, edge_beta. | chrome | All |
|  |  | keyword | Name of the browser profile | default | Chrome |
|  |  | keyword | Path to the browser profile | /home/user/.config/google-chrome/Default | Chrome |
|  |  | boolean | Indicates if the extension is referenced by the Preferences file of the browser profile | TRUE | Chrome |
|  |  | keyword | SHA256 hash | 848f07be3c32aa5a4f23670b99b48ff34e7c9eb51af137d61832feb244ba6132 | Chrome |
|  |  | boolean | Indicates if the browser extension is set to auto-update. | TRUE | Firefox |
|  |  | keyword | Build version information | 36f4f7e89dd61b0988b12ee000b98966867710cd | Safari |
|  |  | keyword | Description of the package | Open source programming language to build simple/reliable/efficient software | All |
|  |  | boolean | Indicates if the browser extension is enabled | TRUE | Chrome, Firefox |
|  |  | boolean | Indicates if the browser extension was installed from a webstore | TRUE | Chrome |
|  |  | keyword | Unique identifier for the browser extension | com.example.extension | All |
|  |  | date | Time when package was installed | Oct 22, 2025 @ 18:16:37.000 | Chrome |
|  |  | keyword | Package name | Data Leak Blocker | All |
|  |  | keyword | Path where the package is installed | /usr/local/Cellar/go/1.12.9/ | All |
|  |  | keyword | Permissions required by the browser extension | ["tabs", "storage"] | Chrome |
|  |  | boolean | Indicates if the browser extension is persistent across tabs | TRUE | Chrome |
|  |  | keyword | Package home page or reference URL |  | Chrome |
|  |  | keyword | Package type | theme | Firefox |
|  |  | keyword | Vendor, author or creator of the browser extension | Example Inc. | Chrome, Firefox, Safari |
|  |  | keyword | Package version | 1.12.9 | All |
|  |  | boolean | Indicates if the browser extension is visible in the toolbar. | TRUE | Firefox |
|  |  | keyword | Unique identifier of the user | S-1-5-21-202424912787-2692429404-2351956786-1000 | All except IE |
|  |  | keyword | Wazuh cluster name | wazuh | All |
|  |  | keyword | Wazuh cluster node name | node01 | All |
|  |  | keyword | Wazuh schema version | 1.0 | All |