Wazuh System Inventory - Asset Discovery and Tracking
The Syscollector module in Wazuh performs endpoint inventory - collecting data on hardware, the operating system, installed packages, network interfaces, open ports, running processes, and user accounts. This data is consumed by the Vulnerability Detector module to cross-reference installed software against known vulnerability databases, and it also supports IT infrastructure reporting. Syscollector operates on all supported platforms: Linux, Windows, and macOS.
Syscollector Configuration
The module is configured via the <wodle name="syscollector"> block in ossec.conf on the agent:
```xml
<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <scan_on_start>yes</scan_on_start>
  <hardware>yes</hardware>
  <os>yes</os>
  <network>yes</network>
  <packages>yes</packages>
  <ports all="no">yes</ports>
  <processes>yes</processes>
  <hotfixes>yes</hotfixes>
</wodle>
```
Configuration Parameters
| Parameter | Default | Description |
|---|---|---|
| disabled | no | Enable or disable the module (yes/no) |
| interval | 1h | Interval between scans (s/m/h/d) |
| scan_on_start | yes | Run scan on service startup (yes/no) |
| hardware | yes | Collect hardware data (yes/no) |
| os | yes | Collect operating system data (yes/no) |
| network | yes | Collect network configuration (yes/no) |
| packages | yes | Collect installed package data (yes/no) |
| ports | yes | Monitor open ports (yes/no) |
| processes | yes | Inventory running processes (yes/no) |
| hotfixes | yes | Check installed Windows updates (yes/no) |
| users | yes | Collect user account information (yes/no) |
| groups | yes | Collect group information (yes/no) |
| services | yes | Collect service data (yes/no) |
| browser_extensions | yes | Collect browser extension data (yes/no) |
The ports all Attribute
The <ports all="no">yes</ports> parameter controls which ports are included in the report:
- all="no" - only listening (LISTEN) ports
- all="yes" - all ports, including established connections
Data Synchronization
Syscollector synchronizes inventory data with the Wazuh manager. The max_eps parameter controls the transfer rate:
```xml
<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <synchronization>
    <max_eps>10</max_eps>
  </synchronization>
</wodle>
```
The max_eps (events per second) value limits the load on the communication channel between agent and manager. Allowed range: 0 - 1000000.
Collected Data Types
Hardware
- CPU model and manufacturer
- CPU core count
- RAM capacity (total and free)
- Motherboard serial number
- CPU clock speed
Operating System
- OS name and version
- Kernel version
- Architecture (x86_64, ARM)
- Hostname
- Uptime
- Build version
Installed Packages
- Package name and version
- Package architecture
- Vendor
- Description
- Installation date
- Package manager (apt, yum, pacman, MSI)
On Windows, additional data is collected from the registry for installed applications.
Network Interfaces
- Interface name
- IP addresses (IPv4 and IPv6)
- MAC address
- Subnet mask
- Default gateway
- MTU
- Interface state (up/down)
Open Ports
- Port number
- Protocol (TCP/UDP)
- Local and remote address
- Connection state
- PID of the associated process
Running Processes
- PID and PPID
- Process name
- Command line
- User
- CPU and memory consumption
- Priority (nice value)
Services
- Service name
- Status (running, stopped)
- Startup type (automatic, manual, disabled)
- Service process PID
Users and Groups
- Username and UID
- Home directory
- Login shell
- User groups
Windows Hotfixes
- KB update number
- Installation date
Browser Extensions
- Extension name
- Version
- Browser (Chrome, Firefox, Edge)
- Description
Inventory Dashboard
The Wazuh Dashboard provides an interface for viewing each agent’s inventory data. Data is organized in tabs:
- Overview - system summary information
- Hardware - hardware specifications
- Packages - list of installed packages
- Processes - running processes
- Ports - open ports
- Network - network interfaces
Access via: Wazuh Dashboard - Agents - (select agent) - Inventory data.
Inventory and Vulnerability Matching
Syscollector data serves as input for the Vulnerability Detector module. The matching process works as follows:
- Syscollector collects the list of installed packages and their versions
- Vulnerability Detector downloads vulnerability databases (NVD, RHEL, Ubuntu, Debian)
- Each package is matched against CVE entries
- When a vulnerable package is found, an alert is generated with a CVSS score
For the vulnerability detector to function correctly, package and OS data collection must be enabled:
```xml
<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <packages>yes</packages>
  <os>yes</os>
  <hotfixes>yes</hotfixes>
</wodle>
```
API Queries for Inventory Data
The Wazuh REST API provides endpoints for programmatic access to inventory data.
Retrieving OS Information
```shell
TOKEN=$(curl -sk -u wazuh-wui:password \
  -X POST "https://localhost:55000/security/user/authenticate?raw=true")
curl -sk -H "Authorization: Bearer $TOKEN" \
  "https://localhost:55000/syscollector/001/os" | jq '.data.affected_items[0]'
```
Retrieving Package List
```shell
curl -sk -H "Authorization: Bearer $TOKEN" \
  "https://localhost:55000/syscollector/001/packages?limit=10" \
  | jq '.data.affected_items[] | {name, version, architecture}'
```
Retrieving Open Ports
```shell
curl -sk -H "Authorization: Bearer $TOKEN" \
  "https://localhost:55000/syscollector/001/ports?state=listening" \
  | jq '.data.affected_items[] | {local_port: .local.port, protocol, pid}'
```
Retrieving Running Processes
```shell
curl -sk -H "Authorization: Bearer $TOKEN" \
  "https://localhost:55000/syscollector/001/processes?limit=20&sort=-resident_size" \
  | jq '.data.affected_items[] | {pid, name, cmd, resident_size}'
```
Retrieving Network Interfaces
```shell
curl -sk -H "Authorization: Bearer $TOKEN" \
  "https://localhost:55000/syscollector/001/netiface" \
  | jq '.data.affected_items[] | {name, mac, state, mtu}'
```
Retrieving Hardware Information
```shell
curl -sk -H "Authorization: Bearer $TOKEN" \
  "https://localhost:55000/syscollector/001/hardware" \
  | jq '.data.affected_items[0] | {cpu_name: .cpu.name, cpu_cores: .cpu.cores, ram_total: .ram.total}'
```
IT Hygiene Reports
Wazuh generates two report types based on inventory data:
- IT Hygiene Report - a comprehensive infrastructure status report covering all collected data types
- Property-Specific Report - a report for a specific data type (for example, only packages or only ports)
Reports are available through the Wazuh Dashboard and can be exported in CSV format.
More about vulnerability detection: Vulnerability Detection
Troubleshooting
Inventory Data Not Updating
- Verify <disabled> is set to no
- Confirm <interval> is not too large for your requirements
- Check /var/ossec/logs/ossec.log for Syscollector errors
- Verify the agent is connected to the manager with active status in the agent list
Packages Not Displayed
- Confirm <packages>yes</packages> is enabled in the configuration
- On Linux, verify the package manager (dpkg, rpm) is accessible
- Wait for a full scan cycle to complete (check <interval>)
High Load During Scanning
- Increase <interval> to reduce scan frequency
- Disable unnecessary data types (e.g., <browser_extensions>no</browser_extensions>)
- Reduce <max_eps> in the synchronization block
- Set <scan_on_start>no</scan_on_start> to prevent startup load spikes
API Returns Empty Data
- Confirm the agent has completed at least one scan
- Verify the agent ID in the request
- Confirm the JWT token has not expired
- Check that the requested data type is enabled in the agent configuration
More about components: Wazuh Components
More about use cases: Wazuh Use Cases