Hi,
Wazuh's Syscollector module only stores installed packages, so to find devices without a specific package you need two queries: one to get agents that have it, and another to identify those that don't.
Quick check via Dashboard
Go to Security Operations > IT Hygiene > Software and search for the package name (Sysmon or auditd). Agents not showing up there don't have it installed.
Programmatic approach via Dev Tools
Open the Wazuh dashboard Dev Tools and run the following queries.
Query 1 — Get agent IDs that have the package:
GET /wazuh-states-inventory-packages-*/_search
{
  "size": 0,
  "query": {
    "match": { "package.name": "Sysmon" }
  },
  "aggs": {
    "agents_with_package": {
      "terms": { "field": "agent.id", "size": 10000 }
    }
  }
}
Note the agent IDs returned in the buckets array.
Query 2 — Get all agents of the relevant OS, excluding the ones from Query 1:
GET /wazuh-states-inventory-system-*/_search
{
  "_source": ["agent.id", "agent.name", "os.name"],
  "size": 10000,
  "query": {
    "bool": {
      "filter": [
        { "term": { "os.platform": "windows" } }
      ],
      "must_not": [
        { "terms": { "agent.id": ["001", "002"] } }
      ]
    }
  }
}
Replace ["001", "002"] with the IDs from Query 1. The result is the list of Windows agents where Sysmon is not installed.
For auditd on Linux, change "package.name": "auditd" and "os.platform": "linux" accordingly.
To verify the exact field names available in your environment, run GET /wazuh-states-inventory-packages-*/_mapping and GET /wazuh-states-inventory-system-*/_mapping before querying.
References:
- System Inventory - Viewing system inventory data
- Available inventory fields
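As an added example (not part of the answer above or Wazuh's own tooling): a Python helper that builds the two query bodies, reads the agent IDs out of Query 1's buckets while refusing a truncated aggregation (the indexer reports leftovers in sum_other_doc_count), and computes the "platform minus agents that have the package" difference client-side as well, so the result does not depend on pasting IDs into must_not. The two responses are constructed samples shaped like indexer replies.

```python
import json

# Constructed sample responses, shaped like Wazuh indexer (OpenSearch) replies
# to the two Dev Tools queries in the answer (not real data).
PACKAGES_RESPONSE = {
    "aggregations": {"agents_with_package": {
        "sum_other_doc_count": 0,
        "buckets": [{"key": "001", "doc_count": 1}, {"key": "003", "doc_count": 1}],
    }}
}
SYSTEM_RESPONSE = {"hits": {"total": {"value": 3}, "hits": [
    {"_source": {"agent": {"id": "001", "name": "win-dc01"}, "os": {"name": "Windows Server 2022"}}},
    {"_source": {"agent": {"id": "002", "name": "win-ws02"}, "os": {"name": "Windows 11"}}},
    {"_source": {"agent": {"id": "003", "name": "win-ws03"}, "os": {"name": "Windows 10"}}},
]}}


def packages_query(package_name, size=10000):
    """Query 1 body: terms aggregation of agent.id over documents for the package."""
    return {"size": 0, "query": {"match": {"package.name": package_name}},
            "aggs": {"agents_with_package": {"terms": {"field": "agent.id", "size": size}}}}


def system_query(platform, exclude_ids=(), size=10000):
    """Query 2 body: every agent on the platform, minus the IDs found by Query 1."""
    body = {"_source": ["agent.id", "agent.name", "os.name"], "size": size,
            "query": {"bool": {"filter": [{"term": {"os.platform": platform}}]}}}
    if exclude_ids:
        body["query"]["bool"]["must_not"] = [{"terms": {"agent.id": sorted(exclude_ids)}}]
    return body


def agents_with_package(packages_resp):
    """Agent IDs from the buckets array; fail loudly if the aggregation was cut off."""
    agg = packages_resp["aggregations"]["agents_with_package"]
    if agg.get("sum_other_doc_count", 0):
        raise ValueError("terms aggregation truncated: raise 'size' or page the results")
    return {b["key"] for b in agg["buckets"]}


def agents_missing_package(system_resp, have_ids):
    """Client-side difference: system-inventory hits whose agent.id is not in have_ids."""
    missing = []
    for hit in system_resp["hits"]["hits"]:
        src = hit["_source"]
        if src["agent"]["id"] not in have_ids:
            missing.append((src["agent"]["id"], src["agent"]["name"], src["os"]["name"]))
    return sorted(missing)


if __name__ == "__main__":
    have = agents_with_package(PACKAGES_RESPONSE)
    print(json.dumps(system_query("windows", have), indent=2))
    print(agents_missing_package(SYSTEM_RESPONSE, have))
```

An agent whose Syscollector package scan has not run yet has no package documents at all and will also show up as missing; check its last package-inventory timestamp before treating it as unprotected.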