Using Syscollector information to trigger alerts

You can create rules to trigger alerts based on the information collected by the Syscollector module and display this information in the alert's description. Syscollector uses the rule ID 221, and the rule level is 0, so by default, it is not shown on the Wazuh dashboard. To see Syscollector searchable fields on the Wazuh dashboard, you need a custom rule that inherits the Syscollector rule ID.

Create a custom rule that uses the built-in Syscollector rule 221

You must create custom rules that inherit from the parent rule ID 221 with a severity level of 3 or higher. For example, the custom rules in the /var/ossec/etc/rules/local_rules.xml file below are triggered when a port is opened, modified, or closed on a monitored endpoint:

<group name="syscollector,">
  <!-- ports -->
  <rule id="100310" level="3">
      <if_sid>221</if_sid>
      <field name="type">dbsync_ports</field>
      <description>Syscollector ports event.</description>
  </rule>

  <rule id="100311" level="3">
      <if_sid>100310</if_sid>
      <field name="operation_type">INSERTED</field>
      <description>The port: $(port.local_port), with local ip: $(port.local_ip) has been opened. Syscollector creation event detected.</description>
  </rule>

  <rule id="100312" level="3">
      <if_sid>100310</if_sid>
      <field name="operation_type">MODIFIED</field>
      <description>The port: $(port.local_port), with local ip: $(port.local_ip) has been modified. Syscollector modification event detected.</description>
  </rule>

  <rule id="100313" level="3">
      <if_sid>100310</if_sid>
      <field name="operation_type">DELETED</field>
      <description>The port: $(port.local_port), with local ip: $(port.local_ip) has been closed. Syscollector deletion event detected.</description>
  </rule>
</group>

After adding the configuration, restart the Wazuh manager.

# systemctl restart wazuh-manager
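A mistake that is easy to make with the rule set above is to chain a new rule from 221 (directly or through 100310) but leave it at level 0, 1 or 2, so it never appears on the dashboard. The following checker, an added example that is not part of the Wazuh documentation or the Wazuh code base, parses a rules file with the standard library, follows each rule's <if_sid> chain back to 221, and reports every Syscollector-derived rule whose level is below 3. The embedded sample is the page's port rules plus one constructed bad rule (hypothetical id 100399, level 0) so the checker has something to report; the minimum level and the parent id 221 come from the page.

```python
import sys
import xml.etree.ElementTree as ET

# Built-in Syscollector rule that custom rules must chain from (from the page).
SYSCOLLECTOR_SID = "221"
# Alerts below level 3 are not shown on the Wazuh dashboard by default (from the page).
MIN_VISIBLE_LEVEL = 3

# Constructed sample: the page's first two port rules plus a deliberately bad
# rule (hypothetical id 100399, level 0) that the checker should flag.
SAMPLE_RULES = """
<group name="syscollector,">
  <!-- ports -->
  <rule id="100310" level="3">
      <if_sid>221</if_sid>
      <field name="type">dbsync_ports</field>
      <description>Syscollector ports event.</description>
  </rule>
  <rule id="100311" level="3">
      <if_sid>100310</if_sid>
      <field name="operation_type">INSERTED</field>
      <description>Port opened.</description>
  </rule>
  <rule id="100399" level="0">
      <if_sid>100310</if_sid>
      <field name="operation_type">DELETED</field>
      <description>Port closed (level 0: never reaches the dashboard).</description>
  </rule>
</group>
"""


def parse_rules(xml_text):
    """Return {rule_id: {"level": int, "parents": [sid, ...]}} for every <rule>."""
    # A rules file may hold several top-level <group> elements, so wrap them
    # in one synthetic root before parsing.
    root = ET.fromstring("<rules>" + xml_text + "</rules>")
    rules = {}
    for rule in root.iter("rule"):
        parents = []
        for if_sid in rule.findall("if_sid"):
            # <if_sid> accepts a comma-separated list of parent ids.
            parents.extend(s.strip() for s in (if_sid.text or "").split(",") if s.strip())
        rules[rule.get("id")] = {"level": int(rule.get("level", "0")), "parents": parents}
    return rules


def inherits_from(rules, rule_id, ancestor, seen=None):
    """True if rule_id chains to ancestor directly or through other custom rules."""
    seen = seen if seen is not None else set()
    if rule_id in seen or rule_id not in rules:
        return False
    seen.add(rule_id)
    for parent in rules[rule_id]["parents"]:
        if parent == ancestor or inherits_from(rules, parent, ancestor, seen):
            return True
    return False


def find_invisible_syscollector_rules(xml_text):
    """Ids of Syscollector-derived rules whose level is too low to be displayed."""
    rules = parse_rules(xml_text)
    return sorted(
        rid for rid, r in rules.items()
        if inherits_from(rules, rid, SYSCOLLECTOR_SID) and r["level"] < MIN_VISIBLE_LEVEL
    )


if __name__ == "__main__":
    # Pass a rules file path (for example /var/ossec/etc/rules/local_rules.xml)
    # to check a real file; with no argument the constructed sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    print("rules hidden from the dashboard:", find_invisible_syscollector_rules(text))
```

Run it against local_rules.xml before restarting the manager; an empty list means every rule that descends from 221 will be visible once it fires.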

The alerts for a port opening operation are displayed in the Wazuh dashboard as follows:

Port opening operation alert

Note

The initial scan does not generate alerts. Alerts are triggered after a difference in results between the first and second Syscollector scans is detected. This second scan will occur when the configured interval is reached.

New searchable fields on the Wazuh dashboard

You can create Syscollector custom rules using any of the discussed methods, then search for Syscollector alerts on the Wazuh dashboard. The Wazuh indexer saves the Syscollector fields as data.type.value. For example, for the hardware type, the cpu_name field is data.hardware.cpu_name. The table below lists all searchable fields for the different Syscollector properties.

Type | Fields | Example
--- | --- | ---
Hardware | cpu_name, cpu_cores, cpu_mhz, ram_total, ram_free, ram_usage | data.hardware.cpu_mhz
Operating System | architecture, name, version, codename, major, minor, build, platform, sysname, release, release_version | data.os.codename
Port | local_ip, local_port, remote_ip, remote_port, tx_queue, rx_queue, inode, state, pid, process | data.port.inode
Program | name, priority, section, size, vendor, install_time, version, architecture, multiarch, source, description, location | data.program.name
Process | name, state, ppid, utime, stime, cmd, args, euser, ruser, suser, egroup, sgroup, fgroup, rgroup, priority, nice, size, vm_size, resident, share, start_time, pgrp, session, nlwp, tgid, tty, processor | data.process.state
Network | mac, adapter, type, state, mtu, tx_bytes, rx_bytes, tx_errors, rx_errors, tx_dropped, rx_dropped, tx_packets, rx_packets, ipv4, ipv6 | data.netinfo.iface.ipv4.address, data.netinfo.iface.mac
Hotfix | hotfix | data.hotfix
Users | host_ip, login_status, login_tty, login_type, process_pid, user_auth_failures.count, user_auth_failed_timestamp, user_created, user_full_name, user_group_id, user_group_id_signed, user_groups, user_home, user_id, user_is_hidden, user_is_remote, user_last_login, user_name, user_password_expiration_date, user_password_hash_algorithm, user_password_inactive_days, user_password_last_change, user_password_max_days_between_changes, user_password_min_days_between_changes, user_password_status, user_password_warning_days_before_expiration, user_roles, user_shell, user_type, user_uid_signed, user_uuid | data.host_ip
Groups | group_id, group_id_signed, group_is_hidden, group_name, group_users, group_uuid | data.group_id
Services | error_log_file_path, file_path, log_file_path, process_args, process_executable, process_group_name, process_pid, process_root_directory, process_user_name, process_working_directory, service_address, service_description, service_enabled, service_exit_code, services.win32_exit_code, service_frequency, service_id, service_inetd_compatibility, service_name, service_object_path, service_restart, service_start_type, service_starts_on_mount, service_starts_on_not_empty_directory, service_starts_on_path_modified, service_state, service_sub_state, service_target_address, service_target_ephemeral_id, service_target_type, service_type, service_win32_exit_code | data.error_log_file_path
Browser extensions | browser_name, browser_profile_name, browser_profile_path, browser_profile_referenced, file_hash_sha256, package_autoupdate, package_build_version, package_description, package_enabled, package_from_webstore, package_id, package_installed, package_name, package_path, package_permissions, package_persistent, package_reference, package_type, package_vendor, package_version, package_visible, user_id | data.browser_name
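The same data.type.value naming used for dashboard searches also describes where the values sit in the JSON alerts the manager writes, so the port fields listed above can be consumed outside the dashboard as well. The script below is an added example, not part of the Wazuh documentation or code base: it resolves dotted paths such as data.port.local_port in alerts produced by the port rules earlier on the page, and flags a newly opened port (operation_type INSERTED) that is not in a per-agent baseline of expected listeners, or an expected listener that was closed (operation_type DELETED). The alert lines are constructed to mirror the shape of Wazuh's alerts.json with only the fields used here; the agent name, the baseline and the rule ids 100311/100312/100313 (from the page) are example values, and the page does not document the exact alert JSON layout beyond the data.type.value convention.

```python
import json

# Constructed baseline: listening ports expected on each monitored agent (hypothetical).
EXPECTED_LISTENERS = {"web01": {22, 443}}

# Constructed alert lines in the one-object-per-line style of alerts.json, reduced to
# the rule, agent and Syscollector "data" fields this example reads.
SAMPLE_ALERTS = [
    '{"rule":{"id":"100311","level":3},"agent":{"id":"001","name":"web01"},'
    '"data":{"type":"dbsync_ports","operation_type":"INSERTED","port":{"local_ip":"0.0.0.0",'
    '"local_port":443,"state":"listening","process":"nginx","pid":1201}}}',
    '{"rule":{"id":"100311","level":3},"agent":{"id":"001","name":"web01"},'
    '"data":{"type":"dbsync_ports","operation_type":"INSERTED","port":{"local_ip":"0.0.0.0",'
    '"local_port":8080,"state":"listening","process":"python3","pid":3377}}}',
    '{"rule":{"id":"100313","level":3},"agent":{"id":"001","name":"web01"},'
    '"data":{"type":"dbsync_ports","operation_type":"DELETED","port":{"local_ip":"0.0.0.0",'
    '"local_port":22,"state":"listening","process":"sshd","pid":812}}}',
    '{"rule":{"id":"100312","level":3},"agent":{"id":"001","name":"web01"},'
    '"data":{"type":"dbsync_ports","operation_type":"MODIFIED","port":{"local_ip":"127.0.0.1",'
    '"local_port":5432,"state":"listening","process":"postgres","pid":990}}}',
    '{"rule":{"id":"5402","level":3},"agent":{"id":"001","name":"web01"},"data":{"srcuser":"root"}}',
    'not json at all',
]


def load_alert(line):
    """Parse one alerts.json line; return None for anything that is not a JSON object."""
    try:
        alert = json.loads(line)
    except json.JSONDecodeError:
        return None
    return alert if isinstance(alert, dict) else None


def get_field(alert, path):
    """Resolve a dashboard-style dotted field name such as "data.port.local_port"."""
    node = alert
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def classify_port_alert(alert, expected):
    """Return a finding for one Syscollector port alert, or None if it is benign."""
    if get_field(alert, "data.type") != "dbsync_ports":
        return None  # not a port inventory event
    agent = get_field(alert, "agent.name")
    op = get_field(alert, "data.operation_type")
    port = get_field(alert, "data.port.local_port")
    if port is None:
        return None
    ip = get_field(alert, "data.port.local_ip")
    proc = get_field(alert, "data.port.process")
    known = int(port) in expected.get(agent, set())
    if op == "INSERTED" and not known:
        pid = get_field(alert, "data.port.pid")
        return f"unexpected listener on {ip}:{port} ({proc}, pid {pid})"
    if op == "DELETED" and known:
        return f"expected listener on {ip}:{port} ({proc}) stopped"
    return None  # MODIFIED events and baseline-consistent changes are ignored here


def review_port_alerts(lines, expected=EXPECTED_LISTENERS):
    """Run the baseline check over alert lines; return (agent, finding) pairs."""
    findings = []
    for line in lines:
        alert = load_alert(line)
        if alert is None:
            continue
        finding = classify_port_alert(alert, expected)
        if finding:
            findings.append((get_field(alert, "agent.name"), finding))
    return findings


if __name__ == "__main__":
    for agent, finding in review_port_alerts(SAMPLE_ALERTS):
        print(f"[{agent}] {finding}")
```

On a manager this would read /var/ossec/logs/alerts/alerts.json instead of the constructed list; because the rules only fire on differences between two Syscollector scans, the first run after enabling them produces no port alerts, which is the behaviour described in the note above.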