The Wazuh core uses list-based databases to store information related to agent keys and to FIM/Rootcheck event data.
Note
Each agent has its own database, named after the ID the agent was registered with in the manager (the manager keeps it as <id>.db under its queue/db directory).
Daemon command-line options
Option | Description |
---|---|
-d | Basic debug mode. |
-dd | Verbose debug mode. |
-f | Run in foreground. |
-h | Display the help message. |
-V | Version and license message. |
-t | Test configuration. |
Data from FIM records reported by the agent
Field | Description | Example |
---|---|---|
file | File path | /test/file |
type | Entry type (file or registry) | file |
date | Timestamp of the last event for this entry (Unix time) | 1538556788 |
changes | Number of successive changes recorded for the file | 0 |
size | File size in bytes | 28179 |
perm | File permissions (mode) | 100664 |
uid | Owner user ID (Unix) | 1000 |
gid | Owner group ID (Unix) | 1000 |
md5 | MD5 of the file content | 6d9bd718faff778bbeabada6f07f5c2f |
sha1 | SHA1 of the file content | 3ad067d8949ab0e20c220d7b1acb338190967acc |
uname | Owner user name (Unix) | root |
gname | Owner group name (Unix) | root |
mtime | Modification time (Unix time) | 1536059852 |
inode | Inode number | 14946484 |
sha256 | SHA256 of the file content | 09aaf47929660c513332aa2349bc66ce7ae710d030888530e0ae27646c9e6f5d |
attributes | File attribute mask (Windows) | 32 |
symbolic_path | Path of the monitored symbolic link | /test/link |
checksum | SHA1 over all file attributes | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
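The columns above are what an analyst has to work with when pulling an agent's FIM table into a triage script. The following is an added example, not code from the Wazuh project: it builds an in-memory SQLite table with exactly the columns listed above, fills it with constructed rows, and runs the checks a responder typically wants (setuid/setgid binaries, world-writable files, entries that changed after a given time, and content drift against a recorded sha256 baseline). The table name `fim_entry`, the helper names, the sample paths and all hashes are assumptions made for this example; `perm` is interpreted as an octal st_mode string in the same form as the page's `100664` example, and `checksum` is left NULL because its exact recipe is not spelled out here.

```python
"""Triage queries over a Wazuh-style FIM table (added example, not Wazuh code)."""
import hashlib
import sqlite3
import stat
from typing import Dict, List, Tuple

# Column set exactly as listed on the page.  The table name fim_entry is an
# assumption made for this example; the page lists only the columns.
FIM_SCHEMA = """
CREATE TABLE fim_entry (
    file TEXT PRIMARY KEY, type TEXT, date INTEGER, changes INTEGER,
    size INTEGER, perm TEXT, uid TEXT, gid TEXT, md5 TEXT, sha1 TEXT,
    uname TEXT, gname TEXT, mtime INTEGER, inode INTEGER, sha256 TEXT,
    attributes TEXT, symbolic_path TEXT, checksum TEXT
)
"""


def _digests(content: bytes) -> Tuple[str, str, str]:
    """md5/sha1/sha256 of constructed content, used to fill the hash columns."""
    return (hashlib.md5(content).hexdigest(),
            hashlib.sha1(content).hexdigest(),
            hashlib.sha256(content).hexdigest())


def _row(path, date, size, perm, uid, gid, uname, gname, content, inode):
    """One constructed fim_entry row (18 columns, in page order).

    perm is an octal st_mode string like the page's 100664 example.
    attributes/symbolic_path/checksum are NULL: their recipe is not given here."""
    md5, sha1, sha256 = _digests(content)
    return (path, "file", date, 0, size, perm, uid, gid, md5, sha1,
            uname, gname, date, inode, sha256, None, None, None)


# Constructed sample data, not rows from a real agent database.
SAMPLE_ROWS = [
    _row("/etc/passwd", 1538556788, 2011, "100644", "0", "0", "root", "root", b"passwd-v1", 14946001),
    _row("/usr/local/bin/helper", 1538558000, 48120, "104755", "0", "0", "root", "root", b"elf-helper", 14946002),
    _row("/test/file", 1538556788, 28179, "100664", "1000", "1000", "user", "user", b"test-v2", 14946484),
    _row("/tmp/drop", 1538559000, 100, "100777", "1000", "1000", "user", "user", b"drop", 14946003),
]

# Constructed known-good sha256 values recorded earlier: /test/file has since
# changed content and /opt/app/config is no longer present in the table.
BASELINE = {
    "/etc/passwd": _digests(b"passwd-v1")[2],
    "/test/file": _digests(b"test-v1")[2],
    "/opt/app/config": _digests(b"cfg")[2],
}


def load_fim(rows) -> sqlite3.Connection:
    """Create an in-memory database with the FIM table and the given rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(FIM_SCHEMA)
    conn.executemany("INSERT INTO fim_entry VALUES (%s)" % ",".join("?" * 18), rows)
    conn.commit()
    return conn


def _files_with_mode_bits(conn, mask: int) -> List[str]:
    """Files whose octal perm has any bit of mask set, sorted by path."""
    hits = []
    for path, perm in conn.execute("SELECT file, perm FROM fim_entry WHERE type = 'file'"):
        if perm and int(perm, 8) & mask:
            hits.append(path)
    return sorted(hits)


def setuid_setgid_files(conn) -> List[str]:
    """Binaries that gain privileges on execution: classic persistence spots."""
    return _files_with_mode_bits(conn, stat.S_ISUID | stat.S_ISGID)


def world_writable_files(conn) -> List[str]:
    return _files_with_mode_bits(conn, stat.S_IWOTH)


def changed_since(conn, ts: int) -> List[str]:
    """Entries whose last event timestamp (date) is at or after ts."""
    return [r[0] for r in conn.execute(
        "SELECT file FROM fim_entry WHERE date >= ? ORDER BY file", (ts,))]


def content_drift(conn, baseline: Dict[str, str]):
    """Compare sha256 against a baseline; returns (modified, new, missing)."""
    current = dict(conn.execute("SELECT file, sha256 FROM fim_entry"))
    modified = sorted(p for p, h in current.items() if p in baseline and baseline[p] != h)
    new = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return modified, new, missing


if __name__ == "__main__":
    db = load_fim(SAMPLE_ROWS)
    print("setuid/setgid:", setuid_setgid_files(db))
    print("world-writable:", world_writable_files(db))
    print("changed since 1538558000:", changed_since(db, 1538558000))
    print("drift (modified, new, missing):", content_drift(db, BASELINE))
```

Against a real agent database the same functions work unchanged if `load_fim` is replaced by `sqlite3.connect("/path/to/<id>.db")` and the table name adjusted to whatever the installed schema uses; the `content_drift` check is the one worth scheduling, since a hash that differs from a baseline taken at a known-good time is the signal FIM exists to produce.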
Added in version 3.12.0.
It stores the state of the synchronization between the agent's local database and its copy on the manager, one row per module.
Field | Description | Example |
---|---|---|
component | Module name | fim |
last_attempt | Unix timestamp of the last synchronization attempt | 1580906939 |
last_completion | Unix timestamp of the last successful synchronization | 1580906939 |
n_attempts | Number of synchronization attempts | 32 |
n_completions | Number of successful synchronizations | 29 |
It stores the start and end times of each scan run by an agent (used for agents prior to 3.12).
Field | Description | Example |
---|---|---|
module | Module name | fim |
first_start | Start of the first scan (Unix timestamp) | 1538558233 |
first_end | End of the first scan (Unix timestamp) | 1538556788 |
start_scan | Start of the last scan (Unix timestamp) | 1538558233 |
end_scan | End of the last scan (Unix timestamp) | 1538558192 |
fim_first_check | Start of the latest scan (Unix timestamp) | 1538558233 |
fim_second_check | Start of the scan before that (Unix timestamp) | 1538556779 |
fim_third_check | Start of the scan two before that (Unix timestamp) | 1538555325 |
Note
The fields fim_first_check, fim_second_check and fim_third_check are only used for FIM scans.
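The synchronization table above and the per-scan table are the two places to look when an agent's FIM data on the manager seems out of date. The following is an added example, not Wazuh code, showing how to turn those rows into a health verdict: a sync row whose `last_attempt` is newer than `last_completion` has an attempt outstanding, a gap between `n_attempts` and `n_completions` counts failed attempts, and a scan row whose `start_scan` is later than `end_scan` is read here as a scan still in progress (that reading is this example's interpretation of the fields). The rows are constructed from the page's own example values; the dict shape, function names and the `max_age` threshold are assumptions of the example.

```python
"""Sync and scan health from the agent's sync and scan-state rows (added example)."""
from typing import Dict, Optional

# Constructed rows using the page's example values.  Column names are the
# page's; representing a row as a dict is this example's convention.
SYNC_ROW = {"component": "fim", "last_attempt": 1580906939,
            "last_completion": 1580906939, "n_attempts": 32, "n_completions": 29}

SCAN_ROW = {"module": "fim", "first_start": 1538558233, "first_end": 1538556788,
            "start_scan": 1538558233, "end_scan": 1538558192,
            "fim_first_check": 1538558233, "fim_second_check": 1538556779,
            "fim_third_check": 1538555325}


def sync_state(row: Dict[str, int], now: int, max_age: int = 3600) -> str:
    """Classify a sync row relative to the clock value `now`.

    'never'   : no completion has ever been recorded
    'pending' : an attempt is newer than the last completion (failed or running)
    'stale'   : last completion is older than max_age seconds
    'ok'      : otherwise
    """
    if row["n_completions"] == 0:
        return "never"
    if row["last_attempt"] > row["last_completion"]:
        return "pending"
    if now - row["last_completion"] > max_age:
        return "stale"
    return "ok"


def failed_syncs(row: Dict[str, int]) -> int:
    """Attempts that never completed; a growing gap points at a sync problem."""
    return row["n_attempts"] - row["n_completions"]


def scan_in_progress(row: Dict[str, int]) -> bool:
    """A last start later than the last end means the scan has not finished."""
    return row["start_scan"] > row["end_scan"]


def last_scan_duration(row: Dict[str, int]) -> Optional[int]:
    """Seconds the last completed scan took, or None while one is running."""
    if scan_in_progress(row):
        return None
    return row["end_scan"] - row["start_scan"]


if __name__ == "__main__":
    print("sync:", sync_state(SYNC_ROW, now=SYNC_ROW["last_completion"] + 60),
          "failed attempts:", failed_syncs(SYNC_ROW))
    print("scan running:", scan_in_progress(SCAN_ROW),
          "last duration:", last_scan_duration(SCAN_ROW))
```

With the page's example values the sync row reports `ok` with three failed attempts out of 32, and the scan row reports a scan in progress; a monitor would alert on `stale`, on `pending` persisting across several checks, or on `failed_syncs` climbing between samples.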
Metadata needed to upgrade the agent's database, stored as key/value pairs (db_version records the schema version)
Field | Description | Example |
---|---|---|
key | Metadata name | db_version |
value | Metadata value | 3 |
Tables populated by the Syscollector module
Table | Description |
---|---|
sys_hwinfo | Stores information about the hardware of the system |
sys_netiface | Stores information about the existing network interfaces of the system |
sys_netaddr | Stores the IPv4 and IPv6 addresses of the existing network interfaces |
sys_netproto | Stores information about the routing configuration of each interface |
sys_osinfo | Stores information about the operating system |
sys_ports | Stores information about the open ports of the system |
sys_processes | Stores information about the processes currently running on the system |
sys_programs | Stores information about the packages installed on the system |
sys_hotfixes | Stores information about the Windows updates (hotfixes) installed on the agent |
Results of a CIS-CAT scan of an agent
Field | Description | Example |
---|---|---|
id | Unique identifier of the result row | 12372 |
scan_id | Scan identifier | 1701467600 |
scan_time | Scan time (ISO 8601 with UTC offset) | 2018-02-08T11:47:28.066-08:00 |
benchmark | Benchmark executed | CIS Ubuntu Linux 16.04 LTS Benchmark |
profile | Profile executed within the benchmark | xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server |
pass | Number of checks passed | 98 |
fail | Number of checks failed | 85 |
error | Number of checks that produced an error | 0 |
notchecked | Number of checks not evaluated | 36 |
unknown | Number of checks with an unknown result | 1 |
score | Final score | 53% |