diff --git a/CHANGELOG.md b/CHANGELOG.md index 2a02aae990..78c5c5bc82 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -12,6 +12,7 @@ All notable changes to this project will be documented in this file. - **Post-release**: Updated the upgrade guide for Wazuh central components. ([#8934](https://github.com/wazuh/wazuh-documentation/pull/8934)) ([#8941](https://github.com/wazuh/wazuh-documentation/pull/8941)) ([#8944](https://github.com/wazuh/wazuh-documentation/pull/8944)) - **Post-release**: Added indexer connector configuration steps to vulnerability detection documentation and removed troubleshooting section. ([#8942](https://github.com/wazuh/wazuh-documentation/pull/8942)) - **Post-release**: Updated the *Navigating the Wazuh dashboard* section. ([#8950](https://github.com/wazuh/wazuh-documentation/pull/8950)) +- **Post-release**: Updated the System inventory documentation. ([#8955](https://github.com/wazuh/wazuh-documentation/pull/8955)) ### Fixed diff --git a/source/_static/js/redirects.js b/source/_static/js/redirects.js index 12fdef61c1..a6d5b83744 100644 --- a/source/_static/js/redirects.js +++ b/source/_static/js/redirects.js @@ -69,12 +69,6 @@ removedUrls['x.y'] = [ /* *** RELEASE 4.13 ****/ -removedUrls['4.13'] = [ - '/user-manual/capabilities/vulnerability-detection/troubleshooting.html', - '/user-manual/capabilities/vulnerability-detection/FAQ.html', - '/user-manual/capabilities/vulnerability-detection/known-issues.html', -]; - /* Pages added in 4.13 */ newUrls['4.13'] = [ 
@@ -83,8 +77,17 @@ newUrls['4.13'] = [ '/user-manual/wazuh-dashboard/global-queries.html', '/user-manual/capabilities/system-inventory/global-queries.html', '/user-manual/capabilities/file-integrity/global-queries.html', + '/user-manual/capabilities/system-inventory/use-cases.html', ] +/* Pages no longer available in x.y (this is not required if there is a redirection for this url) */ + +removedUrls['4.13'] = [ + '/user-manual/capabilities/vulnerability-detection/troubleshooting.html', + '/user-manual/capabilities/vulnerability-detection/FAQ.html', + '/user-manual/capabilities/vulnerability-detection/known-issues.html', +]; + /* *** RELEASE 4.12 ****/ /* Pages added in 4.12 */ diff --git a/source/images/manual/system-inventory/dev-tools.png b/source/images/manual/system-inventory/dev-tools.png new file mode 100644 index 0000000000..59ba4ebf6b Binary files /dev/null and b/source/images/manual/system-inventory/dev-tools.png differ diff --git a/source/images/manual/system-inventory/explore-agent.png b/source/images/manual/system-inventory/explore-agent.png new file mode 100644 index 0000000000..5d4719a29f Binary files /dev/null and b/source/images/manual/system-inventory/explore-agent.png differ diff --git a/source/images/manual/system-inventory/export-formatted.png b/source/images/manual/system-inventory/export-formatted.png index a8f1fd2755..b8e1d1cbf7 100644 Binary files a/source/images/manual/system-inventory/export-formatted.png and b/source/images/manual/system-inventory/export-formatted.png differ diff --git a/source/images/manual/system-inventory/generate-report.png b/source/images/manual/system-inventory/generate-report.png index cd8a4d5b3e..ccfa67cc39 100644 Binary files a/source/images/manual/system-inventory/generate-report.png and b/source/images/manual/system-inventory/generate-report.png differ 
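Review bot: the header comment added above the relocated `removedUrls['4.13']` block in the redirects.js `@@ -83,8 +77,17 @@` hunk still carries the template placeholder, `/* Pages no longer available in x.y (this is not required if there is a redirection for this url) */`, while every other section of this file names its release; change `x.y` to `4.13` so it matches the `/* Pages added in 4.13 */` comment directly above it. While touching this region, note that the `newUrls['4.13']` array closes with a bare `]` (context line) whereas the relocated `removedUrls['4.13']` block closes with `];`; adding the missing semicolon keeps the two arrays consistent.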
diff --git a/source/images/manual/system-inventory/get-inventory-packages.png b/source/images/manual/system-inventory/get-inventory-packages.png new file mode 100644 index 0000000000..9955124276 Binary files /dev/null and b/source/images/manual/system-inventory/get-inventory-packages.png differ diff --git a/source/images/manual/system-inventory/get-states-inventory-indices.png b/source/images/manual/system-inventory/get-states-inventory-indices.png new file mode 100644 index 0000000000..4069a3efdb Binary files /dev/null and b/source/images/manual/system-inventory/get-states-inventory-indices.png differ diff --git a/source/images/manual/system-inventory/look-up-inventory-packages-on-endpoint.png b/source/images/manual/system-inventory/look-up-inventory-packages-on-endpoint.png new file mode 100644 index 0000000000..9bceac0284 Binary files /dev/null and b/source/images/manual/system-inventory/look-up-inventory-packages-on-endpoint.png differ diff --git a/source/images/manual/system-inventory/look-up-inventory-packages.png b/source/images/manual/system-inventory/look-up-inventory-packages.png new file mode 100644 index 0000000000..8f8c59925e Binary files /dev/null and b/source/images/manual/system-inventory/look-up-inventory-packages.png differ diff --git a/source/images/manual/system-inventory/use-case-it-hygiene-add-package-name.png b/source/images/manual/system-inventory/use-case-it-hygiene-add-package-name.png new file mode 100644 index 0000000000..99a8092afb Binary files /dev/null and b/source/images/manual/system-inventory/use-case-it-hygiene-add-package-name.png differ diff --git a/source/images/manual/system-inventory/use-case-resource-monitoring.png b/source/images/manual/system-inventory/use-case-resource-monitoring.png new file mode 100644 index 0000000000..b433646505 Binary files /dev/null and b/source/images/manual/system-inventory/use-case-resource-monitoring.png differ 
diff --git a/source/images/manual/system-inventory/use-case-vd-add-package-name.png b/source/images/manual/system-inventory/use-case-vd-add-package-name.png new file mode 100644 index 0000000000..eee181bb6a Binary files /dev/null and b/source/images/manual/system-inventory/use-case-vd-add-package-name.png differ diff --git a/source/user-manual/capabilities/system-inventory/configuration.rst b/source/user-manual/capabilities/system-inventory/configuration.rst index ff24a93815..d7a97d9da5 100644 --- a/source/user-manual/capabilities/system-inventory/configuration.rst +++ b/source/user-manual/capabilities/system-inventory/configuration.rst @@ -6,6 +6,16 @@ Configuration ============= +The Wazuh system inventory requires both Wazuh agent and Wazuh manager configurations to collect, process, and store system inventory data. + +.. contents:: + :local: + :depth: 1 + :backlinks: none + +Wazuh agent configuration +------------------------- + The Syscollector module is enabled by default on all endpoints where the Wazuh agent is installed. You can find the Syscollector configuration in the Wazuh agent configuration file at: - ``/var/ossec/etc/ossec.conf`` for Linux endpoints. 
@@ -62,4 +72,105 @@ In Windows systems, you can use the ```` option. Check :ref:`wodle_sys .. note:: - Restart the agent when you make any changes to the configuration file. This ensures that the changes take effect. \ No newline at end of file + Restart the agent when you make any changes to the configuration file. This ensures that the changes take effect. + +Wazuh manager configuration +--------------------------- + +The Wazuh Inventory Harvester module on the Wazuh manager processes the collected system inventory data and forwards it to the Wazuh indexer using the :doc:`indexer connector ` setting. The indexer connector setting is enabled by default in the ``/var/ossec/etc/ossec.conf`` file of the Wazuh manager. + +The indexer connector may be missing if the Wazuh manager is using an old configuration file or if vulnerability detection was disabled during installation. In such cases, follow the steps below to add the indexer connector setting. + +#. Add the indexer connector configuration block below to the ``/var/ossec/etc/ossec.conf`` file on the Wazuh manager: + + .. code-block:: xml + + + yes + + https://0.0.0.0:9200 + + + + /etc/filebeat/certs/root-ca.pem + + /etc/filebeat/certs/filebeat.pem + /etc/filebeat/certs/filebeat-key.pem + + + + Ensure: + + - The ```` section contains the IP address or hostname of your Wazuh indexer node. You can find this value in the Filebeat configuration file at ``/etc/filebeat/filebeat.yml``. + - The ````, ````, and ```` names match the files located in ``/etc/filebeat/certs/``. + +#. If you are running a Wazuh indexer cluster infrastructure, add a ```` entry for each one of your Wazuh indexer nodes. For example, in a two-node configuration: + + .. code-block:: xml + + + https://10.0.0.1:9200 + https://10.0.0.2:9200 + + + The Wazuh server will prioritize reporting to the first Wazuh indexer node in the list and switch to the next available node if the first one becomes unavailable. + +#. 
Save the Wazuh indexer username and password into the Wazuh manager keystore using the :doc:`Wazuh-keystore ` tool: + + .. code-block:: console + + # echo '' | /var/ossec/bin/wazuh-keystore -f indexer -k username + # echo '' | /var/ossec/bin/wazuh-keystore -f indexer -k password + + If you have forgotten your Wazuh indexer password, refer to the :doc:`password management ` guide to reset it. + +#. Run the command below to verify the connection to the Wazuh indexer using the curl command from the Wazuh server. Enter the Wazuh indexer password when prompted: + + .. code-block:: console + + # curl --cacert --cert --key -u -XGET https://:9200/_cluster/health + + Where: + + - ````, ````, ````: Certificate paths. + - ```` and ````: Admin username of the Wazuh indexer. + - ````: IP address of the Wazuh indexer. + + If this command fails, the vulnerability detector module won't be able to connect to the Wazuh indexer. + + To check if the issue is related to certificates, bypass certificate verification using the -k option. Enter the Wazuh indexer password when prompted: + + .. code-block:: console + + # curl -k -u -XGET https://:9200/_cluster/health + + A successful connection returns a result similar to the following: + + .. code-block:: none + :class: output + + { + "cluster_name": "opensearch", + "status": "green", + "timed_out": false, + "number_of_nodes": 1, + "number_of_data_nodes": 1, + "discovered_master": true, + "discovered_cluster_manager": true, + "active_primary_shards": 9, + "active_shards": 9, + "relocating_shards": 0, + "initializing_shards": 0, + "unassigned_shards": 0, + "delayed_unassigned_shards": 0, + "number_of_pending_tasks": 0, + "number_of_in_flight_fetch": 0, + "task_max_waiting_in_queue_millis": 0, + "active_shards_percent_as_number": 100.0 + } + +#. Restart the Wazuh manager to apply the configuration: + + .. code-block:: console + + # sudo systemctl restart wazuh-manager 
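Review bot: the failure sentence in the curl verification step of the configuration.rst `@@ -62,4 +72,105 @@` hunk names the wrong component: `If this command fails, the vulnerability detector module won't be able to connect to the Wazuh indexer.` is carried over from the vulnerability detection guide, but the component this section configures is the Wazuh Inventory Harvester introduced two paragraphs earlier, so the sentence should say that the Inventory Harvester will not be able to forward inventory data to the indexer. Two smaller points in the same hunk: the sample host value `https://0.0.0.0:9200` in the indexer connector block is an unroutable placeholder and should be labelled as one next to the `Ensure:` list that sends readers to `/etc/filebeat/filebeat.yml` for the real address; and the final step `# sudo systemctl restart wazuh-manager` combines the root `#` prompt used in every other console block of this file with `sudo`, so drop `sudo` for consistency.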
diff --git a/source/user-manual/capabilities/system-inventory/generating-system-inventory-reports.rst b/source/user-manual/capabilities/system-inventory/generating-system-inventory-reports.rst index 77577dba55..18caaabb70 100644 --- a/source/user-manual/capabilities/system-inventory/generating-system-inventory-reports.rst +++ b/source/user-manual/capabilities/system-inventory/generating-system-inventory-reports.rst 
@@ -1,40 +1,45 @@ .. Copyright (C) 2015, Wazuh, Inc. .. meta:: - :description: You can generate two types of reports from the Wazuh dashboard. Learn more about it in this section of the Wazuh documentation. + :description: You can generate two types of reports from the Wazuh dashboard. Learn more about it in this section of the Wazuh documentation. Generating system inventory reports =================================== -You can generate two types of reports from the Wazuh dashboard. These reports are the property-specific report and the endpoint inventory report. +You can generate two types of reports from the Wazuh dashboard. These reports are the IT Hygiene report and the property-specific report. -Property-specific report ------------------------- +IT Hygiene report +----------------- -This feature allows you to export ``CSV`` reports of a specific property of an endpoint. For example, you can generate a report of the installed software on an endpoint. +This feature allows you to export a summary of the properties collected by the Wazuh Syscollector module for a specific endpoint or all monitored endpoints. This report is generated in PDF format and can serve a variety of uses. To download the IT hygiene report: -To download this report, click **Export formatted** within the specific property you are interested in on the **Inventory Data** page of the endpoint. - -.. thumbnail:: /images/manual/system-inventory/export-formatted.png - :title: Export formatted - :alt: Export formatted - :align: center - :width: 80% +- Click **Generate Report** in the **Dashboard** section of the **IT Hygiene** page. -Endpoint inventory report -------------------------- + .. thumbnail:: /images/manual/system-inventory/generate-report.png + :title: Generate report + :alt: Generate report + :align: center + :width: 80% -This feature allows you to export a full report of all endpoint properties collected by the Wazuh Syscollector module. 
This report is generated in PDF format and can serve a variety of uses. To download the full endpoint report: +- When the report is ready, click **Open report** to download it immediately, or go to **Dashboard Management** > **Reporting** to download it later. -- Click **Generate report** on the **Inventory Data** page of the Wazuh agent. +Property-specific report +------------------------ -.. thumbnail:: /images/manual/system-inventory/generate-report.png - :title: Generate report - :alt: Generate report - :align: center - :width: 80% +This feature allows you to export ``CSV`` reports of a specific property of an endpoint. For example, you can generate a report of the installed software on an endpoint. This kind of report is only available for system, software, processes, and network categories. -- When the report is ready, navigate to **Dashboard management** > **Reporting** and download the report. +To download this report, click **Export Formatted** in the **IT Hygiene** page for the specific property you are interested in. In the image below, we download the software inventory data for all monitored endpoints. -.. Note:: - Both report types cover the inventory for only the monitored endpoint of interest. +.. thumbnail:: /images/manual/system-inventory/export-formatted.png + :title: Export formatted + :alt: Export formatted + :align: center + :width: 80% + +To streamline the report to a specific endpoint, click **Explore agent** and select an endpoint. In the image below, we download the software inventory data for a Windows 11 endpoint. + +.. thumbnail:: /images/manual/system-inventory/explore-agent.png + :title: Explore agent + :alt: Explore agent + :align: center + :width: 80% diff --git a/source/user-manual/capabilities/system-inventory/how-it-works.rst b/source/user-manual/capabilities/system-inventory/how-it-works.rst index 44c0089591..d1d6f1944f 100644 --- a/source/user-manual/capabilities/system-inventory/how-it-works.rst 
+++ b/source/user-manual/capabilities/system-inventory/how-it-works.rst 
@@ -1,17 +1,15 @@ .. Copyright (C) 2015, Wazuh, Inc. .. meta:: - :description: The Wazuh agent uses the Syscollector module to gather relevant information from the monitored endpoint. Learn how Syscollector works in this section. + :description: The Wazuh agent uses the Syscollector module to gather relevant information from the monitored endpoint. Learn how Syscollector works in this section. How it works ============ -As mentioned above, the Wazuh agent uses the Syscollector module to gather relevant information from the monitored endpoint. Once the agent service starts on a monitored endpoint, the Syscollector module runs periodical scans and collects data on the system properties defined in your configuration. The data is first stored in a temporal local database on the endpoint. +The Wazuh agent uses the Syscollector module to gather relevant information from the monitored endpoint. Once the agent service starts on a monitored endpoint, the Syscollector module runs periodic scans and collects data on the system properties defined in your configuration. The data is first stored in a temporary local database on the endpoint. -The agent forwards the newly collected data from its local database to the Wazuh server. Each agent uses a separate database on the Wazuh server. The Wazuh server updates the appropriate tables of the inventory database on the Wazuh server using the information the agent sends. For example, the Wazuh server stores hardware-related information in a table called ``sys_hwinfo``. +The Wazuh agent then forwards the newly collected data from its local database to the Wazuh server. Each agent uses a separate database on the Wazuh server, which updates the appropriate tables of its inventory database using the received information. For example, the Wazuh server stores hardware-related information in a table called ``sys_hwinfo``. -The Wazuh dashboard automatically displays the data stored in the inventory database. 
However, you can query the database using the Wazuh API or the ``SQLite`` tool. In addition, the :doc:`vulnerability detection ` module uses :ref:`packages ` and :ref:`Windows updates ` information in the inventory to detect vulnerable and patched software on monitored endpoints. +The Wazuh Inventory Harvester module on the Wazuh manager processes this data, standardizes it using Wazuh Common Schemas (WCS), and forwards it to the Wazuh indexer, where it is stored as global state data. This global state data is organized under dedicated indices for each data type, allowing users to efficiently run targeted queries and generate visualizations directly from the Wazuh dashboard. For example, the packages inventory is indexed as ``wazuh-states-inventory-packages-*`` in the Wazuh indexer. - - - \ No newline at end of file +You can query and visualize centralized system inventory data from all monitored endpoints in the IT Hygiene section on the Wazuh dashboard. In addition, you can query the system inventory data using the Wazuh indexer API, the Wazuh server API, or the ``SQLite`` tool. The :doc:`Vulnerability Detector ` module uses :ref:`packages ` and :ref:`Windows updates ` information in the inventory to detect vulnerable and patched software on monitored endpoints. diff --git a/source/user-manual/capabilities/system-inventory/index.rst b/source/user-manual/capabilities/system-inventory/index.rst index 6678e46563..8361eba51b 100644 --- a/source/user-manual/capabilities/system-inventory/index.rst +++ b/source/user-manual/capabilities/system-inventory/index.rst @@ -27,4 +27,5 @@ Users can generate system inventory reports from the Wazuh dashboard, which can available-inventory-fields compatibility-matrix using-syscollector-information-to-trigger-alerts - osquery \ No newline at end of file + osquery + use-cases \ No newline at end of file 
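Review bot: the rewritten second paragraph of the how-it-works.rst `@@ -1,17 +1,15 @@` hunk introduces an ambiguous relative clause: in `Each agent uses a separate database on the Wazuh server, which updates the appropriate tables of its inventory database using the received information.` the `which` attaches to `the Wazuh server`, and `its inventory database` then has no clear referent (the per-agent database just mentioned, or a server-wide one); the removed wording, `The Wazuh server updates the appropriate tables of the inventory database on the Wazuh server`, was unambiguous and should be kept in substance. Component naming is also inconsistent across this PR: this file says `Vulnerability Detector` module, configuration.rst says `vulnerability detector module`, and use-cases.rst says `Vulnerability Detection`; pick one form. Finally, the `:description:` meta line is replaced with an identical-looking line (the same no-op edit appears in the generating-system-inventory-reports.rst hunk), which suggests a trailing-whitespace change that only adds noise to the diff.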
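Review bot: the index.rst `@@ -27,4 +27,5 @@` hunk keeps the missing trailing newline, as `+    use-cases \ No newline at end of file` shows, even though the file is being edited for exactly this reason; end the file with a newline so the next toctree addition does not produce the same remove-and-re-add pair for the last entry.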
diff --git a/source/user-manual/capabilities/system-inventory/use-cases.rst b/source/user-manual/capabilities/system-inventory/use-cases.rst new file mode 100644 index 0000000000..7d2101951e --- /dev/null +++ b/source/user-manual/capabilities/system-inventory/use-cases.rst 
@@ -0,0 +1,60 @@ +.. Copyright (C) 2015, Wazuh, Inc. + +.. meta:: + :description: The following use cases show practical applications of visualizing system inventory data for security operations on the Wazuh dashboard. + +Use cases +========= + +The following use cases show practical applications of visualizing system inventory data for security operations on the Wazuh dashboard. + +Use case 1. Resource monitoring +------------------------------- + +Monitor memory usage across all endpoints to assess system performance and find devices with low available memory. + +#. Navigate to the **Security operations** tab and select **IT Hygiene**. +#. Select the **System** tab and then **Hardware**. +#. Click **+ Add filter** and configure it as follows: + + - **Field**: ``host.memory.free`` + - **Operator**: ``exists`` + +.. thumbnail:: /images/manual/system-inventory/use-case-resource-monitoring.png + :title: Resource monitoring + :alt: Resource monitoring + :align: center + :width: 80% + +Use case 2: Vulnerability management +------------------------------------ + +Identify all endpoints running a specific software package to assess vulnerability exposure. In this example, we identify all endpoints running a vulnerable version of ``systemd ( CVE-2025-4598)``. + +#. Click the **☰** icon and navigate to the **Security operations** tab and select **IT Hygiene**. +#. Select the **Software** tab and then **Packages**. +#. Click **+ Add filter** and configure it as follows: + + - **Field**: ``package.name`` + - **Operator**: ``is`` + - **Value** is ``systemd`` + + .. thumbnail:: /images/manual/system-inventory/use-case-it-hygiene-add-package-name.png + :title: Add package + :alt: Add package + :align: center + :width: 80% + +#. Click the **☰** icon at the top left corner and navigate to **Threat intelligence** and select **Vulnerability Detection**. +#. Select the **Inventory** tab. +#. 
Click **+ Add filter** and configure it as follows: + + - **Field**: ``package.name`` + - **Operator**: ``is`` + - **Value** is ``systemd`` + + .. thumbnail:: /images/manual/system-inventory/use-case-vd-add-package-name.png + :title: Add package name + :alt: Add package name + :align: center + :width: 80% diff --git a/source/user-manual/capabilities/system-inventory/viewing-system-inventory-data.rst b/source/user-manual/capabilities/system-inventory/viewing-system-inventory-data.rst index fb0624d7cf..bbc4820e05 100644 --- a/source/user-manual/capabilities/system-inventory/viewing-system-inventory-data.rst +++ b/source/user-manual/capabilities/system-inventory/viewing-system-inventory-data.rst @@ -71,8 +71,8 @@ Contains an overview of software packages and Windows KBs on monitored endpoints :align: center :width: 80% -Processess ----------- +Processes +--------- Displays running processes, process start times, and a summary data table containing process details for the monitored endpoints. 
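Review bot: in use case 1 of the new use-cases.rst file, the filter `**Field**: host.memory.free` with `**Operator**: exists` does not deliver what the goal sentence promises (`find devices with low available memory`): it only keeps documents that carry the field, which is every endpoint reporting hardware data. Sorting the resulting table on `host.memory.free` ascending, or using the `is between` operator with a threshold, would actually surface low-memory endpoints, and the step should say so. In use case 2, the `package.name` `is` `systemd` filter lists every endpoint with systemd installed regardless of version, so `we identify all endpoints running a vulnerable version of systemd ( CVE-2025-4598)` overstates what steps 1 to 3 achieve; the text should say that the Vulnerability Detection filter in steps 4 to 6 is what narrows the list to affected versions, and the stray space in `( CVE-2025-4598)` should go. Formatting nits in the same hunk: the headings read `Use case 1.` and `Use case 2:`; the filter lists write `**Operator**: ` but `**Value** is`; and the use case 1 thumbnail sits at column 0 while the use case 2 thumbnails are indented under their list items, so the first image renders outside the numbered list.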
@@ -127,20 +127,594 @@ Contains the **Addresses**, **Interfaces**, **Protocols**, **Services**, and **T :align: center :width: 80% -Query the agent inventory database ----------------------------------- +Query the agent inventory data +------------------------------ + +The Syscollector module runs periodic scans and sends the updated data in JSON format to the Wazuh server. The Wazuh server analyzes and stores this data in a separate database for each endpoint. The databases contain tables that store each type of system information. The system inventory databases on the Wazuh server are then processed and forwarded to the Wazuh indexer, where it is stored as the global state data. You can query the system inventory data for specific information using the Wazuh indexer API, Wazuh server API, or the ``SQLite`` tool. + +Using the Wazuh indexer API +^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +The :doc:`Wazuh indexer API ` enables you to perform actions such as adding new indices, querying existing indices, and modifying the Wazuh indexer settings. It can retrieve system inventory data from global state indices for selected or multiple monitored endpoints and display it in a human‑readable format. You can perform these queries through the Wazuh indexer API interface on the dashboard or by using command‑line tools such as ``cURL``. + +Wazuh indexer API GUI +~~~~~~~~~~~~~~~~~~~~~ + +Follow these steps to access the Wazuh indexer API from the Wazuh dashboard. + +#. On the Wazuh dashboard, click the hamburger icon from the top left side and navigate to **Indexer management** > **Dev Tools**. + + .. thumbnail:: /images/manual/system-inventory/dev-tools.png + :title: Indexer management > Dev Tools + :alt: Indexer management > Dev Tools + :align: center + :width: 80% + +#. Type the following command in the console and click the play icon to run the query: + + .. 
code-block:: none + + GET /_cat/indices/wazuh-states-inventory-*?v + + The command retrieves information about the system inventory indices + + .. thumbnail:: /images/manual/system-inventory/get-states-inventory-indices.png + :title: Get inventory indices + :alt: Get inventory indices + :align: center + :width: 80% + +#. Use the command below to query the system inventory index for installed packages within your infrastructure. After typing, click the **play** icon to run the query. + + .. code-block:: none + + GET /wazuh-states-inventory-packages-*/_search?pretty + + .. thumbnail:: /images/manual/system-inventory/get-inventory-packages.png + :title: Get inventory packages + :alt: Get inventory packages + :align: center + :width: 80% + +#. You can query the system inventory index to look up specific details, such as whether a particular package is installed on any monitored endpoints. For example, the following command checks the package inventory for the presence of the ``wazuh-agent`` package. + + .. code-block:: none + + GET /wazuh-states-inventory-packages-*/_search?pretty + { + "query": { + "match": { + "package.name": "wazuh-agent" + } + } + } + + .. thumbnail:: /images/manual/system-inventory/look-up-inventory-packages.png + :title: Look up inventory packages + :alt: Look up inventory packages + :align: center + :width: 80% + +#. Furthermore, you can check whether a package is installed on a specific endpoint. In the command below, we check if the Wazuh agent is installed on a Windows endpoint. Replace ```` with the name of the Wazuh endpoint. + + .. code-block:: console + + GET /wazuh-states-inventory-packages-*/_search?pretty + { + "query": { + "bool": { + "must": [ + { "term": { "agent.name": "" }}, + { "match": { "package.name": "Wazuh Agent" }} + ] + } + } + } + + .. 
thumbnail:: /images/manual/system-inventory/look-up-inventory-packages-on-endpoint.png + :title: Look up inventory packages + :alt: Look up inventory packages + :align: center + :width: 80% + +cURL +~~~~ + +Follow the steps below to query the system inventory indices from the command line using ``cURL``. + +#. Run the command below to retrieve information about the system inventory indices. Replace ```` with the Wazuh indexer username and type the Wazuh indexer password when prompted: + + .. code-block:: console + + # curl -k -u "" https://:9200/_cat/indices/wazuh-states-inventory-*?v + + .. code-block:: none + :class: output + + health status index uuid pri rep docs.count docs.deleted store.size pri.store.size + green open wazuh-states-inventory-system-wazuh-vmware-virtual-platform quLOzlY1RFGsDSrTHo-MFw 1 0 3 4 61.7kb 61.7kb + green open wazuh-states-inventory-protocols-wazuh-vmware-virtual-platform jnhsOwQyTlW-RYnaS7D7RQ 1 0 14 0 25.3kb 25.3kb + green open wazuh-states-inventory-processes-wazuh-vmware-virtual-platform -8IsddyrQp6r8erH54MFxw 1 0 690 655 253.3kb 253.3kb + green open wazuh-states-inventory-networks-wazuh-vmware-virtual-platform W8iWE0G_QqKiDID9cgPnqA 1 0 14 0 26.8kb 26.8kb + green open wazuh-states-inventory-packages-wazuh-vmware-virtual-platform zPc4yGKsRxCfxqbB0QuSjQ 1 0 1585 8 972.8kb 972.8kb + green open wazuh-states-inventory-interfaces-wazuh-vmware-virtual-platform KiXJsZfaSO2kZvFFahYbIw 1 0 9 5 80.2kb 80.2kb + green open wazuh-states-inventory-hardware-wazuh-vmware-virtual-platform TNAH5VcUTHKQz-3e4EXBig 1 0 3 5 76.8kb 76.8kb + green open wazuh-states-inventory-ports-wazuh-vmware-virtual-platform J9_a35ZgTFu2S7XvVHUDwQ 1 0 84 10 99.8kb 99.8kb + green open wazuh-states-inventory-hotfixes-wazuh-vmware-virtual-platform BeJOrf4cTlOEM_VCWmeDIw 1 0 18 0 7.3kb 7.3kb + +#. Use the command below to query the system inventory index for the packages on the endpoints. 
Replace ```` with the Wazuh indexer username and type the Wazuh indexer password when prompted. + + .. code-block:: console + + # curl -k -u "" https://:9200/wazuh-states-inventory-packages-*/_search?pretty + + .. code-block:: none + :class: output -The Syscollector module runs periodic scans and sends the updated data in JSON format to the Wazuh server. The Wazuh server analyzes and stores this data in a separate database for each endpoint. The databases contain tables that store each type of system information. You can query the database for specific information using the Wazuh API or the ``SQLite`` tool. + { + "took" : 1, + "timed_out" : false, + "_shards" : { + "total" : 1, + "successful" : 1, + "skipped" : 0, + "failed" : 0 + }, + "hits" : { + "total" : { + "value" : 1585, + "relation" : "eq" + }, + "max_score" : 1.0, + "hits" : [ + { + "_index" : "wazuh-states-inventory-packages-wazuh-vmware-virtual-platform", + "_id" : "006_041f8e6a4f5473b6ad05a32d8cbcc6fba389cabb", + "_score" : 1.0, + "_source" : { + "agent" : { + "id" : "006", + "name" : "Cent_Stream", + "version" : "v4.13.0" + }, + "package" : { + "architecture" : "x86_64", + "description" : "A library that wraps other spell checking backends.", + "installed" : "2025-06-30T19:18:17.000Z", + "name" : "enchant2", + "size" : 167594, + "type" : "rpm", + "vendor" : "CentOS", + "version" : "2.2.15-6.el9" + }, + "wazuh" : { + "cluster" : { + "name" : "wazuh-VMware-Virtual-Platform" + }, + "schema" : { + "version" : "1.0" + } + } + } + }, + { + "_index" : "wazuh-states-inventory-packages-wazuh-vmware-virtual-platform", + "_id" : "006_044fc408c207df2320ea52d29231919b2616f4ce", + "_score" : 1.0, + "_source" : { + "agent" : { + "id" : "006", + "name" : "Cent_Stream", + "version" : "v4.13.0" + }, + "package" : { + "architecture" : "x86_64", + "description" : "The ATK library provides a set of interfaces for adding accessibility\nsupport to applications and graphical user interface toolkits. 
By\nsupporting the ATK interfaces, an application or toolkit can be used\nwith tools such as screen readers, magnifiers, and alternative input\ndevices.", + "installed" : "2025-06-30T19:18:17.000Z", + "name" : "atk", + "size" : 1304627, + "type" : "rpm", + "vendor" : "CentOS", + "version" : "2.36.0-5.el9" + }, + "wazuh" : { + "cluster" : { + "name" : "wazuh-VMware-Virtual-Platform" + }, + "schema" : { + "version" : "1.0" + } + } + } + }, + { + "_index" : "wazuh-states-inventory-packages-wazuh-vmware-virtual-platform", + "_id" : "006_045d1c99dc4f5c48377352432af35e0cd2c2451c", + "_score" : 1.0, + "_source" : { + "agent" : { + "id" : "006", + "name" : "Cent_Stream", + "version" : "v4.13.0" + }, + "package" : { + "architecture" : "x86_64", + "description" : "A backend implementation for xdg-desktop-portal that is using various pieces of\nGNOME infrastructure, such as the org.gnome.Shell.Screenshot or\norg.gnome.SessionManager D-Bus interfaces.", + "installed" : "2025-06-30T19:31:26.000Z", + "name" : "xdg-desktop-portal-gnome", + "size" : 568978, + "type" : "rpm", + "vendor" : "CentOS", + "version" : "41.2-3.el9" + }, + "wazuh" : { + "cluster" : { + "name" : "wazuh-VMware-Virtual-Platform" + }, + "schema" : { + "version" : "1.0" + } + } + } + }, + { + "_index" : "wazuh-states-inventory-packages-wazuh-vmware-virtual-platform", + "_id" : "006_0467d452f839f61a318267d502b6c81154316e40", + "_score" : 1.0, + "_source" : { + "agent" : { + "id" : "006", + "name" : "Cent_Stream", + "version" : "v4.13.0" + }, + "package" : { + "architecture" : "x86_64", + "description" : "This package contains the shared library for sqlite.", + "installed" : "2025-06-30T19:30:06.000Z", + "name" : "sqlite-libs", + "size" : 1368872, + "type" : "rpm", + "vendor" : "CentOS", + "version" : "3.34.1-8.el9" + }, + "wazuh" : { + "cluster" : { + "name" : "wazuh-VMware-Virtual-Platform" + }, + "schema" : { + "version" : "1.0" + } + } + } + }, + { + "_index" : 
"wazuh-states-inventory-packages-wazuh-vmware-virtual-platform", + "_id" : "006_0480a23ae60e573ec6b243b3a6068723fda63ee2", + "_score" : 1.0, + "_source" : { + "agent" : { + "id" : "006", + "name" : "Cent_Stream", + "version" : "v4.13.0" + }, + "package" : { + "architecture" : "x86_64", + "description" : "Cheese is a Photobooth-inspired GNOME application for taking pictures and\nvideos from a webcam. It can also apply fancy graphical effects.", + "installed" : "2025-06-30T19:19:07.000Z", + "name" : "cheese", + "size" : 378533, + "type" : "rpm", + "vendor" : "CentOS", + "version" : "2:3.38.0-6.el9" + }, + "wazuh" : { + "cluster" : { + "name" : "wazuh-VMware-Virtual-Platform" + }, + "schema" : { + "version" : "1.0" + } + } + } + }, + { + "_index" : "wazuh-states-inventory-packages-wazuh-vmware-virtual-platform", + "_id" : "006_048923b45c38753ce27dc4346d16612a6e9fa6bc", + "_score" : 1.0, + "_source" : { + "agent" : { + "id" : "006", + "name" : "Cent_Stream", + "version" : "v4.13.0" + }, + "package" : { + "architecture" : "x86_64", + "description" : "The filesystem package is one of the basic packages that is installed\non a Linux system. Filesystem contains the basic directory layout\nfor a Linux operating system, including the correct permissions for\nthe directories.", + "installed" : "2025-06-30T19:30:05.000Z", + "name" : "filesystem", + "size" : 106, + "type" : "rpm", + "vendor" : "CentOS", + "version" : "3.16-5.el9" + }, + "wazuh" : { + "cluster" : { + "name" : "wazuh-VMware-Virtual-Platform" + }, + "schema" : { + "version" : "1.0" + } + } + } + }, + { + "_index" : "wazuh-states-inventory-packages-wazuh-vmware-virtual-platform", + "_id" : "006_04c8813e7928463fee47e0006c90e16e5d924ca6", + "_score" : 1.0, + "_source" : { + "agent" : { + "id" : "006", + "name" : "Cent_Stream", + "version" : "v4.13.0" + }, + "package" : { + "architecture" : "x86_64", + "description" : "The POSIX module permits you to access all (or nearly all) the standard POSIX\n1003.1 identifiers. 
Many of these identifiers have been given Perl interfaces.", + "installed" : "2025-07-17T14:42:06.000Z", + "name" : "perl-POSIX", + "size" : 240020, + "type" : "rpm", + "vendor" : "CentOS", + "version" : "1.94-483.el9" + }, + "wazuh" : { + "cluster" : { + "name" : "wazuh-VMware-Virtual-Platform" + }, + "schema" : { + "version" : "1.0" + } + } + } + }, + { + "_index" : "wazuh-states-inventory-packages-wazuh-vmware-virtual-platform", + "_id" : "006_0507d1d203a41466eddaf4e8ea773427f6137e4b", + "_score" : 1.0, + "_source" : { + "agent" : { + "id" : "006", + "name" : "Cent_Stream", + "version" : "v4.13.0" + }, + "package" : { + "architecture" : "x86_64", + "description" : "A library to handle bidirectional scripts (for example Hebrew, Arabic),\nso that the display is done in the proper way; while the text data itself\nis always written in logical order.", + "installed" : "2025-06-30T19:18:13.000Z", + "name" : "fribidi", + "size" : 347380, + "type" : "rpm", + "vendor" : "CentOS", + "version" : "1.0.10-6.el9.2" + }, + "wazuh" : { + "cluster" : { + "name" : "wazuh-VMware-Virtual-Platform" + }, + "schema" : { + "version" : "1.0" + } + } + } + }, + { + "_index" : "wazuh-states-inventory-packages-wazuh-vmware-virtual-platform", + "_id" : "006_050946eb0960e99615ecf95988f96aa67b278099", + "_score" : 1.0, + "_source" : { + "agent" : { + "id" : "006", + "name" : "Cent_Stream", + "version" : "v4.13.0" + }, + "package" : { + "architecture" : "x86_64", + "description" : "lxml is a Pythonic, mature binding for the libxml2 and libxslt libraries. 
It\nprovides safe and convenient access to these libraries using the ElementTree It\nextends the ElementTree API significantly to offer support for XPath, RelaxNG,\nXML Schema, XSLT, C14N and much more.To contact the project, go to the project\nhome page < or see our bug tracker at case you want to use the current ...\n\nPython 3 version.", + "installed" : "2025-06-30T19:18:20.000Z", + "name" : "python3-lxml", + "size" : 4351883, + "type" : "rpm", + "vendor" : "CentOS", + "version" : "4.6.5-3.el9" + }, + "wazuh" : { + "cluster" : { + "name" : "wazuh-VMware-Virtual-Platform" + }, + "schema" : { + "version" : "1.0" + } + } + } + }, + { + "_index" : "wazuh-states-inventory-packages-wazuh-vmware-virtual-platform", + "_id" : "006_054268e7568db7e74481fec3f76cabba9612d810", + "_score" : 1.0, + "_source" : { + "agent" : { + "id" : "006", + "name" : "Cent_Stream", + "version" : "v4.13.0" + }, + "package" : { + "architecture" : "noarch", + "description" : "Python3 bindings for firewalld.", + "installed" : "2025-06-30T19:30:16.000Z", + "name" : "python3-firewall", + "size" : 2193288, + "type" : "rpm", + "vendor" : "CentOS", + "version" : "1.3.4-9.el9" + }, + "wazuh" : { + "cluster" : { + "name" : "wazuh-VMware-Virtual-Platform" + }, + "schema" : { + "version" : "1.0" + } + } + } + } + ] + } + } -Using the Wazuh API -^^^^^^^^^^^^^^^^^^^ +#. You can query the system inventory index to look up specific details, such as whether a particular package is installed on any monitored endpoints. For example, the following command checks the package inventory for the presence of the ``wazuh-agent`` package. Replace ```` with the Wazuh indexer username and type the Wazuh indexer password when prompted: -You can query the Wazuh inventory data using the `Wazuh API `_, which retrieves nested data in JSON format. You can use the Wazuh API GUI on the dashboard or a command line tool like ``cURL`` to query the inventory database. + .. 
code-block:: bash -Wazuh API GUI -~~~~~~~~~~~~~ + curl -k -u "" "https://:9200/wazuh-states-inventory-packages-*/_search?pretty" \ + -H 'Content-Type: application/json' \ + -d '{ + "query": { + "term": { + "package.name": "wazuh-agent" + } + } + }' -On the Wazuh dashboard, navigate to **Server management** > **Dev Tools**. On the **Console**, type the following: + .. code-block:: none + :class: output + + { + "took" : 1, + "timed_out" : false, + "_shards" : { + "total" : 1, + "successful" : 1, + "skipped" : 0, + "failed" : 0 + }, + "hits" : { + "total" : { + "value" : 1, + "relation" : "eq" + }, + "max_score" : 6.9660244, + "hits" : [ + { + "_index" : "wazuh-states-inventory-packages-wazuh-vmware-virtual-platform", + "_id" : "006_1cdcea1b59fb2fd59b3de004d393bcbcfea352ee", + "_score" : 6.9660244, + "_source" : { + "agent" : { + "id" : "006", + "name" : "Cent_Stream", + "version" : "v4.13.0" + }, + "package" : { + "architecture" : "x86_64", + "description" : "Wazuh helps you to gain security visibility into your infrastructure by monitoring\nhosts at an operating system and application level. It provides the following capabilities:\nlog analysis, file integrity monitoring, intrusions detection and policy and compliance monitoring", + "installed" : "2025-09-12T18:04:48.000Z", + "name" : "wazuh-agent", + "size" : 31169915, + "type" : "rpm", + "vendor" : "Wazuh", + "version" : "4.13.0-1" + }, + "wazuh" : { + "cluster" : { + "name" : "wazuh-VMware-Virtual-Platform" + }, + "schema" : { + "version" : "1.0" + } + } + } + } + ] + } + } + +#. Furthermore, you can check whether a package is installed on a specific endpoint. In the command below, we check if the Wazuh agent is installed on a Windows endpoint. Replace ```` with the Wazuh indexer username, ```` with the name of the Wazuh endpoint, and type the Wazuh indexer password when prompted. + + .. 
code-block:: bash + + curl -k -u "" "https://:9200/wazuh-states-inventory-packages-*/_search?pretty" \ + -H 'Content-Type: application/json' \ + -d '{ + "query": { + "bool": { + "must": [ + { "term": { "agent.name": "Windows-11" }}, + { "match": { "package.name": "Wazuh Agent" }} + ] + } + } + }' + + .. code-block:: none + :class: output + + { + "took" : 2, + "timed_out" : false, + "_shards" : { + "total" : 1, + "successful" : 1, + "skipped" : 0, + "failed" : 0 + }, + "hits" : { + "total" : { + "value" : 1, + "relation" : "eq" + }, + "max_score" : 10.26218, + "hits" : [ + { + "_index" : "wazuh-states-inventory-packages-wazuh-vmware-virtual-platform", + "_id" : "005_717e026c55c0e6b98d7a00d73963ca70cba8609f", + "_score" : 10.26218, + "_source" : { + "agent" : { + "id" : "005", + "name" : "Windows-11", + "version" : "v4.13.0" + }, + "package" : { + "architecture" : "i686", + "name" : "Wazuh Agent", + "size" : 0, + "type" : "win", + "vendor" : "Wazuh", + "version" : "4.13.0" + }, + "wazuh" : { + "cluster" : { + "name" : "wazuh-VMware-Virtual-Platform" + }, + "schema" : { + "version" : "1.0" + } + } + } + } + ] + } + } + +Using the Wazuh server API +^^^^^^^^^^^^^^^^^^^^^^^^^^ + +You can query the Wazuh inventory data using the `Wazuh server API `__, which retrieves nested data in JSON format. You can use the Wazuh server API GUI on the dashboard or a command-line tool like ``cURL`` to query the inventory database of a Wazuh agent. + +Wazuh server API GUI +~~~~~~~~~~~~~~~~~~~~ + +On the Wazuh dashboard, navigate to **Wazuh** > **Tools** > **API Console**. On the **Console**, type the following: .. code-block:: none 
@@ -151,46 +725,51 @@ Where ```` corresponds to the agent ID of the endpoint. The Wazuh dashboard will suggest a list of available tables that you can query via the API. .. thumbnail:: /images/manual/system-inventory/api-console.png - :title: Server management > Dev Tools - :alt: Server management > Dev Tools - :align: center - :width: 80% + :title: Server management > Dev Tools + :alt: Server management > Dev Tools + :align: center + :width: 80% -For example, you can use the command ``GET /syscollector//packages`` to query the inventory data for installed packages on the endpoint. After typing, click the play icon to run the query. +For example, you can use the command ``GET /syscollector//packages`` to query the inventory data for installed packages on the endpoint. After typing, click the **play** icon to run the query. -Furthermore, you can query the inventory data for specific information about any property. For example, the command below queries the package inventory to check for the ``wazuh-agent`` package: +Furthermore, you can query the inventory data for specific information about any property. For example, the command below queries the package inventory to check for the ``wazuh-agent`` package: .. code-block:: none - GET /syscollector//packages?pretty=true&name=wazuh-agent + GET /syscollector//packages?pretty=true&name=wazuh-agent -Where: +Where: -- ``packages`` reference the package table in the inventory database, which stores information about the currently installed software on an endpoint. You can reference the table of your interest. -- ``name=wazuh-agent`` specifies the ``wazuh-agent`` package name. You can use different properties and values. -- ``pretty=true`` ensures the output is properly formatted and easy to read. +- ``packages`` reference the package table in the inventory database, which stores information about the currently installed software on an endpoint. You can reference the table of your interest. 
+- ``name=wazuh-agent`` specifies the ``wazuh-agent`` package name. You can use different properties and values. +- ``pretty=true`` ensures the output is properly formatted and easy to read. .. thumbnail:: /images/manual/system-inventory/query-the-inventory-data.png - :title: Query the inventory data - :alt: Query the inventory data - :align: center - :width: 80% + :title: Query the inventory data + :alt: Query the inventory data + :align: center + :width: 80% .. _inventory_wazuh_api_curl: cURL ~~~~ -Follow the steps below to query the endpoint database from the command line using ``cURL``: +Follow the steps below to query the system inventory indices from the command line using ``cURL``: -- Generate a JSON Web Token (JWT) for authenticating to the Wazuh server by running the following command. The default API credentials are ``wazuh:wazuh``. Replace ```` with your Wazuh server IP address. +- Generate a JSON Web Token (JWT) for authenticating to the Wazuh server by running the following command. Enter the Wazuh server API password when prompted: .. code-block:: console - TOKEN=$(curl -u : -k -X GET "https://:55000/security/user/authenticate?raw=true") + TOKEN=$(curl -u -k -X GET "https://:55000/security/user/authenticate?raw=true") + + Where: + + - ```` is the Wazuh server API username. The default username is ``wazuh``. + - ```` is the Wazuh server IP address. Run the command ``echo $TOKEN`` to confirm that you successfully generated the token. The output should be like this: - + .. code-block:: console :class: output @@ -268,7 +847,7 @@ Follow the steps below to query the endpoint database from the command line usin "architecture": "amd64", "agent_id": "010" }, - … + … Furthermore, you can query the inventory data to find specific information about any property. For example, the command below queries the package inventory to check if the ``wazuh-agent`` package is present. 
@@ -328,7 +907,7 @@ Where ```` corresponds to the agent ID of the monitored endpoint. SQLite version 3.7.17 2013-05-20 00:56:22 Enter ".help" for instructions Enter SQL statements terminated with a ";" - sqlite> + sqlite> After connecting to the database, you can query the list of tables in it using the command below: @@ -339,14 +918,14 @@ After connecting to the database, you can query the list of tables in it using t .. code-block:: console :class: output - ciscat_results sca_scan_info sys_osinfo - fim_entry scan_info sys_ports - metadata sync_info sys_processes - pm_event sys_hotfixes sys_programs - sca_check sys_hwinfo vuln_cves - sca_check_compliance sys_netaddr vuln_metadata - sca_check_rules sys_netiface - sca_policy sys_netproto + ciscat_results sca_scan_info sys_osinfo + fim_entry scan_info sys_ports + metadata sync_info sys_processes + pm_event sys_hotfixes sys_programs + sca_check sys_hwinfo + sca_check_compliance sys_netaddr + sca_check_rules sys_netiface + sca_policy sys_netproto You can further query the tables for any information you are interested in. For example, if you want to know if a particular software is present on an endpoint, you can query the ``sys_programs`` table using ``sqlite>select * from sys_programs where name="";``. The command below checks whether the ``wazuh-agent`` program is present on a monitored Linux endpoint and shows the captured details:
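Review bot: In the first hunk, the second indexer query hardcodes `"agent.name": "Windows-11"` while the sentence above it tells the reader to replace a placeholder with the endpoint name; either put the placeholder in the query body or drop that instruction. The same hunk switches from `term` on `package.name` in the first query to `match` in the second without saying why: if `package.name` is mapped as text, `match` with `"Wazuh Agent"` also hits any package whose name contains either token, so use the same query type in both or add a sentence on the difference. Both commands pass `-k`, which disables TLS certificate verification; one line stating that and pointing to `--cacert` with the indexer CA as the alternative for production clusters would help readers who copy the command. Finally, the placeholders in `-u ""`, `https://:9200` and the `Wazuh server API `__ link target render empty in this view, so confirm the angle-bracket placeholder names and the URL survived in the source.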
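Review bot: In the `@@ -151,46 +725,51 @@` hunk the `:title:` and `:alt:` of `/images/manual/system-inventory/api-console.png` are only re-indented and still read `Server management > Dev Tools`, although the preceding hunk changes the navigation path to **Wazuh** > **Tools** > **API Console**; update both (and the screenshot if it shows the old menu). The rewritten cURL intro says the steps query "the system inventory indices", but the steps that follow authenticate to the Wazuh server API on port 55000 and call `/syscollector`, which reads the agent inventory through the server rather than the indexer indices; the original "endpoint database" wording, or "the agent inventory data through the Wazuh server API", is the accurate description. Also, the new `TOKEN=$(curl -u -k -X GET ...)` line shows no username placeholder between `-u` and `-k` in this view; if it is really absent, curl takes `-k` as the user name and keeps certificate verification on.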
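Review bot: In the `@@ -339,14 +918,14 @@` hunk, `vuln_cves` and `vuln_metadata` are dropped from the `.tables` listing while the rest of the captured output, including the `SQLite version 3.7.17 2013-05-20` banner in the previous hunk, is unchanged; confirm the listing against a fresh agent database on the target release instead of editing the old capture, and if the tables were removed in this release, say so in the text next to the listing.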