Need help with package inventory details for searching and alerting

[Tirtharaj Karbotkar]

Hi Team,

I need some help to fetch the following details from the package inventory.

1. I need to search for a specific package (for example "VLC") from the inventory and list all the agents/hosts with "VLC" package installed on it.

Currently, I tried with "/syscollector/<agent_id>/packages"  API but this won't satisfy my requirements as it will give me details about specific agents rather than a global search on all the agents.

2. I want to create an alert whenever any new package/software is installed on the remote host. 

I tried alerting the rule_id 18147 and 60612 for the Windows host but no luck.

3. I need to search and alert when any package with a specific name is found. For example, a package with the word "torrent" should create an alert.

Note: I have a few other alerts set log levels which are working fine.

Any help or reference to the relevant resources will be great.

[Damian Nicastro]

Hello @ Tirtharaj

I hope you are fine.

1. Global queries to the SysCollector module are still not supporter in Wazuh. However, you can try the Experimental module of the Wazuh API and do:

GET  /experimental/syscollector/packages

For more information, please check the Wazuh API manual:

API reference · Wazuh documentation

2. The rule 60612 will trigger every time the Windows events 11707 or 1033 are generated in Windows. If your application installation generated another event, you can create a custom rule overwritting this one like this:
     # vi /var/ossec/etc/rules/win_packages_custom.xml

        <group name="win_packages_custom",>

           <rule id="60612" level="3" overwrite="yes">
                <if_sid>60609</if_sid>
                <field name="win.system.eventID">^11707$|^1033$</field>
                <options>no_full_log</options>
               <description>Application installed $(win.eventdata.data).</description>
           </rule>
       </group>

  

Please, don't forget to restart wazuh-manager when you create a new rule:

# systemctl restart wazuh-manager  

For more info about creating custom rules, please read:

  Custom rules and decoders - Ruleset · Wazuh documentation

3. In order to check the existence of a particular package in the system, you can create a custom rule like this:

     # vi /var/ossec/etc/rules/win_packages_custom.xml

        <group name="win_packages_custom",>

           <rule id="110000" level="6">
                <if_sid>221</if_sid>
                <field name="data.program.name">torrent</field>
                <options>no_full_log</options>
               <description>Application present $(data.program.name).</description>
           </rule>
       </group>

For more information about triggering alerts with "Syscollector":

Using Syscollector information to trigger alerts - System inventory (wazuh.com)

Note: This option is not available in Wazuh 4.2.x and 4.3.x versions

I hope this helps.

Thanks