The agent system inventory is stored in a SQLite database, by default at /var/ossec/queue/db/
For example:
[wazuh_testing]# sqlite3 /var/ossec/queue/db/000.db
SQLite version 3.26.0 2018-12-01 12:34:55
Enter ".help" for usage hints.
sqlite> .tables
ciscat_results sca_policy sys_netiface
fim_entry sca_scan_info sys_netproto
metadata scan_info sys_osinfo
pm_event sync_info sys_ports
sca_check sys_hotfixes sys_processes
sca_check_compliance sys_hwinfo sys_programs
sca_check_rules sys_netaddr vuln_metadata
sqlite> select * from sys_programs limit 2;
0|2021/02/22 11:37:33|rpm|NetworkManager||System Environment/Base|6893139|CentOS|Fri 04 Dec 2020 05:38:49 PM UTC|1:1.26.0-9.el8_3|x86_64|||Network connection manager and user applications||0|||80559f695b5e0e559b6d2a2f68e25f666802431c|f190437ab382991e8cfa946c436b3839817d2061
0|2021/02/22 11:37:33|rpm|NetworkManager-libnm||Development/Libraries|9464116|CentOS|Fri 04 Dec 2020 05:38:49 PM UTC|1:1.26.0-9.el8_3|x86_64|||Libraries for adding NetworkManager support to applications.||0|||aedd6523a9281f274ec91f820c0a668fa76e93e3|b5e463800dde2db010ca0ca27c30a93c9472f48a
sqlite> select * from sys_hwinfo;
0|2021/02/22 11:42:22|0|Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz|1|2209.0|992472|75208|93|64fb07a48c02ca64cd493e762403d215fc871bf7
You can make queries to this db using sqlite3.
Also, you can use the Wazuh API to make these queries; see https://documentation.wazuh.com/current/user-manual/api/reference.html#tag/Syscollector
For example:
TOKEN=$(curl -u wazuh:wazuh -k -X GET "https://localhost:55000/security/user/authenticate?raw=true")
curl -k -X GET "https://localhost:55000/syscollector/000/hardware" -H "Authorization: Bearer $TOKEN"
{"data": {"affected_items": [{"cpu": {"cores": 1, "mhz": 2209, "name": "Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz"}, "ram": {"free": 75208, "total": 992472, "usage": 93}, "scan": {"id": 0, "time": "2021-02-22T11:42:22Z"}, "board_serial": "0", "agent_id": "000"}], "total_affected_items": 1, "total_failed_items": 0, "failed_items": []}, "message": "All specified syscollector information was returned", "error": 0}
I hope this helps you, please do not hesitate to ask again if you have further questions.
Best regards.
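The inventory read described in the reply above, done from Python with the database opened read-only so a query can never alter it. This is an added example, not part of the original reply; the sample database and its column names are constructed assumptions standing in for /var/ossec/queue/db/000.db.

```python
import sqlite3
import tempfile
from pathlib import Path

def open_readonly(db_path):
    """Open an inventory database read-only so a query can never alter it."""
    conn = sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    conn.row_factory = sqlite3.Row
    return conn

def inventory(conn, table, wanted):
    """Return rows of `table` as dicts, limited to the wanted columns it has."""
    tables = [r["name"] for r in
              conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    if table not in tables:  # identifiers cannot be bound, so allow-list them
        raise ValueError(f"no such table: {table}")
    present = [r["name"] for r in conn.execute(f'PRAGMA table_info("{table}")')]
    cols = [c for c in wanted if c in present]
    if not cols:
        raise ValueError("none of the requested columns exist")
    quoted = ", ".join(f'"{c}"' for c in cols)
    return [dict(r) for r in conn.execute(f'SELECT {quoted} FROM "{table}"')]

def build_sample_db(path):
    """Constructed stand-in for 000.db; column names are assumed, not from the page."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE sys_programs (scan_id INTEGER, format TEXT, "
                 "name TEXT, version TEXT, architecture TEXT)")
    conn.executemany("INSERT INTO sys_programs VALUES (?, ?, ?, ?, ?)", [
        (0, "rpm", "NetworkManager", "1:1.26.0-9.el8_3", "x86_64"),
        (0, "rpm", "NetworkManager-libnm", "1:1.26.0-9.el8_3", "x86_64"),
    ])
    conn.commit()
    conn.close()

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        db = str(Path(tmp) / "000.db")
        build_sample_db(db)
        conn = open_readonly(db)
        try:
            return inventory(conn, "sys_programs", ["name", "version", "vendor"])
        finally:
            conn.close()

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Columns that the table does not have (here the requested "vendor") are skipped rather than raising, so the same call works across schema versions.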
Hello,
Just check the Wazuh API reference: https://documentation.wazuh.com/current/user-manual/api/reference.html
You can, for example, list all the agents with this query https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.agent_controller.get_agents
I’m not sure what you mean by your last question but, again, everything is in the API reference. If you mean getting agent information but only some fields, you need to use the select parameter. For example:
{protocol}://{host}:{port}/agents?select={os.name,os.version}
If you mean getting information collected by syscollector on the agents (ports open, services, hardware, installed packages…), you should check: https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.agent_controller.get_agents
Best regards,