Configuration
The Syscollector module is enabled by default on all endpoints where the Wazuh agent is installed. You can find the Syscollector configuration in the Wazuh agent configuration file at:
/var/ossec/etc/ossec.conf
for Linux endpoints.C:\Program Files (x86)\ossec-agent\ossec.conf
for Windows endpoints./Library/Ossec/ossec.conf
for macOS endpoints.
You can also use the centralized configuration file to make changes to the Syscollector module across multiple monitored endpoints that belong to the same agent group. For example, the default
group uses the configuration file, which you can find at /var/ossec/etc/shared/default/agent.conf
on the Wazuh server. Any setting done with the centralized configuration will take precedence over the local agent configuration.
The block below is the default Syscollector configuration present in the Wazuh agent configuration file:
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
<!-- Database synchronization settings -->
<synchronization>
<max_eps>10</max_eps>
</synchronization>
</wodle>
Where:
<disabled>
specifies whether the Syscollector module is enabled or not. The default value isno
. The allowed values areyes
andno
.
<interval>
specifies the time between system scans. The default value is 1 hour. The allowed value is a positive number that should contain a suffix character indicating a time unit, such ass
(seconds),m
(minutes),h
(hours), andd
(days).<scan_on_start>
initiates a system scan immediately after you restart the Wazuh service on the endpoint. The default value isyes
. The allowed values areyes
andno
.<hardware>
option enables or disables the hardware information collection by Syscollector. The default value isyes
. The allowed values areyes
andno
.<os>
option enables or disables the operating system scan. The default value isyes
. The allowed values areyes
andno
.<network>
enables or disables the network scan. The default value isyes
. The allowed values areyes
andno
.<packages>
enables or disables the scanning of packages with a default value ofyes
. The allowed values areyes
andno
.<ports all="no">
enables or disables the port scan. The default value isyes
. You can configure two allowed values ofyes
andno
. This option also accepts an additional parameterall
, with which you can restrict the scan to only listening ports using<ports all="no">
. If you want Syscollector to scan all ports, then you change the value toyes
.<processes>
enables or disables the scanning for running processes on a monitored endpoint. The default value isyes
. The allowed values areyes
andno
.<max_eps>
allows you to set the maximum event reporting throughput. The default value is 10, which signifies 10 events per second. The allowed value is an Integer number between 0 and 1000000.
In Windows systems, you can use the <hotfixes>
option. Check hotfixes for the details.
Note
Restart the agent when you make any changes to the configuration file. This ensures that the changes take effect.