Update system inventory section

CHANGELOG.md

@@ -12,6 +12,7 @@ All notable changes to this project will be documented in this file.
 - **Post-release**: Updated the upgrade guide for Wazuh central components. ([#8934](https://github.com/wazuh/wazuh-documentation/pull/8934)) ([#8941](https://github.com/wazuh/wazuh-documentation/pull/8941)) ([#8944](https://github.com/wazuh/wazuh-documentation/pull/8944))
 - **Post-release**: Added indexer connector configuration steps to vulnerability detection documentation and removed troubleshooting section. ([#8942](https://github.com/wazuh/wazuh-documentation/pull/8942))
 - **Post-release**: Updated the *Navigating the Wazuh dashboard* section. ([#8950](https://github.com/wazuh/wazuh-documentation/pull/8950))
+- **Post-release**: Updated the System inventory documentation. ([#8955](https://github.com/wazuh/wazuh-documentation/pull/8955))
 
 ### Fixed
 

source/_static/js/redirects.js

@@ -69,12 +69,6 @@ removedUrls['x.y'] = [
 
 /* *** RELEASE 4.13 ****/
 
-removedUrls['4.13'] = [
-  '/user-manual/capabilities/vulnerability-detection/troubleshooting.html',
-  '/user-manual/capabilities/vulnerability-detection/FAQ.html',
-  '/user-manual/capabilities/vulnerability-detection/known-issues.html',
-];
-
 /* Pages added in 4.13 */
 
 newUrls['4.13'] = [
@@ -83,8 +77,17 @@ newUrls['4.13'] = [
   '/user-manual/wazuh-dashboard/global-queries.html',
   '/user-manual/capabilities/system-inventory/global-queries.html',
   '/user-manual/capabilities/file-integrity/global-queries.html',
+  '/user-manual/capabilities/system-inventory/use-cases.html',
 ]
 
+/* Pages no longer available in x.y (this is not required if there is a redirection for this url) */
+
+removedUrls['4.13'] = [
+  '/user-manual/capabilities/vulnerability-detection/troubleshooting.html',
+  '/user-manual/capabilities/vulnerability-detection/FAQ.html',
+  '/user-manual/capabilities/vulnerability-detection/known-issues.html',
+];
+
 /* *** RELEASE 4.12 ****/
 
 /* Pages added in 4.12 */

source/user-manual/capabilities/system-inventory/configuration.rst

@@ -6,6 +6,16 @@
 Configuration
 =============
 
+The Wazuh system inventory requires both Wazuh agent and Wazuh manager configurations to collect, process, and store system inventory data.
+
+.. contents::
+   :local:
+   :depth: 1
+   :backlinks: none
+
+Wazuh agent configuration
+-------------------------
+
 The Syscollector module is enabled by default on all endpoints where the Wazuh agent is installed. You can find the Syscollector configuration in the Wazuh agent configuration file at:
 
 - ``/var/ossec/etc/ossec.conf`` for Linux endpoints.
@@ -62,4 +72,105 @@ In Windows systems, you can use the ``<hotfixes>`` option. Check :ref:`wodle_sys
 
 .. note::
 
-   Restart the agent when you make any changes to the configuration file. This ensures that the changes take effect.
+   Restart the agent when you make any changes to the configuration file. This ensures that the changes take effect.
+
+Wazuh manager configuration
+---------------------------
+
+The Wazuh Inventory Harvester module on the Wazuh manager processes the collected system inventory data and forwards it to the Wazuh indexer using the :doc:`indexer connector </user-manual/reference/ossec-conf/indexer>` setting. The indexer connector setting is enabled by default in the ``/var/ossec/etc/ossec.conf`` file of the Wazuh manager.
+
+The indexer connector may be missing if the Wazuh manager is using an old configuration file or if vulnerability detection was disabled during installation. In such cases,  follow the steps below to add the indexer connector setting.
+
+#. Add the indexer connector configuration block below to the ``/var/ossec/etc/ossec.conf`` file on the Wazuh manager:
+
+   .. code-block:: xml
+
+      <indexer>
+        <enabled>yes</enabled>
+        <hosts>
+          <host>https://0.0.0.0:9200</host>
+        </hosts>
+        <ssl>
+          <certificate_authorities>
+            <ca>/etc/filebeat/certs/root-ca.pem</ca>
+          </certificate_authorities>
+          <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
+          <key>/etc/filebeat/certs/filebeat-key.pem</key>
+        </ssl>
+      </indexer>
+
+   Ensure:
+
+   -  The ``<hosts>`` section contains the IP address or hostname of your Wazuh indexer node. You can find this value in the Filebeat configuration file at ``/etc/filebeat/filebeat.yml``.
+   -  The ``<ca>``, ``<certificate>``, and ``<key>`` names match the files located in ``/etc/filebeat/certs/``.
+
+#. If you are running a Wazuh indexer cluster infrastructure, add a ``<hosts>`` entry for each one of your Wazuh indexer nodes. For example, in a two-node configuration:
+
+   .. code-block:: xml
+
+      <hosts>
+        <host>https://10.0.0.1:9200</host>
+        <host>https://10.0.0.2:9200</host>
+      </hosts>
+
+   The Wazuh server will prioritize reporting to the first Wazuh indexer node in the list and switch to the next available node if the first one becomes unavailable.
+
+#. Save the Wazuh indexer username and password into the Wazuh manager keystore using the :doc:`Wazuh-keystore </user-manual/reference/tools/wazuh-keystore>` tool:
+
+   .. code-block:: console
+
+      # echo '<WAZUH_INDEXER_USERNAME>' | /var/ossec/bin/wazuh-keystore -f indexer -k username
+      # echo '<WAZUH_INDEXER_PASSWORD>' | /var/ossec/bin/wazuh-keystore -f indexer -k password
+
+   If you have forgotten your Wazuh indexer password, refer to the :doc:`password management </user-manual/user-administration/password-management>` guide to reset it.
+
+#. Run the command below to verify the connection to the Wazuh indexer using the curl command from the Wazuh server. Enter the Wazuh indexer password when prompted:
+
+   .. code-block:: console
+
+      # curl --cacert <ROOT_CA> --cert <CERTIFICATE_PEM> --key <CERTIFICATE_KEY> -u <WAZUH_INDEXER_USER> -XGET https://<INDEXER_IP_ADDRESS>:9200/_cluster/health
+
+   Where:
+
+   -  ``<ROOT_CA>``, ``<CERTIFICATE_PEM>``, ``<CERTIFICATE_KEY>``: Certificate paths.
+   -  ``<USER>`` and ``<PASS>``: Admin username of the Wazuh indexer.
+   -  ``<WAZUH_INDEXER_IP_ADDRESS>``: IP address of the Wazuh indexer.
+
+   If this command fails, the vulnerability detector module won't be able to connect to the Wazuh indexer.
+
+   To check if the issue is related to certificates, bypass certificate verification using the -k option. Enter the Wazuh indexer password when prompted:
+
+   .. code-block:: console
+
+      # curl -k -u <WAZUH_INDEXER_USERNAME> -XGET https://<INDEXER_IP_ADDRESS>:9200/_cluster/health
+
+   A successful connection returns a result similar to the following:
+
+   .. code-block:: none
+      :class: output
+
+      {
+          "cluster_name": "opensearch",
+          "status": "green",
+          "timed_out": false,
+          "number_of_nodes": 1,
+          "number_of_data_nodes": 1,
+          "discovered_master": true,
+          "discovered_cluster_manager": true,
+          "active_primary_shards": 9,
+          "active_shards": 9,
+          "relocating_shards": 0,
+          "initializing_shards": 0,
+          "unassigned_shards": 0,
+          "delayed_unassigned_shards": 0,
+          "number_of_pending_tasks": 0,
+          "number_of_in_flight_fetch": 0,
+          "task_max_waiting_in_queue_millis": 0,
+          "active_shards_percent_as_number": 100.0
+      }
+
+#. Restart the Wazuh manager to apply the configuration:
+
+   .. code-block:: console
+
+      # sudo systemctl restart wazuh-manager

source/user-manual/capabilities/system-inventory/generating-system-inventory-reports.rst

@@ -1,40 +1,45 @@
 .. Copyright (C) 2015, Wazuh, Inc.
 
 .. meta::
-  :description: You can generate two types of reports from the Wazuh dashboard. Learn more about it in this section of the Wazuh documentation. 
+   :description: You can generate two types of reports from the Wazuh dashboard. Learn more about it in this section of the Wazuh documentation.
 
 Generating system inventory reports
 ===================================
 
-You can generate two types of reports from the Wazuh dashboard. These reports are the property-specific report and the endpoint inventory report. 
+You can generate two types of reports from the Wazuh dashboard. These reports are the IT Hygiene report and the property-specific report.
 
-Property-specific report
-------------------------
+IT Hygiene report
+-----------------
 
-This feature allows you to export ``CSV`` reports of a specific property of an endpoint. For example, you can generate a report of the installed software on an endpoint. 
+This feature allows you to export a summary of the properties collected by the Wazuh Syscollector module for a specific endpoint or all monitored endpoints. This report is generated in PDF format and can serve a variety of uses. To download the IT hygiene report:
 
-To download this report, click **Export formatted** within the specific property you are interested in on the **Inventory Data** page of the endpoint.
-
-.. thumbnail:: /images/manual/system-inventory/export-formatted.png
-  :title: Export formatted
-  :alt: Export formatted
-  :align: center
-  :width: 80%
+-  Click **Generate Report** in the **Dashboard** section of the **IT Hygiene** page.
 
-Endpoint inventory report
--------------------------
+   .. thumbnail:: /images/manual/system-inventory/generate-report.png
+      :title: Generate report
+      :alt: Generate report
+      :align: center
+      :width: 80%
 
-This feature allows you to export a full report of all endpoint properties collected by the Wazuh Syscollector module. This report is generated in PDF format and can serve a variety of uses. To download the full endpoint report:
+-  When the report is ready, click **Open report** to download it immediately, or go to **Dashboard Management** > **Reporting** to download it later.
 
-- Click **Generate report** on the **Inventory Data** page of the Wazuh agent.
+Property-specific report
+------------------------
 
-.. thumbnail:: /images/manual/system-inventory/generate-report.png
-  :title: Generate report
-  :alt: Generate report
-  :align: center
-  :width: 80%
+This feature allows you to export ``CSV`` reports of a specific property of an endpoint. For example, you can generate a report of the installed software on an endpoint. This kind of report is only available for system, software, processes, and network categories.
 
-- When the report is ready, navigate to **Dashboard management** > **Reporting** and download the report.
+To download this report, click **Export Formatted** in the **IT Hygiene** page for the specific property you are interested in. In the image below, we download the software inventory data for all monitored endpoints.
 
-.. Note::
-   Both report types cover the inventory for only the monitored endpoint of interest.
+.. thumbnail:: /images/manual/system-inventory/export-formatted.png
+   :title: Export formatted
+   :alt: Export formatted
+   :align: center
+   :width: 80%
+
+To streamline the report to a specific endpoint, click **Explore agent** and select an endpoint. In the image below, we download the software inventory data for a Windows 11 endpoint.
+
+.. thumbnail:: /images/manual/system-inventory/explore-agent.png
+   :title: Explore agent
+   :alt: Explore agent
+   :align: center
+   :width: 80%

source/user-manual/capabilities/system-inventory/how-it-works.rst

@@ -1,17 +1,15 @@
 .. Copyright (C) 2015, Wazuh, Inc.
 
 .. meta::
-  :description: The Wazuh agent uses the Syscollector module to gather relevant information from the monitored endpoint. Learn how Syscollector works in this section.
+   :description: The Wazuh agent uses the Syscollector module to gather relevant information from the monitored endpoint. Learn how Syscollector works in this section.
 
 How it works
 ============
 
-As mentioned above, the Wazuh agent uses the Syscollector module to gather relevant information from the monitored endpoint. Once the agent service starts on a monitored endpoint, the Syscollector module runs periodical scans and collects data on the system properties defined in your configuration. The data is first stored in a temporal local database on the endpoint. 
+The Wazuh agent uses the Syscollector module to gather relevant information from the monitored endpoint. Once the agent service starts on a monitored endpoint, the Syscollector module runs periodic scans and collects data on the system properties defined in your configuration. The data is first stored in a temporary local database on the endpoint.
 
-The agent forwards the newly collected data from its local database to the Wazuh server. Each agent uses a separate database on the Wazuh server. The Wazuh server updates the appropriate tables of the inventory database on the Wazuh server using the information the agent sends. For example, the Wazuh server stores hardware-related information in a table called ``sys_hwinfo``.
+The Wazuh agent then forwards the newly collected data from its local database to the Wazuh server. Each agent uses a separate database on the Wazuh server, which updates the appropriate tables of its inventory database using the received information. For example, the Wazuh server stores hardware-related information in a table called ``sys_hwinfo``.
 
-The Wazuh dashboard automatically displays the data stored in the inventory database. However, you can query the database using the Wazuh API or the ``SQLite`` tool. In addition, the :doc:`vulnerability detection </user-manual/capabilities/vulnerability-detection/index>` module uses :ref:`packages <syscollector_packages>` and :ref:`Windows updates <syscollector_hotfixes>` information in the inventory to detect vulnerable and patched software on monitored endpoints.
+The Wazuh Inventory Harvester module on the Wazuh manager processes this data, standardizes it using Wazuh Common Schemas (WCS), and forwards it to the Wazuh indexer, where it is stored as global state data. This global state data is organized under dedicated indices for each data type, allowing users to efficiently run targeted queries and generate visualizations directly from the Wazuh dashboard. For example, the packages inventory is indexed as ``wazuh-states-inventory-packages-*`` in the Wazuh indexer.
 
-
-
-
+You can query and visualize centralized system inventory data from all monitored endpoints in the IT Hygiene section on the Wazuh dashboard. In addition, you can query the system inventory data using the Wazuh indexer API, the Wazuh server API, or the ``SQLite`` tool. The :doc:`Vulnerability Detector </user-manual/capabilities/vulnerability-detection/index>` module uses :ref:`packages <syscollector_packages>` and :ref:`Windows updates <syscollector_hotfixes>` information in the inventory to detect vulnerable and patched software on monitored endpoints.

source/user-manual/capabilities/system-inventory/index.rst

@@ -27,4 +27,5 @@ Users can generate system inventory reports from the Wazuh dashboard, which can
       available-inventory-fields
       compatibility-matrix
       using-syscollector-information-to-trigger-alerts
-      osquery
+      osquery
+      use-cases

source/user-manual/capabilities/system-inventory/use-cases.rst

@@ -0,0 +1,60 @@
+.. Copyright (C) 2015, Wazuh, Inc.
+
+.. meta::
+   :description: The following use cases show practical applications of visualizing system inventory data for security operations on the Wazuh dashboard.
+
+Use cases
+=========
+
+The following use cases show practical applications of visualizing system inventory data for security operations on the Wazuh dashboard.
+
+Use case 1. Resource monitoring
+-------------------------------
+
+Monitor memory usage across all endpoints to assess system performance and find devices with low available memory.
+
+#. Navigate to the **Security operations** tab and select **IT Hygiene**.
+#. Select the **System** tab and then **Hardware**.
+#. Click **+ Add filter** and configure it as follows:
+
+   -  **Field**: ``host.memory.free``
+   -  **Operator**: ``exists``
+
+.. thumbnail:: /images/manual/system-inventory/use-case-resource-monitoring.png
+   :title: Resource monitoring
+   :alt: Resource monitoring
+   :align: center
+   :width: 80%
+
+Use case 2: Vulnerability management
+------------------------------------
+
+Identify all endpoints running a specific software package to assess vulnerability exposure. In this example, we identify all endpoints running a vulnerable version of ``systemd ( CVE-2025-4598)``.
+
+#. Click the **☰** icon and navigate to the **Security operations** tab and select **IT Hygiene**.
+#. Select the **Software** tab and then **Packages**.
+#. Click **+ Add filter** and configure it as follows:
+
+   -  **Field**: ``package.name``
+   -  **Operator**: ``is``
+   -  **Value** is ``systemd``
+
+   .. thumbnail:: /images/manual/system-inventory/use-case-it-hygiene-add-package-name.png
+      :title: Add package
+      :alt: Add package
+      :align: center
+      :width: 80%
+
+#. Click the **☰** icon at the top left corner and navigate to **Threat intelligence** and select **Vulnerability Detection**.
+#. Select the **Inventory** tab.
+#. Click **+ Add filter** and configure it as follows:
+
+   -  **Field**: ``package.name``
+   -  **Operator**: ``is``
+   -  **Value** is ``systemd``
+
+   .. thumbnail:: /images/manual/system-inventory/use-case-vd-add-package-name.png
+      :title: Add package name
+      :alt: Add package name
+      :align: center
+      :width: 80%