Closed chemamartinez closed 4 years ago
I installed the Windows agent from the vuln-windows branch, compiled the agent on Linux and generated the MSI installer on Windows from the related branch.
Example Syscollector configuration:
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>2m</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
</wodle>
Logs:
2019/10/03 16:38:26 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/03 16:38:28 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/03 16:40:26 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/03 16:40:30 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/03 16:42:26 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/03 16:42:28 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/03 16:44:26 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/03 16:44:27 wazuh-modulesd:syscollector: INFO: Evaluation finished.
As we can see, we get a log report every 2 minutes, as I specified in the configuration.
In /var/ossec/queue/db/Agent_ID.db we can consult the data:
root@Vela-PC:/var/ossec/queue/db# sqlite3 002.db
SQLite version 3.22.0 2018-01-22 18:45:57
Enter ".help" for usage hints.
sqlite> select * from sys_osinfo;
1499646275|2019/10/03 16:50:26|WIN-087251A1RP6|x86_64|Microsoft Windows Server 2019 Standard Evaluation|10.0.17763||10|0|17763||||6.2|1809
In this case, I consulted the agent's OS version. Two minutes later, the information has been updated:
sqlite> select * from sys_osinfo;
201478398|2019/10/03 16:52:27|WIN-087251A1RP6|x86_64|Microsoft Windows Server 2019 Standard Evaluation|10.0.17763||10|0|17763||||6.2|1809
Until two minutes pass, we won't see it updated:
590786551|2019/10/03 16:54:26|WIN-087251A1RP6|x86_64|Microsoft Windows Server 2019 Standard Evaluation|10.0.17763||10|0|17763||||6.2|1809
sqlite> select * from sys_osinfo;
590786551|2019/10/03 16:54:26|WIN-087251A1RP6|x86_64|Microsoft Windows Server 2019 Standard Evaluation|10.0.17763||10|0|17763||||6.2|1809
sqlite> select * from sys_osinfo;
590786551|2019/10/03 16:54:26|WIN-087251A1RP6|x86_64|Microsoft Windows Server 2019 Standard Evaluation|10.0.17763||10|0|17763||||6.2|1809
sqlite> select * from sys_osinfo;
742871911|2019/10/03 16:56:26|WIN-087251A1RP6|x86_64|Microsoft Windows Server 2019 Standard Evaluation|10.0.17763||10|0|17763||||6.2|1809
We are going to modify the syscollector configuration, changing the interval option to <interval>3m</interval>.
As expected, we get a log report on the agent's log every 3 minutes:
2019/10/03 17:10:35 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/03 17:10:39 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/03 17:13:35 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/03 17:13:38 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/03 17:16:35 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/03 17:16:37 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/03 17:19:35 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/03 17:19:37 wazuh-modulesd:syscollector: INFO: Evaluation finished.
Also, we get our tables updated every 3 minutes on our manager:
sqlite> select * from sys_osinfo;
88309208|2019/10/03 17:25:35|WIN-087251A1RP6|x86_64|Microsoft Windows Server 2019 Standard Evaluation|10.0.17763||10|0|17763||||6.2|1809
sqlite> select * from sys_osinfo;
491023145|2019/10/03 17:28:36|WIN-087251A1RP6|x86_64|Microsoft Windows Server 2019 Standard Evaluation|10.0.17763||10|0|17763||||6.2|1809
sqlite> select * from sys_osinfo;
1066222077|2019/10/03 17:31:35|WIN-087251A1RP6|x86_64|Microsoft Windows Server 2019 Standard Evaluation|10.0.17763||10|0|17763||||6.2|1809
If we configure an interval shorter than 1 minute, such as <interval>5s</interval>, we are effectively going to see a log report every 5 seconds:
2019/10/03 17:40:30 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/03 17:40:35 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/03 17:40:35 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/03 17:40:37 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/03 17:40:40 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/03 17:40:43 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/03 17:40:45 wazuh-modulesd:syscollector: INFO: Starting evaluation.
However, we are not going to be able to see our tables updated from the manager terminal because the database hasn't had enough time to "commit" the updates.
We can see it from the Wazuh API or by stopping and restarting the manager.
In short, it works as expected.
To do this test, my Windows agent belongs to the default group, so I edited the /var/ossec/shared/default/agent.conf file as follows:
<agent_config>
<wodle name="syscollector">
<disabled>no</disabled>
<interval>2m</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
</wodle>
</agent_config>
Actually, on the agent's ossec.conf, I have the interval option set to 1 hour.
First, I checked if the file had any error:
verify-agent-conf: Verifying [/var/ossec/etc/shared/default/agent.conf]
verify-agent-conf: OK
I also restarted the manager, to make the agent.conf file available to the agents more quickly. I verified that the agent was synchronized:
root@Vela-PC:/home/vela# /var/ossec/bin/agent_groups -S -i 001
Agent '001' is synchronized.
I restarted the agent:
root@Vela-PC:/home/vela# /var/ossec/bin/agent_control -R -u 001
Wazuh agent_control: Restarting agent: 001
The new Syscollector configuration is supposed to be updated; let's see if it worked:
Agent log report:
2019/10/04 09:05:12 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/04 09:05:16 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/04 09:07:12 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/04 09:07:14 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/04 09:09:12 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/04 09:09:13 wazuh-modulesd:syscollector: INFO: Evaluation finished.
Manager database query:
sqlite> select * from sys_osinfo;
2143634295|2019/10/04 09:05:14|WIN-087251A1RP6|x86_64|Microsoft Windows Server 2019 Standard Evaluation|10.0.17763||10|0|17763||||6.2|1809
sqlite> select * from sys_osinfo;
1866113568|2019/10/04 09:07:12|WIN-087251A1RP6|x86_64|Microsoft Windows Server 2019 Standard Evaluation|10.0.17763||10|0|17763||||6.2|1809
sqlite> select * from sys_osinfo;
491103323|2019/10/04 09:09:12|WIN-087251A1RP6|x86_64|Microsoft Windows Server 2019 Standard Evaluation|10.0.17763||10|0|17763||||6.2|1809
As we can see, previously we had a different Syscollector configuration, which has been updated remotely with the `agent.conf`.
---
It worked as expected.
---
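The report above verifies the interval by eyeballing the "Starting evaluation" timestamps. The following script is an added example, not Wazuh's own code: it parses those wazuh-modulesd log lines, computes the gap between consecutive scan starts and the duration of each scan, and checks the gaps against a configured `<interval>` value. The two log samples are copied from the report; `parse_interval` assumes the s/m/h/d suffixes and treats a bare number as seconds.

```python
"""Added example, not Wazuh's own code: measure the Syscollector scan cadence
from wazuh-modulesd log lines like the ones quoted in the report above."""
import re
from datetime import datetime

# Constructed samples copied from the report: the 2m run and the 5s run.
SAMPLE_LOG_2M = """\
2019/10/03 16:38:26 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/03 16:38:28 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/03 16:40:26 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/03 16:40:30 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/03 16:42:26 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/03 16:42:28 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/03 16:44:26 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/03 16:44:27 wazuh-modulesd:syscollector: INFO: Evaluation finished.
"""
SAMPLE_LOG_5S = """\
2019/10/03 17:40:30 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/03 17:40:35 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/03 17:40:35 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/03 17:40:37 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/03 17:40:40 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/03 17:40:43 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/03 17:40:45 wazuh-modulesd:syscollector: INFO: Starting evaluation.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"wazuh-modulesd:syscollector: INFO: "
    r"(?P<msg>Starting evaluation|Evaluation finished)\.$"
)
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_interval(value):
    """Convert an <interval> value such as '2m' or '5s' to seconds.
    Assumption: a bare number without a suffix is taken as seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"unrecognised interval: {value!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2) or "s"]


def parse_events(text):
    """Return a list of (timestamp, is_start) for each start/finish line;
    unrelated log lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
            events.append((ts, m.group("msg") == "Starting evaluation"))
    return events


def scan_stats(text):
    """Return (start-to-start gaps in seconds, scan durations in seconds).
    A trailing start with no matching finish (scan still running) yields no duration."""
    events = parse_events(text)
    starts = [ts for ts, is_start in events if is_start]
    cadence = [int((b - a).total_seconds()) for a, b in zip(starts, starts[1:])]
    durations, open_start = [], None
    for ts, is_start in events:
        if is_start:
            open_start = ts
        elif open_start is not None:
            durations.append(int((ts - open_start).total_seconds()))
            open_start = None
    return cadence, durations


def check_interval(text, interval, tolerance=1):
    """True when every observed gap between scan starts matches the configured
    interval within `tolerance` seconds."""
    expected = parse_interval(interval)
    cadence, _ = scan_stats(text)
    return bool(cadence) and all(abs(gap - expected) <= tolerance for gap in cadence)


if __name__ == "__main__":
    for label, text in (("2m", SAMPLE_LOG_2M), ("5s", SAMPLE_LOG_5S)):
        gaps, durations = scan_stats(text)
        print(label, "gaps:", gaps, "durations:", durations, "ok:", check_interval(text, label))
```

Run against an agent's ossec.log, the script reports whether the scheduler kept the configured cadence; in the 5s sample the gaps stay at 5 seconds measured start to start even when a scan itself took the full 5 seconds, which is why the "Starting evaluation" timestamps, not the "Evaluation finished" ones, are the right thing to compare.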
sqlite> select * from sys_osinfo;
1866242968|2019/10/04 08:17:41|WIN-087251A1RP6|x86_64|Microsoft Windows Server 2019 Standard Evaluation|10.0.17763||10|0|17763||||6.2|1809
sqlite> select * from sys_hwinfo;
1451099873|2019/10/04 08:17:41|0|Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz|1|2195.0|2096692|1111604|46
sqlite> select * from sys_programs;
307247529|2019/10/04 12:13:53|win|Oracle VM VirtualBox Guest Additions 5.2.32||||Oracle Corporation||5.2.32.0|x86_64|||||0||
307247529|2019/10/04 12:13:53|win|WiX Toolset v3.11 X64||||.NET Foundation|20191003|3.11.4516|x86_64|||||0||
307247529|2019/10/04 12:13:53|win|WiX Toolset v3.11 Native 2015 SDK||||.NET Foundation|20191003|3.11.4516|i686|||||0||
307247529|2019/10/04 12:13:53|win|Wazuh Agent||||Wazuh, Inc.|20191004|3.11.0|i686|||||||
307247529|2019/10/04 12:13:53|win|WiX Toolset v3.11 Native 2013 SDK||||.NET Foundation|20191003|3.11.4516|i686|||||0||
307247529|2019/10/04 12:13:53|win|WiX Toolset v3.11 Core||||.NET Foundation|20191003|3.11.4516|i686|||||0||
307247529|2019/10/04 12:13:53|win|WiX Toolset v3.11.2.4516||||.NET Foundation||3.11.2.4516|i686|||||0||
307247529|2019/10/04 12:13:53|win|WiX Toolset v3.11 Managed SDK||||.NET Foundation|20191003|3.11.4516|i686|||||0||
307247529|2019/10/04 12:13:53|win|WiX Toolset v3.11 Native 2012 SDK||||.NET Foundation|20191003|3.11.4516|i686|||||0||
307247529|2019/10/04 12:13:53|win|WiX Toolset v3.11 Native 2017 SDK||||.NET Foundation|20191003|3.11.4516|i686|||||0||
307247529|2019/10/04 12:13:53|win|WiX Toolset v3.11 Native 2010 SDK||||.NET Foundation|20191003|3.11.4516|i686|||||0||
sqlite> select * from sys_netiface;
1474284526|2019/10/04 08:17:41|Ethernet|Intel(R) PRO/1000 MT Desktop Adapter|ethernet|up|1500|08:00:27:7B:76:06|7351|17177|1039250|13320743|0|0|0|0
sqlite> select * from sys_ports;
33856924|2019/10/04 08:17:42|tcp|0.0.0.0|135|0.0.0.0|0||||listening|788|svchost.exe
33856924|2019/10/04 08:17:42|tcp|0.0.0.0|445|0.0.0.0|0||||listening|4|System
33856924|2019/10/04 08:17:42|tcp|0.0.0.0|5357|0.0.0.0|0||||listening|4|System
33856924|2019/10/04 08:17:42|tcp|0.0.0.0|5985|0.0.0.0|0||||listening|4|System
33856924|2019/10/04 08:17:42|tcp|0.0.0.0|47001|0.0.0.0|0||||listening|4|System
33856924|2019/10/04 08:17:42|tcp|0.0.0.0|49664|0.0.0.0|0||||listening|456|wininit.exe
33856924|2019/10/04 08:17:42|tcp|0.0.0.0|49665|0.0.0.0|0||||listening|584|lsass.exe
33856924|2019/10/04 08:17:42|tcp|0.0.0.0|49666|0.0.0.0|0||||listening|1000|svchost.exe
33856924|2019/10/04 08:17:42|tcp|0.0.0.0|49667|0.0.0.0|0||||listening|304|svchost.exe
33856924|2019/10/04 08:17:42|tcp|0.0.0.0|49668|0.0.0.0|0||||listening|1640|spoolsv.exe
33856924|2019/10/04 08:17:42|tcp|0.0.0.0|49669|0.0.0.0|0||||listening|576|services.exe
33856924|2019/10/04 08:17:42|tcp|10.0.2.15|139|0.0.0.0|0||||listening|4|System
33856924|2019/10/04 08:17:42|tcp6|::|135|::|0||||listening|788|svchost.exe
33856924|2019/10/04 08:17:42|tcp6|::|445|::|0||||listening|4|System
33856924|2019/10/04 08:17:42|tcp6|::|5357|::|0||||listening|4|System
33856924|2019/10/04 08:17:42|tcp6|::|5985|::|0||||listening|4|System
33856924|2019/10/04 08:17:42|tcp6|::|47001|::|0||||listening|4|System
33856924|2019/10/04 08:17:42|tcp6|::|49664|::|0||||listening|456|wininit.exe
33856924|2019/10/04 08:17:42|tcp6|::|49665|::|0||||listening|584|lsass.exe
33856924|2019/10/04 08:17:42|tcp6|::|49666|::|0||||listening|1000|svchost.exe
33856924|2019/10/04 08:17:42|tcp6|::|49667|::|0||||listening|304|svchost.exe
33856924|2019/10/04 08:17:42|tcp6|::|49668|::|0||||listening|1640|spoolsv.exe
33856924|2019/10/04 08:17:42|tcp6|::|49669|::|0||||listening|576|services.exe
sqlite> select * from sys_processes;
166122210|2019/10/04 08:17:42|0|System Idle Process||0|0|0|none|||||||||0|0|0|0|||||0|1|||
166122210|2019/10/04 08:17:42|4|System||0|0|0|none|||||||||8|0|0|0|||||0|93|||
166122210|2019/10/04 08:17:42|68|Registry||4|0|0||||||||||8|0|0|0|||||0|4|||
166122210|2019/10/04 08:17:42|280|smss.exe||4|0|0||||||||||11|0|0|0|||||0|2|||
166122210|2019/10/04 08:17:42|368|csrss.exe||360|0|0||||||||||13|0|0|0|||||0|11|||
166122210|2019/10/04 08:17:42|440|csrss.exe||432|0|0||||||||||13|0|0|0|||||0|10|||
166122210|2019/10/04 08:17:42|456|wininit.exe||360|0|0||||||||||13|0|0|0|||||0|1|||
166122210|2019/10/04 08:17:42|492|winlogon.exe||432|0|0|C:\Windows\System32\winlogon.exe|||||||||13|0|2494464|13635584|||||1|4|||
166122210|2019/10/04 08:17:42|576|services.exe||456|0|0||||||||||9|0|0|0|||||0|6|||
166122210|2019/10/04 08:17:42|584|lsass.exe||456|0|0|C:\Windows\System32\lsass.exe|||||||||9|0|6090752|21151744|||||0|7|||
166122210|2019/10/04 08:17:42|688|svchost.exe||576|0|0|C:\Windows\System32\svchost.exe|||||||||8|0|7348224|34500608|||||0|10|||
166122210|2019/10/04 08:17:42|712|fontdrvhost.exe||492|0|0|C:\Windows\System32\fontdrvhost.exe|||||||||8|0|1871872|6901760|||||1|5|||
166122210|2019/10/04 08:17:42|720|fontdrvhost.exe||456|0|0|C:\Windows\System32\fontdrvhost.exe|||||||||8|0|1454080|5009408|||||0|5|||
166122210|2019/10/04 08:17:42|788|svchost.exe||576|0|0|C:\Windows\System32\svchost.exe|||||||||8|0|4907008|16044032|||||0|8|||
166122210|2019/10/04 08:17:42|872|dwm.exe||492|0|0|C:\Windows\System32\dwm.exe|||||||||13|0|44105728|118587392|||||1|14|||
166122210|2019/10/04 08:17:42|976|svchost.exe||576|0|0|C:\Windows\System32\svchost.exe|||||||||8|0|13111296|35807232|||||0|19|||
166122210|2019/10/04 08:17:42|1000|svchost.exe||576|0|0|C:\Windows\System32\svchost.exe|||||||||8|0|14454784|39518208|||||0|16|||
166122210|2019/10/04 08:17:42|316|svchost.exe||576|0|0|C:\Windows\System32\svchost.exe|||||||||8|0|5603328|13004800|||||0|7|||
166122210|2019/10/04 08:17:42|860|svchost.exe||576|0|0|C:\Windows\System32\svchost.exe|||||||||8|0|7503872|31330304|||||0|18|||
166122210|2019/10/04 08:17:42|304|svchost.exe||576|4|2|C:\Windows\System32\svchost.exe|||||||||8|0|49082368|134283264|||||0|47|||
166122210|2019/10/04 08:17:42|1044|VBoxService.exe||576|0|0|C:\Windows\System32\VBoxService.exe|||||||||8|0|2293760|9895936|||||0|10|||
166122210|2019/10/04 08:17:42|1080|svchost.exe||576|0|0|C:\Windows\System32\svchost.exe|||||||||8|0|8626176|30289920|||||0|19|||
166122210|2019/10/04 08:17:42|1368|svchost.exe||576|0|0|C:\Windows\System32\svchost.exe|||||||||8|0|1925120|9744384|||||0|4|||
166122210|2019/10/04 08:17:42|1432|svchost.exe||576|0|0|C:\Windows\System32\svchost.exe|||||||||8|0|7958528|24629248|||||0|13|||
166122210|2019/10/04 08:17:42|1640|spoolsv.exe||576|0|0|C:\Windows\System32\spoolsv.exe|||||||||8|0|5820416|22085632|||||0|6|||
166122210|2019/10/04 08:17:42|1660|svchost.exe||576|0|0|C:\Windows\System32\svchost.exe|||||||||8|0|2744320|12341248|||||0|4|||
166122210|2019/10/04 08:17:42|1728|svchost.exe||576|0|0|C:\Windows\System32\svchost.exe|||||||||8|0|12083200|39694336|||||0|12|||
166122210|2019/10/04 08:17:42|1812|svchost.exe||576|0|0|C:\Windows\System32\svchost.exe|||||||||8|0|1847296|9441280|||||0|4|||
166122210|2019/10/04 08:17:42|1860|wlms.exe||576|0|0|C:\Windows\System32\wlms\wlms.exe|||||||||8|0|724992|3809280|||||0|2|||
166122210|2019/10/04 08:17:42|1896|MsMpEng.exe||576|0|0||||||||||8|0|0|0|||||0|25|||
166122210|2019/10/04 08:17:42|1932|svchost.exe||576|0|0|C:\Windows\System32\svchost.exe|||||||||8|0|2236416|10395648|||||0|5|||
166122210|2019/10/04 08:17:42|2420|NisSrv.exe||576|0|0||||||||||8|0|0|0|||||0|6|||
166122210|2019/10/04 08:17:42|2632|svchost.exe||576|0|0|C:\Windows\System32\svchost.exe|||||||||8|0|5349376|20664320|||||0|5|||
166122210|2019/10/04 08:17:42|2676|sihost.exe||304|0|0|C:\Windows\System32\sihost.exe|||||||||8|0|5083136|29970432|||||1|8|||
166122210|2019/10/04 08:17:42|2716|svchost.exe||576|0|0|C:\Windows\System32\svchost.exe|||||||||8|0|7438336|42061824|||||1|5|||
166122210|2019/10/04 08:17:42|2736|taskhostw.exe||304|0|0|C:\Windows\System32\taskhostw.exe|||||||||8|0|4300800|17108992|||||1|4|||
166122210|2019/10/04 08:17:42|2908|ctfmon.exe||976|0|0|C:\Windows\System32\ctfmon.exe|||||||||13|0|4534272|20557824|||||1|8|||
166122210|2019/10/04 08:17:42|384|explorer.exe||3068|4|6|C:\Windows\explorer.exe|||||||||8|0|39829504|151351296|||||1|58|||
166122210|2019/10/04 08:17:42|2560|ShellExperienceHost.exe||688|0|0|C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe|||||||||8|0|21655552|82788352|||||1|26|||
166122210|2019/10/04 08:17:42|1976|SearchUI.exe||688|2|0|C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe|||||||||8|0|79085568|158146560|||||1|35|||
166122210|2019/10/04 08:17:42|2312|RuntimeBroker.exe||688|0|0|C:\Windows\System32\RuntimeBroker.exe|||||||||8|0|3436544|17887232|||||1|2|||
166122210|2019/10/04 08:17:42|2628|RuntimeBroker.exe||688|0|0|C:\Windows\System32\RuntimeBroker.exe|||||||||8|0|7090176|30420992|||||1|5|||
166122210|2019/10/04 08:17:42|448|RuntimeBroker.exe||688|0|0|C:\Windows\System32\RuntimeBroker.exe|||||||||8|0|2408448|14897152|||||1|2|||
166122210|2019/10/04 08:17:42|1764|smartscreen.exe||688|0|0|C:\Windows\System32\smartscreen.exe|||||||||8|0|8073216|31313920|||||1|5|||
166122210|2019/10/04 08:17:42|3112|VBoxTray.exe||384|0|0|C:\Windows\System32\VBoxTray.exe|||||||||8|0|2592768|13602816|||||1|10|||
166122210|2019/10/04 08:17:42|3404|msdtc.exe||576|0|0|C:\Windows\System32\msdtc.exe|||||||||8|0|3141632|13385728|||||0|10|||
166122210|2019/10/04 08:17:42|2464|dllhost.exe||688|0|0|C:\Windows\System32\dllhost.exe|||||||||8|0|3379200|14958592|||||1|6|||
166122210|2019/10/04 08:17:42|2364|ApplicationFrameHost.exe||688|0|0|C:\Windows\System32\ApplicationFrameHost.exe|||||||||8|0|7135232|35409920|||||1|3|||
166122210|2019/10/04 08:17:42|2004|SystemSettings.exe||688|1|0|C:\Windows\ImmersiveControlPanel\SystemSettings.exe|||||||||8|0|21213184|95342592|||||1|21|||
166122210|2019/10/04 08:17:42|3368|WmiPrvSE.exe||688|0|0|C:\Windows\System32\wbem\WmiPrvSE.exe|||||||||8|0|2134016|10452992|||||0|4|||
166122210|2019/10/04 08:17:42|1576|win32ui.exe||3548|0|0|C:\Program Files (x86)\ossec-agent\win32ui.exe|||||||||8|0|2359296|13271040|||||1|3|||
166122210|2019/10/04 08:17:42|312|svchost.exe||576|0|0||||||||||8|0|0|0|||||0|9|||
166122210|2019/10/04 08:17:42|3876|ossec-agent.exe||576|0|0|C:\Program Files (x86)\ossec-agent\ossec-agent.exe|||||||||8|0|6942720|19132416|||||0|18|||
sqlite> select * from sys_hotfixes;
1317886166|2019/10/04 08:17:42|KB4489899
1317886166|2019/10/04 08:17:42|KB4470788
1317886166|2019/10/04 08:17:42|KB4483452
1317886166|2019/10/04 08:17:42|DotNetRollup
1317886166|2019/10/04 08:17:42|RollupFix
To do this test, I have installed Wazuh manager 3.7.
Wazuh v3.7.3 (Rev. 3728) Installation Script - http://www.wazuh.com
You are about to start the installation process of Wazuh.
You must have a C compiler pre-installed in your system.
- System: Linux Vela-PC 4.15.0-64-generic (linuxmint 19.2)
- User: root
- Host: Vela-PC
I had to install Wazuh agent 3.7 on Windows too.
Here, we can see the DB:
root@Vela-PC:/var/ossec/queue/db# ls -l --full-time
total 5020
-rw-r----- 1 ossec ossec 2256896 2019-10-04 11:05:59.698816866 +0200 000.db
-rw-r----- 1 ossec ossec 32768 2019-10-04 11:08:41.525487126 +0200 000.db-shm
-rw-r----- 1 ossec ossec 2517352 2019-10-04 11:08:41.349484258 +0200 000.db-wal
-rw-r----- 1 ossec ossec 147456 2019-10-04 11:13:02.621677721 +0200 001.db
-rw-r----- 1 ossec ossec 32768 2019-10-04 11:16:53.845309245 +0200 001.db-shm
-rw-r----- 1 ossec ossec 148352 2019-10-04 11:16:58.033374529 +0200 001.db-wal
srw-rw---- 1 ossec ossec 0 2019-10-04 11:06:00.770834794 +0200 wdb
Now I'm going to update the manager to the related branch and check if the DB is updated.
root@Vela-PC:/var/ossec/queue/db# ls
000.db 000.db-shm 000.db-wal 001.db 001.db-shm 001.db-wal wdb
root@Vela-PC:/var/ossec/queue/db# sqlite3 001.db
SQLite version 3.22.0 2018-01-22 18:45:57
Enter ".help" for usage hints.
sqlite> .tables
ciscat_results sca_policy sys_netproto
fim_entry sca_scan_info sys_osinfo
metadata scan_info sys_ports
pm_event sys_hotfixes sys_processes
sca_check sys_hwinfo sys_programs
sca_check_compliance sys_netaddr vuln_metadata
sca_check_rules sys_netiface
As we can see, we have the DB created and we have the vuln_metadata table in our agent's DB, which means that the DB has been updated correctly.
In the previous tests, we have seen how it works:
root@Vela-PC:/var/ossec/queue/db# /var/ossec/bin/agent_control -l
Wazuh agent_control. List of available agents:
ID: 000, Name: Vela-PC (server), IP: 127.0.0.1, Active/Local
ID: 001, Name: WIN-087251A1RP6, IP: 192.168.0.150, Active
List of agentless devices:
root@Vela-PC:/var/ossec/queue/db# ls
000.db 000.db-shm 000.db-wal 001.db 001.db-shm 001.db-wal wdb
We have our Windows agent, whose ID is 001, and we can see how the Syscollector info has been stored in the agent's DB (001.db, 001.db-shm, 001.db-wal).
sqlite> select scan_id from sys_hwinfo;
1561502522
sqlite> select scan_id from sys_hwinfo;
1962231651
As we can see, a new scan deletes the previous scan.
root@Vela-PC:/var/ossec/queue/db# ls
000.db 000.db-shm 000.db-wal 001.db 001.db-shm 001.db-wal wdb
root@Vela-PC:/var/ossec/queue/db# rm 001*
root@Vela-PC:/var/ossec/queue/db# ls
000.db 000.db-shm 000.db-wal wdb
root@Vela-PC:/var/ossec/queue/db# systemctl restart wazuh-manager
root@Vela-PC:/var/ossec/queue/db# ls
000.db 000.db-shm 000.db-wal 001.db 001.db-shm 001.db-wal wdb
root@Vela-PC:/var/ossec/queue/db# sqlite3 001.db
SQLite version 3.22.0 2018-01-22 18:45:57
Enter ".help" for usage hints.
sqlite> select * from sys_hwinfo;
769101749|2019/10/04 10:35:02|0|Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz|1|2195.0|2096692|1068284|49
As we can see, after removing the agent's DB and restarting the manager, the scan is received and the DB restored.
It worked as expected.
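The test above checks two properties of the agent DB by hand: that a new scan replaces the previous scan_id, and that the tables are refilled after the DB is recreated. The following script is an added example, not Wazuh's own code, that turns those checks into something a defender can run periodically against /var/ossec/queue/db/<ID>.db: it reads the newest scan_time per inventory table, flags tables that have missed more than a configurable number of intervals, and confirms each table holds a single scan_id. The in-memory database it builds is a constructed, reduced form of sys_osinfo and sys_hwinfo (the real tables carry more columns; only scan_id and scan_time are used), seeded with the sys_hwinfo row quoted above.

```python
"""Added example, not Wazuh's own code: freshness and single-scan checks on the
Syscollector tables of an agent DB such as /var/ossec/queue/db/001.db."""
import sqlite3
from datetime import datetime

SCAN_TIME_FMT = "%Y/%m/%d %H:%M:%S"
# Table names are interpolated into SQL, so they are allow-listed here and
# never taken from external input.
INVENTORY_TABLES = ("sys_osinfo", "sys_hwinfo")


def build_sample_db():
    """Constructed in-memory stand-in for an agent DB: a reduced schema seeded
    with the hwinfo row from the report and a matching osinfo row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sys_osinfo (scan_id INTEGER, scan_time TEXT, hostname TEXT, os_name TEXT);
        CREATE TABLE sys_hwinfo (scan_id INTEGER, scan_time TEXT, cpu_name TEXT, ram_total INTEGER);
    """)
    conn.execute("INSERT INTO sys_osinfo VALUES (?,?,?,?)",
                 (769101749, "2019/10/04 10:35:02", "WIN-087251A1RP6",
                  "Microsoft Windows Server 2019 Standard Evaluation"))
    conn.execute("INSERT INTO sys_hwinfo VALUES (?,?,?,?)",
                 (769101749, "2019/10/04 10:35:02",
                  "Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz", 2096692))
    conn.commit()
    return conn


def _checked(table):
    """Reject anything that is not one of the allow-listed inventory tables."""
    if table not in INVENTORY_TABLES:
        raise ValueError(f"not an inventory table: {table}")
    return table


def latest_scan(conn, table):
    """(scan_id, scan_time as datetime) of the newest row, or None if the table is empty.
    scan_time strings in this format sort chronologically, so ORDER BY works on them."""
    row = conn.execute(
        f"SELECT scan_id, scan_time FROM {_checked(table)} ORDER BY scan_time DESC LIMIT 1"
    ).fetchone()
    if row is None:
        return None
    return row[0], datetime.strptime(row[1], SCAN_TIME_FMT)


def scan_age_seconds(conn, table, now):
    """Seconds between the newest scan and `now` (a '%Y/%m/%d %H:%M:%S' string)."""
    latest = latest_scan(conn, table)
    if latest is None:
        return None
    return int((datetime.strptime(now, SCAN_TIME_FMT) - latest[1]).total_seconds())


def is_stale(conn, table, interval_seconds, now, missed_scans=2):
    """Stale when the table is empty or no scan has landed for more than
    `missed_scans` intervals. The report notes that very short intervals can
    lag the on-disk DB, so a single missed interval is not treated as a failure."""
    age = scan_age_seconds(conn, table, now)
    return age is None or age > missed_scans * interval_seconds


def single_scan_only(conn, table):
    """True when every row shares one scan_id, i.e. each scan replaced the
    previous one, which is what the report observed on sys_hwinfo."""
    n = conn.execute(f"SELECT COUNT(DISTINCT scan_id) FROM {_checked(table)}").fetchone()[0]
    return n == 1


def stale_tables(conn, interval_seconds, now):
    """Names of the inventory tables that fail the freshness check."""
    return [t for t in INVENTORY_TABLES if is_stale(conn, t, interval_seconds, now)]


if __name__ == "__main__":
    db = build_sample_db()
    print("stale at 10:36 (2m interval):", stale_tables(db, 120, "2019/10/04 10:36:00"))
    print("stale at 10:45 (2m interval):", stale_tables(db, 120, "2019/10/04 10:45:00"))
    print("single scan in sys_hwinfo:", single_scan_only(db, "sys_hwinfo"))
```

To run it against a real agent DB, replace `build_sample_db()` with `sqlite3.connect("file:/var/ossec/queue/db/001.db?mode=ro", uri=True)` and pass the current time; a table that stays stale while the agent is active is a sign the shared configuration did not reach the agent or the module is disabled.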
I installed the Windows agent from the vuln-windows branch, compiled the agent on Linux and generated the MSI installer on Windows from the related branch.
Example Syscollector configuration:
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>2m</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
</wodle>
Agent's logs:
2019/10/07 03:33:02 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/07 03:33:09 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/07 03:35:02 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/07 03:35:06 wazuh-modulesd:syscollector: INFO: Evaluation finished.
Querying the DB:
sqlite> select * from sys_osinfo;
5327162|2019/10/07 03:33:04|VELA-346A03F82A|i686|Microsoft Windows XP|5.1.2600||5|1|2600||||5.1
sqlite> select * from sys_osinfo;
206238926|2019/10/07 03:35:02|VELA-346A03F82A|i686|Microsoft Windows XP|5.1.2600||5|1|2600||||5.1
As we can see, we get the DB's tables updated every two minutes, as we have specified in the configuration.
We are going to modify the syscollector configuration, changing the interval option to
As expected, we get a log report on the agent's log every 3 minutes:
2019/10/07 03:48:36 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/07 03:48:40 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/07 03:51:36 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/07 03:51:42 wazuh-modulesd:syscollector: INFO: Evaluation finished.
Also, we get our tables updated every 3 minutes on our manager:
sqlite> select * from sys_osinfo;
998799179|2019/10/07 03:48:36|VELA-346A03F82A|i686|Microsoft Windows XP|5.1.2600||5|1|2600||||5.1
sqlite> select * from sys_osinfo;
190887807|2019/10/07 03:51:36|VELA-346A03F82A|i686|Microsoft Windows XP|5.1.2600||5|1|2600||||5.1
It works as expected. Interval option works well more than the very first time.
Actually, on the agent's ossec.conf, this is my syscollector configuration:
<!-- System inventory -->
<wodle name="syscollector">
<disabled>yes</disabled>
<interval>5m</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
</wodle>
Syscollector is disabled. Let's enable it from the manager and change the interval option from 5m to 2m.
agent.conf file configuration:
<wodle name="syscollector">
<disabled>no</disabled>
<interval>2m</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
</wodle>
The new Syscollector configuration is supposed to be updated; let's see if it worked. Agent's logs:
2019/10/07 03:57:32 wazuh-modulesd:syscollector: INFO: Module disabled. Exiting...
...
2019/10/07 04:02:52 wazuh-modulesd:syscollector: INFO: Module started.
2019/10/07 04:06:53 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/07 04:06:59 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/07 04:08:53 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/07 04:08:58 wazuh-modulesd:syscollector: INFO: Evaluation finished.
Querying the DB:
sqlite> select * from sys_osinfo;
181796598|2019/10/07 04:06:53|VELA-346A03F82A|i686|Microsoft Windows XP|5.1.2600||5|1|2600||||5.1
sqlite> select * from sys_osinfo;
122096704|2019/10/07 04:08:53|VELA-346A03F82A|i686|Microsoft Windows XP|5.1.2600||5|1|2600||||5.1
As we can see, we have enabled syscollector remotely via the shared conf. It works as expected.
Operating system:
sqlite> select * from sys_osinfo;
148033178|2019/10/07 04:10:53|VELA-346A03F82A|i686|Microsoft Windows XP|5.1.2600||5|1|2600||||5.1
Hardware:
sqlite> select * from sys_hwinfo;
162875094|2019/10/07 04:12:53|0|Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz|1|2195.0|523760|338412|35
Packages:
sqlite> select * from sys_programs;
1168856537|2019/10/07 04:12:53|win|Security Update for CAPICOM (KB931906)||||Microsoft Corporation||2.1.0.2|i686|||||0
1168856537|2019/10/07 04:12:53|win|Oracle VM VirtualBox Guest Additions 5.2.32||||Oracle Corporation||5.2.32.0|i686|||||0
1168856537|2019/10/07 04:12:53|win|Wazuh Agent||||Wazuh, Inc.|20191007|3.11.0|i686|||||0
1168856537|2019/10/07 04:12:53|win|WebFldrs XP||||Microsoft Corporation|20191004|9.50.7523|i686|||||0
Network interface:
sqlite> select * from sys_netiface;
999558218|2019/10/07 04:12:53|Local Area Connection|AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport|ethernet|up|1500|08:00:27:89:33:50|30904|4441|8562483|2036459|0|0|0|0
999558218|2019/10/07 04:12:53|Teredo Tunneling Pseudo-Interface|Teredo Tunneling Pseudo-Interface|tunnel|down|1280|FF:FF:FF:FF:FF:FF:FF:FF||||||||
999558218|2019/10/07 04:12:53|6to4 Pseudo-Interface|6to4 Pseudo-Interface|tunnel|up|1280|FF:FF:FF:FF||||||||
999558218|2019/10/07 04:12:53|Automatic Tunneling Pseudo-Interface|Automatic Tunneling Pseudo-Interface|tunnel|up|1280|0A:00:02:0F||||||||
Ports:
sqlite> select * from sys_ports;
295952037|2019/10/07 04:12:59|tcp|0.0.0.0|135|0.0.0.0|16469||||listening|760|svchost.exe
295952037|2019/10/07 04:12:59|tcp|0.0.0.0|445|0.0.0.0|12342||||listening|4|System
295952037|2019/10/07 04:12:59|tcp|10.0.2.15|139|0.0.0.0|49381||||listening|4|System
295952037|2019/10/07 04:12:59|tcp|127.0.0.1|1025|0.0.0.0|57443||||listening|1800|alg.exe
Processes:
sqlite> select * from sys_processes;
561513671|2019/10/07 04:14:57|0|System Idle Process||0|0|0|none|||||||||0|0|0|0|||||0|1|||
561513671|2019/10/07 04:14:57|4|System||0|0|0|none|||||||||8|0|0|0|||||0|54|||
561513671|2019/10/07 04:14:57|320|smss.exe||4|0|0|\Device\HarddiskVolume1\WINDOWS\system32\smss.exe|||||||||11|0|176128|614400|||||0|3|||
561513671|2019/10/07 04:14:57|416|csrss.exe||320|1|5|\Device\HarddiskVolume1\WINDOWS\system32\csrss.exe|||||||||13|0|1867776|6078464|||||0|12|||
561513671|2019/10/07 04:14:57|440|winlogon.exe||320|0|1|\Device\HarddiskVolume1\WINDOWS\system32\winlogon.exe|||||||||13|0|14491648|27881472|||||0|19|||
561513671|2019/10/07 04:14:57|484|services.exe||440|1|7|\Device\HarddiskVolume1\WINDOWS\system32\services.exe|||||||||9|0|9601024|23277568|||||0|21|||
561513671|2019/10/07 04:14:57|496|lsass.exe||440|0|0|\Device\HarddiskVolume1\WINDOWS\system32\lsass.exe|||||||||9|0|4198400|11337728|||||0|22|||
561513671|2019/10/07 04:14:57|644|VBoxService.exe||484|0|0|\Device\HarddiskVolume1\WINDOWS\system32\VBoxService.exe|||||||||8|0|1470464|5337088|||||0|8|||
561513671|2019/10/07 04:14:57|680|svchost.exe||484|0|0|\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe|||||||||8|0|3375104|8704000|||||0|20|||
561513671|2019/10/07 04:14:57|760|svchost.exe||484|0|0|\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe|||||||||8|0|2093056|7004160|||||0|11|||
561513671|2019/10/07 04:14:57|800|svchost.exe||484|1|7|\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe|||||||||8|0|14221312|39464960|||||0|77|||
561513671|2019/10/07 04:14:57|848|svchost.exe||484|0|0|\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe|||||||||8|0|1413120|5238784|||||0|4|||
561513671|2019/10/07 04:14:57|880|svchost.exe||484|0|0|\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe|||||||||8|0|1781760|6250496|||||0|12|||
561513671|2019/10/07 04:14:57|1156|explorer.exe||1136|4|10|\Device\HarddiskVolume1\WINDOWS\explorer.exe|||||||||8|0|19001344|47013888|||||0|14|||
561513671|2019/10/07 04:14:57|1264|spoolsv.exe||484|0|0|\Device\HarddiskVolume1\WINDOWS\system32\spoolsv.exe|||||||||8|0|3260416|8216576|||||0|10|||
561513671|2019/10/07 04:14:57|1336|svchost.exe||484|0|0|\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe|||||||||8|0|1482752|5554176|||||0|5|||
561513671|2019/10/07 04:14:57|1800|alg.exe||484|0|0|\Device\HarddiskVolume1\WINDOWS\system32\alg.exe|||||||||8|0|1310720|5197824|||||0|5|||
561513671|2019/10/07 04:14:57|1888|VBoxTray.exe||1156|0|0|\Device\HarddiskVolume1\WINDOWS\system32\VBoxTray.exe|||||||||8|0|1802240|6766592|||||0|11|||
561513671|2019/10/07 04:14:57|1896|ctfmon.exe||1156|0|0|\Device\HarddiskVolume1\WINDOWS\system32\ctfmon.exe|||||||||8|0|1081344|4829184|||||0|1|||
561513671|2019/10/07 04:14:57|156|wscntfy.exe||800|0|0|\Device\HarddiskVolume1\WINDOWS\system32\wscntfy.exe|||||||||8|0|708608|3403776|||||0|1|||
561513671|2019/10/07 04:14:57|2648|wuauclt.exe||800|0|0|\Device\HarddiskVolume1\WINDOWS\system32\wuauclt.exe|||||||||8|0|2379776|6733824|||||0|3|||
561513671|2019/10/07 04:14:57|3268|win32ui.exe||3216|0|0|\Device\HarddiskVolume1\Program Files\ossec-agent\win32ui.exe|||||||||8|0|1429504|5988352|||||0|1|||
561513671|2019/10/07 04:14:57|832|ossec-agent.exe||484|16|2|\Device\HarddiskVolume1\Program Files\ossec-agent\ossec-agent.exe|||||||||8|0|12701696|27680768|||||0|18|||
561513671|2019/10/07 04:14:57|788|notepad.exe||3268|0|0|\Device\HarddiskVolume1\WINDOWS\system32\notepad.exe|||||||||8|0|1482752|5996544|||||0|1|||
561513671|2019/10/07 04:14:57|2056|wmiprvse.exe||680|0|0|\Device\HarddiskVolume1\WINDOWS\system32\wbem\wmiprvse.exe|||||||||8|0|2691072|8912896|||||0|7|||
Hotfixes:
sqlite> select * from sys_hotfixes;
710525376|2019/10/07 23:30:50|KB2115168
710525376|2019/10/07 23:30:50|KB2124261
710525376|2019/10/07 23:30:50|KB2229593
710525376|2019/10/07 23:30:50|KB2264107
710525376|2019/10/07 23:30:50|KB2270406
710525376|2019/10/07 23:30:50|KB2290570
710525376|2019/10/07 23:30:50|KB2296011
710525376|2019/10/07 23:30:50|KB2345886
710525376|2019/10/07 23:30:50|KB2347290
710525376|2019/10/07 23:30:50|KB2378111_WM9
710525376|2019/10/07 23:30:50|KB2387149
710525376|2019/10/07 23:30:50|KB2393802
710525376|2019/10/07 23:30:50|KB2419632
710525376|2019/10/07 23:30:50|KB2423089
710525376|2019/10/07 23:30:50|KB2440591
710525376|2019/10/07 23:30:50|KB2443105
710525376|2019/10/07 23:30:50|KB2454533-v2
710525376|2019/10/07 23:30:50|KB2467659
710525376|2019/10/07 23:30:50|KB2478960
710525376|2019/10/07 23:30:50|KB2478971
710525376|2019/10/07 23:30:50|KB2479943
710525376|2019/10/07 23:30:50|KB2483185
710525376|2019/10/07 23:30:50|KB2485663
710525376|2019/10/07 23:30:50|KB2491683
710525376|2019/10/07 23:30:50|KB2492386
710525376|2019/10/07 23:30:50|KB2498072
710525376|2019/10/07 23:30:50|KB2508429
710525376|2019/10/07 23:30:50|KB2509553
710525376|2019/10/07 23:30:50|KB2510531-IE8
710525376|2019/10/07 23:30:50|KB2510581
710525376|2019/10/07 23:30:50|KB2535512
710525376|2019/10/07 23:30:50|KB2536276-v2
710525376|2019/10/07 23:30:50|KB2544893
710525376|2019/10/07 23:30:50|KB2544893-v2
710525376|2019/10/07 23:30:50|KB2564958
710525376|2019/10/07 23:30:50|KB2566454
710525376|2019/10/07 23:30:50|KB2570947
710525376|2019/10/07 23:30:50|KB2584146
710525376|2019/10/07 23:30:50|KB2584577
710525376|2019/10/07 23:30:50|KB2585542
710525376|2019/10/07 23:30:50|KB2592799
710525376|2019/10/07 23:30:50|KB2598479
710525376|2019/10/07 23:30:50|KB2598845-IE8
710525376|2019/10/07 23:30:50|KB2603381
710525376|2019/10/07 23:30:50|KB2619339
710525376|2019/10/07 23:30:50|KB2620712
710525376|2019/10/07 23:30:50|KB2629462
710525376|2019/10/07 23:30:50|KB2631813
710525376|2019/10/07 23:30:50|KB2632503-IE8
710525376|2019/10/07 23:30:50|KB2653956
710525376|2019/10/07 23:30:50|KB2655992
710525376|2019/10/07 23:30:50|KB2659262
710525376|2019/10/07 23:30:50|KB2661637
710525376|2019/10/07 23:30:50|KB2686509
710525376|2019/10/07 23:30:50|KB2691442
710525376|2019/10/07 23:30:50|KB2698365
710525376|2019/10/07 23:30:50|KB2705219-v2
710525376|2019/10/07 23:30:50|KB2712808
710525376|2019/10/07 23:30:50|KB2719985
710525376|2019/10/07 23:30:50|KB2723135-v2
710525376|2019/10/07 23:30:50|KB2727528
710525376|2019/10/07 23:30:50|KB2749655
710525376|2019/10/07 23:30:50|KB2757638
710525376|2019/10/07 23:30:50|KB2758857
710525376|2019/10/07 23:30:50|KB2770660
710525376|2019/10/07 23:30:50|KB2780091
710525376|2019/10/07 23:30:50|KB2802968
710525376|2019/10/07 23:30:50|KB2803821-v2
710525376|2019/10/07 23:30:50|KB2807986
710525376|2019/10/07 23:30:50|KB2808679
710525376|2019/10/07 23:30:50|KB2813347-v2
710525376|2019/10/07 23:30:50|KB2820917
710525376|2019/10/07 23:30:50|KB2828030
710525376|2019/10/07 23:30:50|KB2834886
710525376|2019/10/07 23:30:50|KB2836198
710525376|2019/10/07 23:30:50|KB2845187
710525376|2019/10/07 23:30:50|KB2847311
710525376|2019/10/07 23:30:50|KB2849470
710525376|2019/10/07 23:30:50|KB2850869
710525376|2019/10/07 23:30:50|KB2859537
710525376|2019/10/07 23:30:50|KB2862152
710525376|2019/10/07 23:30:50|KB2862330
710525376|2019/10/07 23:30:50|KB2862335
710525376|2019/10/07 23:30:50|KB2864063
710525376|2019/10/07 23:30:50|KB2868038
710525376|2019/10/07 23:30:50|KB2868626
710525376|2019/10/07 23:30:50|KB2876217
710525376|2019/10/07 23:30:50|KB2876331
710525376|2019/10/07 23:30:50|KB2883150
710525376|2019/10/07 23:30:50|KB2884256
710525376|2019/10/07 23:30:50|KB2888505
710525376|2019/10/07 23:30:50|KB2888505-IE8
710525376|2019/10/07 23:30:50|KB2890882
710525376|2019/10/07 23:30:50|KB2892734
710525376|2019/10/07 23:30:50|KB2900986
710525376|2019/10/07 23:30:50|KB898461
710525376|2019/10/07 23:30:50|KB909520
710525376|2019/10/07 23:30:50|KB916157-v6
710525376|2019/10/07 23:30:50|KB922120-v6
710525376|2019/10/07 23:30:50|KB932578
710525376|2019/10/07 23:30:50|KB932716-v2
710525376|2019/10/07 23:30:50|KB942213
710525376|2019/10/07 23:30:50|KB942288-v3
710525376|2019/10/07 23:30:50|KB943232-v2
710525376|2019/10/07 23:30:50|KB944043
710525376|2019/10/07 23:30:50|KB946648
710525376|2019/10/07 23:30:50|KB947460
710525376|2019/10/07 23:30:50|KB948046-v2
710525376|2019/10/07 23:30:50|KB948101
710525376|2019/10/07 23:30:50|KB948720
710525376|2019/10/07 23:30:50|KB949127
710525376|2019/10/07 23:30:50|KB949900
710525376|2019/10/07 23:30:50|KB950616
710525376|2019/10/07 23:30:50|KB950974
710525376|2019/10/07 23:30:50|KB951126
710525376|2019/10/07 23:30:50|KB951376
710525376|2019/10/07 23:30:50|KB951531
710525376|2019/10/07 23:30:50|KB951618-v2
710525376|2019/10/07 23:30:50|KB951624
710525376|2019/10/07 23:30:50|KB951709
710525376|2019/10/07 23:30:50|KB951978
710525376|2019/10/07 23:30:50|KB952004
710525376|2019/10/07 23:30:50|KB952011
710525376|2019/10/07 23:30:50|KB952069_WM9
710525376|2019/10/07 23:30:50|KB952954
710525376|2019/10/07 23:30:50|KB953024
710525376|2019/10/07 23:30:50|KB953028
710525376|2019/10/07 23:30:50|KB953155
710525376|2019/10/07 23:30:50|KB953609
710525376|2019/10/07 23:30:50|KB953761
710525376|2019/10/07 23:30:50|KB954155_WM9
710525376|2019/10/07 23:30:50|KB954193
710525376|2019/10/07 23:30:50|KB954232
710525376|2019/10/07 23:30:50|KB954708
710525376|2019/10/07 23:30:50|KB954920
710525376|2019/10/07 23:30:50|KB955109
710525376|2019/10/07 23:30:50|KB955356
710525376|2019/10/07 23:30:50|KB955417
710525376|2019/10/07 23:30:50|KB955567
710525376|2019/10/07 23:30:50|KB955576
710525376|2019/10/07 23:30:50|KB955704
710525376|2019/10/07 23:30:50|KB955830-v2
710525376|2019/10/07 23:30:50|KB955988
710525376|2019/10/07 23:30:50|KB956048
710525376|2019/10/07 23:30:50|KB956391
710525376|2019/10/07 23:30:50|KB956572
710525376|2019/10/07 23:30:50|KB956844
710525376|2019/10/07 23:30:50|KB957931
710525376|2019/10/07 23:30:50|KB958149
710525376|2019/10/07 23:30:50|KB958244
710525376|2019/10/07 23:30:50|KB958347
710525376|2019/10/07 23:30:50|KB958817
710525376|2019/10/07 23:30:50|KB959267
710525376|2019/10/07 23:30:50|KB959334
710525376|2019/10/07 23:30:50|KB959465
710525376|2019/10/07 23:30:50|KB960071
710525376|2019/10/07 23:30:50|KB960417
710525376|2019/10/07 23:30:50|KB960680
710525376|2019/10/07 23:30:50|KB960859
710525376|2019/10/07 23:30:50|KB961118
710525376|2019/10/07 23:30:50|KB961187-v2
710525376|2019/10/07 23:30:50|KB961451-v2
710525376|2019/10/07 23:30:50|KB961503
710525376|2019/10/07 23:30:50|KB961605
710525376|2019/10/07 23:30:50|KB961742-v3
710525376|2019/10/07 23:30:50|KB967048-v2
710525376|2019/10/07 23:30:50|KB967756
710525376|2019/10/07 23:30:50|KB968389
710525376|2019/10/07 23:30:50|KB969084
710525376|2019/10/07 23:30:50|KB969557
710525376|2019/10/07 23:30:50|KB970254
710525376|2019/10/07 23:30:50|KB970430
710525376|2019/10/07 23:30:50|KB970483
710525376|2019/10/07 23:30:50|KB970553
710525376|2019/10/07 23:30:50|KB971029
710525376|2019/10/07 23:30:50|KB971165
710525376|2019/10/07 23:30:50|KB971234-v2
710525376|2019/10/07 23:30:50|KB971314
710525376|2019/10/07 23:30:50|KB971345
710525376|2019/10/07 23:30:50|KB971657
710525376|2019/10/07 23:30:50|KB972270
710525376|2019/10/07 23:30:50|KB972422
710525376|2019/10/07 23:30:50|KB972435
710525376|2019/10/07 23:30:50|KB972878
710525376|2019/10/07 23:30:50|KB973502
710525376|2019/10/07 23:30:50|KB973507
710525376|2019/10/07 23:30:50|KB973540_WM9
710525376|2019/10/07 23:30:50|KB973624
710525376|2019/10/07 23:30:50|KB973815
710525376|2019/10/07 23:30:50|KB973869
710525376|2019/10/07 23:30:50|KB973904
710525376|2019/10/07 23:30:50|KB974112
710525376|2019/10/07 23:30:50|KB974266
710525376|2019/10/07 23:30:50|KB974318
710525376|2019/10/07 23:30:50|KB974571
710525376|2019/10/07 23:30:50|KB975025
710525376|2019/10/07 23:30:50|KB975467
710525376|2019/10/07 23:30:50|KB975558_WM8
710525376|2019/10/07 23:30:50|KB975560
710525376|2019/10/07 23:30:50|KB975713
710525376|2019/10/07 23:30:50|KB975791
710525376|2019/10/07 23:30:50|KB976002-v5
710525376|2019/10/07 23:30:50|KB976323
710525376|2019/10/07 23:30:50|KB977816
710525376|2019/10/07 23:30:50|KB977914
710525376|2019/10/07 23:30:50|KB978338
710525376|2019/10/07 23:30:50|KB978542
710525376|2019/10/07 23:30:50|KB978695_WM9
710525376|2019/10/07 23:30:50|KB978706
710525376|2019/10/07 23:30:50|KB978835
710525376|2019/10/07 23:30:50|KB979099
710525376|2019/10/07 23:30:50|KB979309
710525376|2019/10/07 23:30:50|KB979482
710525376|2019/10/07 23:30:50|KB979687
710525376|2019/10/07 23:30:50|KB981073-v3
710525376|2019/10/07 23:30:50|KB981997
710525376|2019/10/07 23:30:50|KB982132
710525376|2019/10/07 23:30:50|KB982316
710525376|2019/10/07 23:30:50|KB982665
710525376|2019/10/07 23:30:50|KB983234-v2
710525376|2019/10/07 23:30:50|Q147222
sqlite> .tables
ciscat_results pm_event sys_netaddr sys_osinfo sys_programs
fim_entry scan_info sys_netiface sys_ports
metadata sys_hwinfo sys_netproto sys_processes
In this version we don't have the vuln_metadata table in our DB.
Let's upgrade our manager and agent to the related branch version.
sqlite> .tables
ciscat_results sca_policy sys_netproto
fim_entry sca_scan_info sys_osinfo
metadata scan_info sys_ports
pm_event sys_hotfixes sys_processes
sca_check sys_hwinfo sys_programs
sca_check_compliance sys_netaddr vuln_metadata
sca_check_rules sys_netiface
Now we have vuln_metadata table, so the DB has been updated correctly.
root@Vela-PC:/var/ossec/queue/db# /var/ossec/bin/manage_agents -l
Available agents:
ID: 003, Name: vela-346a03f82a, IP: 192.168.0.99
root@Vela-PC:/var/ossec/queue/db# ls
000.db 000.db-shm 000.db-wal 003.db 003.db-shm 003.db-wal wdb
Syscollector info has been stored in 003.db, which is the DB of our agent.
sqlite> select scan_id from sys_ports;
970693641
970693641
970693641
970693641
970693641
sqlite> select scan_id from sys_ports;
1606040628
1606040628
1606040628
1606040628
1606040628
A new scan deletes the previous one.
root@Vela-PC:/var/ossec/queue/db# ls
000.db 000.db-shm 000.db-wal 003.db 003.db-shm 003.db-wal wdb
root@Vela-PC:/var/ossec/queue/db# rm 003.db*
root@Vela-PC:/var/ossec/queue/db# ls
000.db 000.db-shm 000.db-wal wdb
root@Vela-PC:/var/ossec/queue/db# systemctl restart wazuh-manager
root@Vela-PC:/var/ossec/queue/db# ls
000.db 000.db-shm 000.db-wal 003.db 003.db-shm 003.db-wal wdb
root@Vela-PC:/var/ossec/queue/db# sqlite3 003.db
SQLite version 3.22.0 2018-01-22 18:45:57
Enter ".help" for usage hints.
sqlite> select * from sys
sys_hotfixes sys_netaddr sys_netproto sys_ports sys_programs
sys_hwinfo sys_netiface sys_osinfo sys_processes sysname
sqlite> select * from sys_hwinfo;
481523585|2019/10/07 23:38:48|0|Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz|1|2194.0|523760|372588|28
The scan is received after deleting the agent's DB and restarting the manager.
Test worked as expected.
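An added example, not code from this thread or from the Wazuh project: a small Python checker over pasted `sqlite3` dumps like the ones above. It confirms that a table holds rows from exactly one scan_id (the previous scan was replaced rather than appended to), that the gap between two successive dumps matches the configured `<interval>`, and lists the listening ports found in sys_ports. The column positions are an assumption taken from the rows shown in the thread, and the sample dumps are constructed.

```python
"""Sanity checks over pasted `sqlite3 <agent>.db` table dumps.

Added example for this thread, not code from Wazuh. Column positions are an
assumption taken from the pipe-separated rows shown above: scan_id first,
scan_time second; for sys_ports the rest are protocol, local_ip, local_port,
remote_ip, remote_port, tx_queue, rx_queue, inode, state, pid, process.
"""
from datetime import datetime

TIME_FMT = "%Y/%m/%d %H:%M:%S"
INTERVAL_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# Constructed sample dumps, modelled on the sys_ports rows pasted in this thread.
PORTS_SCAN_1 = """
808165481|2019/10/08 11:23:19|tcp|0.0.0.0|135|0.0.0.0|33021||||listening|876|svchost.exe
808165481|2019/10/08 11:23:19|tcp|0.0.0.0|445|0.0.0.0|2048||||listening|4|System
808165481|2019/10/08 11:23:19|tcp6|::|445|::|63561||||listening|4|System
"""
PORTS_SCAN_2 = """
712453476|2019/10/08 11:25:19|tcp|0.0.0.0|135|0.0.0.0|33021||||listening|876|svchost.exe
712453476|2019/10/08 11:25:19|tcp|0.0.0.0|445|0.0.0.0|2048||||listening|4|System
712453476|2019/10/08 11:25:19|tcp6|::|445|::|63561||||listening|4|System
"""
# What the table would look like if a scan failed to replace the previous one.
STALE_MIX = PORTS_SCAN_1 + PORTS_SCAN_2


def parse_interval(value):
    """Turn a syscollector <interval> such as '2m' or '90s' into seconds."""
    value = value.strip()
    if value[-1] in INTERVAL_UNITS:
        return int(value[:-1]) * INTERVAL_UNITS[value[-1]]
    return int(value)  # a bare number is taken as seconds


def parse_rows(dump):
    """Split one pasted dump into rows of fields, skipping blank lines."""
    return [line.split("|") for line in dump.strip().splitlines() if line.strip()]


def scan_ids(rows):
    """Distinct scan_id values present in the rows, sorted."""
    return sorted({row[0] for row in rows})


def single_scan_id(rows):
    """The one scan_id a table should hold.

    Each Syscollector scan replaces the previous one, so a table with two
    scan_ids means stale rows were left behind.
    """
    ids = scan_ids(rows)
    if len(ids) != 1:
        raise ValueError("rows from %d scans in one table: %s" % (len(ids), ids))
    return ids[0]


def scan_gaps(dumps):
    """Seconds between the scan_time of consecutive dumps of the same table."""
    times = [datetime.strptime(parse_rows(d)[0][1], TIME_FMT) for d in dumps]
    return [int((later - earlier).total_seconds()) for earlier, later in zip(times, times[1:])]


def interval_respected(dumps, interval, tolerance=10):
    """True when every gap between dumps is the configured interval, +/- tolerance seconds."""
    expected = parse_interval(interval)
    return all(abs(gap - expected) <= tolerance for gap in scan_gaps(dumps))


def listening_ports(rows):
    """(protocol, local_port, process) for every row in state 'listening'."""
    return sorted((r[2], int(r[4]), r[12]) for r in rows if r[10] == "listening")


if __name__ == "__main__":
    print("scan_id:", single_scan_id(parse_rows(PORTS_SCAN_1)))
    print("gaps:", scan_gaps([PORTS_SCAN_1, PORTS_SCAN_2]))
    print("2m respected:", interval_respected([PORTS_SCAN_1, PORTS_SCAN_2], "2m"))
    print("listening:", listening_ports(parse_rows(PORTS_SCAN_2)))
    print("stale mix:", scan_ids(parse_rows(STALE_MIX)))
```

To use it against a real manager, pipe `sqlite3 /var/ossec/queue/db/<ID>.db "select * from sys_ports;"` into a string per scan and pass two or more dumps to `interval_respected`; the tolerance absorbs the few seconds an evaluation takes, visible in the log timestamps above.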
I installed the Windows agent from the vuln-windows branch, compiled the agent in Linux and generated the MSI installer in Windows from the related branch.
Example Syscollector configuration:
<wodle name="syscollector">
<disabled>no</disabled>
<interval>2m</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
</wodle>
Logs:
2019/10/08 10:49:43 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/08 10:49:44 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/08 10:51:43 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/08 10:51:46 wazuh-modulesd:syscollector: INFO: Evaluation finished.
DB:
sqlite> select * from sys_osinfo;
1664284770|2019/10/08 10:49:43|VELA-WS2003|i686|Microsoft Windows Server 2003|5.2.3790||5|2|3790||||5.2|sp1
sqlite> select * from sys_osinfo;
216318917|2019/10/08 10:51:43|VELA-WS2003|i686|Microsoft Windows Server 2003|5.2.3790||5|2|3790||||5.2|sp1
We are going to modify syscollector configuration changing interval option by
As expected, we get a log report on the agent's log every 3 minutes:
2019/10/08 11:00:06 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/08 11:00:07 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/08 11:03:06 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/08 11:03:07 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/08 11:06:06 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/08 11:06:07 wazuh-modulesd:syscollector: INFO: Evaluation finished.
Also, we get our tables updated every 3 minutes on our manager:
sqlite> select * from sys_osinfo;
79339549|2019/10/08 11:00:06|VELA-WS2003|i686|Microsoft Windows Server 2003|5.2.3790||5|2|3790||||5.2|sp1
sqlite> select * from sys_osinfo;
1153414919|2019/10/08 11:03:06|VELA-WS2003|i686|Microsoft Windows Server 2003|5.2.3790||5|2|3790||||5.2|sp1
sqlite> select * from sys_osinfo;
34495637|2019/10/08 11:06:06|VELA-WS2003|i686|Microsoft Windows Server 2003|5.2.3790||5|2|3790||||5.2|sp1
The interval option runs as expected beyond the very first time.
Actually, on the agent's ossec.conf, this is my syscollector configuration:
<wodle name="syscollector">
<disabled>yes</disabled>
<interval>3m</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
</wodle>
Syscollector is disabled. Let's enable it from the manager and change the interval option from 3m to 2m.
2019/10/08 11:10:45 wazuh-modulesd:syscollector: INFO: Module disabled. Exiting...
agent.conf file configuration:
<agent_config>
<!-- Shared agent configuration here -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>2m</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
</wodle>
</agent_config>
After restarting the agent from the manager:
2019/10/08 11:13:18 wazuh-modulesd:syscollector: INFO: Module started.
2019/10/08 11:15:19 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/08 11:15:21 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/08 11:17:19 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/08 11:17:20 wazuh-modulesd:syscollector: INFO: Evaluation finished.
sqlite> select * from sys_hwinfo;
572775596|2019/10/08 11:15:21|0|Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz|1|2195.0|523736|383576|26
sqlite> select * from sys_hwinfo;
712453476|2019/10/08 11:17:19|0|Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz|1|2195.0|523736|383028|26
As we can see, previously we had a different Syscollector configuration, which has been updated remotely through agent.conf.
It worked as expected.
Operating system:
sqlite> select * from sys_osinfo;
579758372|2019/10/08 11:23:19|VELA-WS2003|i686|Microsoft Windows Server 2003|5.2.3790||5|2|3790||||5.2|sp1
Hardware:
sqlite> select * from sys_hwinfo;
266409670|2019/10/08 11:23:19|0|Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz|1|2195.0|523736|383708|26
Packages:
sqlite> select * from sys_programs;
1875678664|2019/10/08 11:23:19|win|Oracle VM VirtualBox Guest Additions 5.2.32||||Oracle Corporation||5.2.32.0|i686|||||||
1875678664|2019/10/08 11:23:19|win|Wazuh Agent||||Wazuh, Inc.|20191008|3.11.0|i686|||||||
Network interface:
sqlite> select * from sys_netiface;
1591552450|2019/10/08 11:23:19|Conexión de área local|Adaptador de escritorio MT PRO/1000 de Intel®|ethernet|up|1500|08:00:27:4D:9C:62|20229|2496|5919083|942339|1|0|0|0
1591552450|2019/10/08 11:23:19|Teredo Tunneling Pseudo-Interface|Teredo Tunneling Pseudo-Interface|tunnel|down|1280|FF:FF:FF:FF:FF:FF:FF:FF||||||||
1591552450|2019/10/08 11:23:19|6to4 Pseudo-Interface|6to4 Pseudo-Interface|tunnel|up|1280|FF:FF:FF:FF||||||||
1591552450|2019/10/08 11:23:19|Automatic Tunneling Pseudo-Interface|Automatic Tunneling Pseudo-Interface|tunnel|up|1280|0A:00:02:0F||||||||
Ports:
sqlite> select * from sys_ports;
808165481|2019/10/08 11:23:19|tcp|0.0.0.0|135|0.0.0.0|33021||||listening|876|svchost.exe
808165481|2019/10/08 11:23:19|tcp|0.0.0.0|445|0.0.0.0|2048||||listening|4|System
808165481|2019/10/08 11:23:19|tcp|0.0.0.0|1025|0.0.0.0|28822||||listening|552|lsass.exe
808165481|2019/10/08 11:23:19|tcp|10.0.2.15|139|0.0.0.0|34962||||listening|4|System
808165481|2019/10/08 11:23:19|tcp6|::|445|::|63561||||listening|4|System
Processes:
sqlite> select * from sys_processes;
1216213495|2019/10/08 11:23:19|0|System Idle Process||0|0|0|none|||||||||0|0|0|0|||||0|1|||
1216213495|2019/10/08 11:23:19|4|System||0|0|0|none|||||||||8|0|0|0|||||0|62|||
1216213495|2019/10/08 11:23:19|356|smss.exe||4|0|0|\Device\HarddiskVolume1\WINDOWS\system32\smss.exe|||||||||11|0|147456|618496|||||0|3|||
1216213495|2019/10/08 11:23:19|472|csrss.exe||356|0|6|\Device\HarddiskVolume1\WINDOWS\system32\csrss.exe|||||||||13|0|1781760|6168576|||||0|13|||
1216213495|2019/10/08 11:23:19|496|winlogon.exe||356|0|0|\Device\HarddiskVolume1\WINDOWS\system32\winlogon.exe|||||||||13|0|6090752|8704000|||||0|17|||
1216213495|2019/10/08 11:23:19|540|services.exe||496|0|1|\Device\HarddiskVolume1\WINDOWS\system32\services.exe|||||||||9|0|9281536|16596992|||||0|21|||
1216213495|2019/10/08 11:23:19|552|lsass.exe||496|0|0|\Device\HarddiskVolume1\WINDOWS\system32\lsass.exe|||||||||9|0|6774784|13475840|||||0|33|||
1216213495|2019/10/08 11:23:19|752|VBoxService.exe||540|0|0|\Device\HarddiskVolume1\WINDOWS\system32\VBoxService.exe|||||||||8|0|1224704|4747264|||||0|8|||
1216213495|2019/10/08 11:23:19|800|svchost.exe||540|0|0|\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe|||||||||8|0|749568|3272704|||||0|5|||
1216213495|2019/10/08 11:23:19|876|svchost.exe||540|0|0|\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe|||||||||8|0|1146880|4366336|||||0|11|||
1216213495|2019/10/08 11:23:19|928|svchost.exe||540|0|0|\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe|||||||||8|0|5128192|11018240|||||0|12|||
1216213495|2019/10/08 11:23:19|972|svchost.exe||540|0|0|\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe|||||||||8|0|1015808|4075520|||||0|13|||
1216213495|2019/10/08 11:23:19|1008|svchost.exe||540|1|0|\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe|||||||||8|0|12029952|28991488|||||0|44|||
1216213495|2019/10/08 11:23:19|1440|spoolsv.exe||540|0|0|\Device\HarddiskVolume1\WINDOWS\system32\spoolsv.exe|||||||||8|0|3162112|7528448|||||0|13|||
1216213495|2019/10/08 11:23:19|1464|msdtc.exe||540|0|0|\Device\HarddiskVolume1\WINDOWS\system32\msdtc.exe|||||||||8|0|1490944|5332992|||||0|13|||
1216213495|2019/10/08 11:23:19|1588|svchost.exe||540|0|0|\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe|||||||||8|0|462848|2461696|||||0|2|||
1216213495|2019/10/08 11:23:19|1624|svchost.exe||540|0|0|\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe|||||||||8|0|266240|1597440|||||0|2|||
1216213495|2019/10/08 11:23:19|1944|svchost.exe||540|0|0|\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe|||||||||8|0|1404928|5255168|||||0|16|||
1216213495|2019/10/08 11:23:19|448|explorer.exe||432|0|1|\Device\HarddiskVolume1\WINDOWS\explorer.exe|||||||||8|0|10240000|29503488|||||0|12|||
1216213495|2019/10/08 11:23:19|924|VBoxTray.exe||448|0|0|\Device\HarddiskVolume1\WINDOWS\system32\VBoxTray.exe|||||||||8|0|995328|4591616|||||0|11|||
1216213495|2019/10/08 11:23:19|968|ctfmon.exe||448|0|0|\Device\HarddiskVolume1\WINDOWS\system32\ctfmon.exe|||||||||8|0|417792|2973696|||||0|1|||
1216213495|2019/10/08 11:23:19|1296|wmiprvse.exe||800|0|0|\Device\HarddiskVolume1\WINDOWS\system32\wbem\wmiprvse.exe|||||||||8|0|1601536|6643712|||||0|4|||
1216213495|2019/10/08 11:23:19|364|win32ui.exe||1940|0|0|\Device\HarddiskVolume1\Archivos de programa\ossec-agent\win32ui.exe|||||||||8|0|1118208|4698112|||||0|1|||
1216213495|2019/10/08 11:23:19|836|cmd.exe||448|0|0|\Device\HarddiskVolume1\WINDOWS\system32\cmd.exe|||||||||8|0|1454080|3153920|||||0|1|||
1216213495|2019/10/08 11:23:19|1656|wmiprvse.exe||800|0|0|\Device\HarddiskVolume1\WINDOWS\system32\wbem\wmiprvse.exe|||||||||8|0|1507328|6705152|||||0|7|||
1216213495|2019/10/08 11:23:19|2764|ossec-agent.exe||540|4|1|\Device\HarddiskVolume1\Archivos de programa\ossec-agent\ossec-agent.exe|||||||||8|0|11698176|24932352|||||0|19|||
Hotfixes:
sqlite> select * from sys_hotfixes;
1874783208|2019/10/08 11:25:19|Q147222
sqlite> .tables
ciscat_results pm_event sys_netaddr sys_osinfo sys_programs
fim_entry scan_info sys_netiface sys_ports
metadata sys_hwinfo sys_netproto sys_processes
In this version we don't have vuln_metadata table in our DB. Let's upgrade our manager and agent to the related branch version.
sqlite> .tables
ciscat_results sca_policy sys_netproto
fim_entry sca_scan_info sys_osinfo
metadata scan_info sys_ports
pm_event sys_hotfixes sys_processes
sca_check sys_hwinfo sys_programs
sca_check_compliance sys_netaddr vuln_metadata
sca_check_rules sys_netiface
Now we have vuln_metadata table, so the DB has been updated correctly.
root@Vela-PC:/var/ossec/queue/db# /var/ossec/bin/agent_control -l
Wazuh agent_control. List of available agents:
ID: 000, Name: Vela-PC (server), IP: 127.0.0.1, Active/Local
ID: 001, Name: vela-ws2003, IP: 192.168.0.99, Active
List of agentless devices:
root@Vela-PC:/var/ossec/queue/db# ls
000.db 000.db-shm 000.db-wal 001.db 001.db-shm 001.db-wal wdb
root@Vela-PC:/var/ossec/queue/db# sqlite3 001.db
SQLite version 3.22.0 2018-01-22 18:45:57
Enter ".help" for usage hints.
sqlite> select * from sys_hwinfo;
515554477|2019/10/08 11:31:19|0|Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz|1|2195.0|523736|381444|27
sqlite> select scan_id from sys_osinfo;
1331196117
sqlite> select scan_id from sys_osinfo;
159005284
root@Vela-PC:/var/ossec/queue/db# ls
000.db 000.db-shm 000.db-wal 001.db 001.db-shm 001.db-wal wdb
root@Vela-PC:/var/ossec/queue/db# rm 001*
root@Vela-PC:/var/ossec/queue/db# ls
000.db 000.db-shm 000.db-wal wdb
root@Vela-PC:/var/ossec/queue/db# systemctl restart wazuh-manager
root@Vela-PC:/var/ossec/queue/db# ls
000.db 000.db-shm 000.db-wal 001.db 001.db-shm 001.db-wal wdb
sqlite> select * from sys_osinfo;
1331196117|2019/10/08 11:29:19|VELA-WS2003|i686|Microsoft Windows Server 2003|5.2.3790||5|2|3790||||5.2|sp1
After removing the agent's DB and restarting the manager, the scan is received and the DB is restored.
It worked as expected.
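An added example, not code from this thread or from Wazuh: a Python script that computes the effective Syscollector configuration from a local ossec.conf fragment and a shared agent.conf fragment like the ones shown above. It assumes what the test above exhibits for `<disabled>` and `<interval>`: an option present in agent.conf overrides the same option in the local ossec.conf, and options absent from agent.conf keep their local value. The two XML fragments are constructed to mirror the thread's configurations.

```python
"""Effective syscollector configuration once centralized agent.conf is applied.

Added example for this thread, not Wazuh's own configuration parser. Assumed
precedence: an option in the shared agent.conf overrides the same option in
the local ossec.conf; options missing from agent.conf keep the local value.
"""
import xml.etree.ElementTree as ET

# Items syscollector can inventory, as named in the <wodle> blocks above.
TARGETS = ("hardware", "os", "network", "packages", "ports", "processes", "hotfixes")

# Constructed fragments mirroring the thread: locally disabled at 3m, the
# shared configuration enables the module at 2m.
OSSEC_CONF = """
<ossec_config>
  <wodle name="syscollector">
    <disabled>yes</disabled>
    <interval>3m</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
  </wodle>
</ossec_config>
"""

AGENT_CONF = """
<agent_config>
  <!-- Shared agent configuration here -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>2m</interval>
  </wodle>
</agent_config>
"""


def wodle_options(xml_text, name="syscollector"):
    """Map option tag -> (text, attributes) for the named <wodle> block.

    The text is wrapped in a dummy root because a real ossec.conf may carry
    several top-level <ossec_config> blocks, which is not well-formed XML.
    """
    root = ET.fromstring("<root>" + xml_text + "</root>")
    options = {}
    for wodle in root.iter("wodle"):
        if wodle.get("name") != name:
            continue
        for child in wodle:
            text = child.text.strip() if child.text else ""
            options[child.tag] = (text, dict(child.attrib))
    return options


def effective_config(local_xml, shared_xml=None):
    """Local options overlaid by the shared ones (assumed agent.conf precedence)."""
    merged = wodle_options(local_xml)
    if shared_xml:
        merged.update(wodle_options(shared_xml))
    return merged


def is_enabled(config):
    """The module runs unless <disabled> is 'yes'."""
    return config.get("disabled", ("no", {}))[0].lower() != "yes"


def scan_targets(config):
    """Inventory items switched on with 'yes', sorted by name."""
    return sorted(t for t in TARGETS if config.get(t, ("no", {}))[0].lower() == "yes")


if __name__ == "__main__":
    local = wodle_options(OSSEC_CONF)
    print("local only: enabled=%s interval=%s" % (is_enabled(local), local["interval"][0]))
    merged = effective_config(OSSEC_CONF, AGENT_CONF)
    print("with agent.conf: enabled=%s interval=%s" % (is_enabled(merged), merged["interval"][0]))
    print("scanning:", scan_targets(merged), "ports attrs:", merged["ports"][1])
```

Run it before pushing a shared configuration to see what an agent will end up with; the `ports all="no"` attribute survives the merge because agent.conf did not redefine `<ports>`.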
Example Syscollector configuration:
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>2m</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
</wodle>
Logs:
2019/10/09 12:10:49 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/09 12:10:53 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/09 12:12:49 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/09 12:12:52 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/09 12:14:49 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/09 12:14:53 wazuh-modulesd:syscollector: INFO: Evaluation finished.
Queries:
sqlite> select * from sys_osinfo;
1875027997|2019/10/09 12:10:49|centos5|x86_64|CentOS Linux|5.11||5|11||centos|Linux|2.6.18-419.el5.centos.plus|#1 SMP Sat Feb 25 15:50:12 UTC 2017|
sqlite> select * from sys_osinfo;
66869581|2019/10/09 12:12:49|centos5|x86_64|CentOS Linux|5.11||5|11||centos|Linux|2.6.18-419.el5.centos.plus|#1 SMP Sat Feb 25 15:50:12 UTC 2017|
sqlite> select * from sys_osinfo;
904897234|2019/10/09 12:14:49|centos5|x86_64|CentOS Linux|5.11||5|11||centos|Linux|2.6.18-419.el5.centos.plus|#1 SMP Sat Feb 25 15:50:12 UTC 2017|
Change the interval option from 2m to 3m.
Logs:
2019/10/09 12:18:02 wazuh-modulesd:syscollector: INFO: Module started.
2019/10/09 12:18:03 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/09 12:18:06 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/09 12:21:03 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/09 12:21:08 wazuh-modulesd:syscollector: INFO: Evaluation finished.
Queries:
sqlite> select * from sys_osinfo;
88335618|2019/10/09 12:18:03|centos5|x86_64|CentOS Linux|5.11||5|11||centos|Linux|2.6.18-419.el5.centos.plus|#1 SMP Sat Feb 25 15:50:12 UTC 2017|
105581116|2019/10/09 12:21:04|centos5|x86_64|CentOS Linux|5.11||5|11||centos|Linux|2.6.18-419.el5.centos.plus|#1 SMP Sat Feb 25 15:50:12 UTC 2017|
It worked as expected.
ossec.conf configuration:
<!-- System inventory -->
<wodle name="syscollector">
<disabled>yes</disabled>
<interval>3m</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
</wodle>
As we can see, syscollector is disabled:
2019/10/09 12:24:03 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/09 12:24:07 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/09 12:24:28 wazuh-modulesd:syscollector: INFO: Module finished.
2019/10/09 12:24:30 wazuh-modulesd:syscollector: INFO: Module disabled. Exiting...
agent.conf configuration:
<agent_config>
<!-- Shared agent configuration here -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>2m</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
</wodle>
</agent_config>
Logs:
2019/10/09 12:27:27 wazuh-modulesd:syscollector: INFO: Module started.
2019/10/09 12:27:28 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/09 12:27:36 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/09 12:29:28 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/09 12:29:33 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/09 12:31:28 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/09 12:31:32 wazuh-modulesd:syscollector: INFO: Evaluation finished.
Queries:
sqlite> select * from sys_osinfo;
1569118939|2019/10/09 12:29:28|centos5|x86_64|CentOS Linux|5.11||5|11||centos|Linux|2.6.18-419.el5.centos.plus|#1 SMP Sat Feb 25 15:50:12 UTC 2017|
158280889|2019/10/09 12:31:28|centos5|x86_64|CentOS Linux|5.11||5|11||centos|Linux|2.6.18-419.el5.centos.plus|#1 SMP Sat Feb 25 15:50:12 UTC 2017|
It worked as expected.
Operating system:
sqlite> select * from sys_osinfo;
1615966422|2019/10/09 12:49:28|centos5|x86_64|CentOS Linux|5.11||5|11||centos|Linux|2.6.18-419.el5.centos.plus|#1 SMP Sat Feb 25 15:50:12 UTC 2017|
Hardware:
sqlite> select * from sys_hwinfo;
1137136219|2019/10/09 12:51:28|unknown|Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz|2|2194.918|509660|6412|99
Packages:
sqlite> select * from sys_programs;
1134082791|2019/10/09 12:51:28|rpm|nash||System Environment/Base|2397|CentOS|2018/12/27 21:34:50|5.1.19.6-82.el5|x86_64|||nash shell||||
1134082791|2019/10/09 12:51:28|rpm|filesystem||System Environment/Base|0|CentOS|2018/12/27 21:34:50|2.4.0-3.el5.centos|x86_64|||The basic directory layout for a Linux system.||||
1134082791|2019/10/09 12:51:28|rpm|termcap||System Environment/Base|788|CentOS|2018/12/27 21:34:51|1:5.5-1.20060701.1|noarch|||The terminal feature database used by certain applications.||||
1134082791|2019/10/09 12:51:28|rpm|zlib||System Environment/Libraries|86|CentOS|2018/12/27 21:34:59|1.2.3-7.el5|x86_64|||The zlib compression and decompression library.||||
1134082791|2019/10/09 12:51:28|rpm|mktemp||System Environment/Base|15|CentOS|2018/12/27 21:34:59|3:1.5-24.el5|x86_64|||A small utility for safely making /tmp files.||||
1134082791|2019/10/09 12:51:28|rpm|audit-libs||Development/Libraries|152|CentOS|2018/12/27 21:34:59|1.8-2.el5|x86_64|||Dynamic library for libaudit||||
1134082791|2019/10/09 12:51:28|rpm|libtermcap||System Environment/Libraries|13|CentOS|2018/12/27 21:34:59|2.0.8-46.1|x86_64|||A basic system library for accessing the termcap database.||||
1134082791|2019/10/09 12:51:28|rpm|info||System Environment/Base|279|CentOS|2018/12/27 21:35:00|4.8-14.el5|x86_64|||A stand-alone TTY-based reader for GNU texinfo documentation.||||
1134082791|2019/10/09 12:51:28|rpm|ncurses||System Environment/Libraries|2951|CentOS|2018/12/27 21:35:02|5.5-24.20060715|x86_64|||A terminal handling library||||
1134082791|2019/10/09 12:51:28|rpm|sqlite||Applications/Databases|401|CentOS|2018/12/27 21:35:02|3.3.6-7|x86_64|||Library that implements an embeddable SQL database engine||||
1134082791|2019/10/09 12:51:28|rpm|sed||Applications/Text|327|CentOS|2018/12/27 21:35:02|4.1.5-8.el5|x86_64|||A GNU stream text editor.||||
...
Network interface:
sqlite> select * from sys_netiface;
1813942187|2019/10/09 12:51:28|eth0||ethernet|up|1500|08:00:27:41:a9:64|24918|8159|6962616|3564978|0|0|0|0
1813942187|2019/10/09 12:51:28|eth1||ethernet|up|1500|08:00:27:da:cf:8f|22|111|1356|22200|0|0|0|0
1813942187|2019/10/09 12:51:28|sit0||tunnel|down|1480|00:00:00:00|0|0|0|0|0|0|0|0
Ports:
sqlite> select * from sys_ports;
786824305|2019/10/09 12:53:30|tcp|0.0.0.0|2049|0.0.0.0|0|0|0|5276|listening||
786824305|2019/10/09 12:53:30|tcp|0.0.0.0|1003|0.0.0.0|0|0|0|5298|listening||
786824305|2019/10/09 12:53:30|tcp|0.0.0.0|812|0.0.0.0|0|0|0|4776|listening||
786824305|2019/10/09 12:53:30|tcp|0.0.0.0|111|0.0.0.0|0|0|0|4620|listening||
786824305|2019/10/09 12:53:30|tcp|0.0.0.0|22|0.0.0.0|0|0|0|5072|listening||
786824305|2019/10/09 12:53:30|tcp|0.0.0.0|33495|0.0.0.0|0|0|0|5280|listening||
786824305|2019/10/09 12:53:30|tcp6|::|22|::|0|0|0|5070|listening||
Processes:
sqlite> select * from sys_processes;
1887090680|2019/10/09 12:53:30|1|init|S|0|0|51|init [3]||root|root|root|root|root|root|root|15|0|2593|10372|200|167|5|1|1|1|1|0|1
1887090680|2019/10/09 12:53:30|2|migration/0|S|1|0|7|||root|root|root|root|root|root|root||-5|0|0|0|0|11|1|1|1|2|0|0
1887090680|2019/10/09 12:53:30|3|ksoftirqd/0|S|1|0|0|||root|root|root|root|root|root|root|34|19|0|0|0|0|11|1|1|1|3|0|0
1887090680|2019/10/09 12:53:30|4|watchdog/0|S|1|0|0|||root|root|root|root|root|root|root||-5|0|0|0|0|11|1|1|1|4|0|0
1887090680|2019/10/09 12:53:30|5|migration/1|S|1|0|5|||root|root|root|root|root|root|root||-5|0|0|0|0|11|1|1|1|5|0|1
1887090680|2019/10/09 12:53:30|6|ksoftirqd/1|S|1|0|0|||root|root|root|root|root|root|root|34|19|0|0|0|0|11|1|1|1|6|0|1
1887090680|2019/10/09 12:53:30|7|watchdog/1|S|1|0|0|||root|root|root|root|root|root|root||-5|0|0|0|0|11|1|1|1|7|0|1
1887090680|2019/10/09 12:53:30|8|events/0|S|1|0|116|||root|root|root|root|root|root|root|10|-5|0|0|0|0|42|1|1|1|8|0|0
1887090680|2019/10/09 12:53:30|9|events/1|S|1|0|0|||root|root|root|root|root|root|root|10|-5|0|0|0|0|42|1|1|1|9|0|1
1887090680|2019/10/09 12:53:30|10|khelper|S|1|0|0|||root|root|root|root|root|root|root|10|-5|0|0|0|0|42|1|1|1|10|0|1
Hotfixes: This option is only available on Windows.
It worked as expected.
Wazuh v3.7 tables:
sqlite> .tables
ciscat_results pm_event sys_netaddr sys_osinfo sys_programs
fim_entry scan_info sys_netiface sys_ports
metadata sys_hwinfo sys_netproto sys_processes
After updating to our branch:
sqlite> .tables
ciscat_results sca_policy sys_netproto
fim_entry sca_scan_info sys_osinfo
metadata scan_info sys_ports
pm_event sys_hotfixes sys_processes
sca_check sys_hwinfo sys_programs
sca_check_compliance sys_netaddr vuln_metadata
sca_check_rules sys_netiface
root@Vela-PC:/var/ossec/queue/db# /var/ossec/bin/agent_control -l
Wazuh agent_control. List of available agents:
ID: 000, Name: Vela-PC (server), IP: 127.0.0.1, Active/Local
ID: 001, Name: centos5, IP: 10.0.0.1, Active
List of agentless devices:
root@Vela-PC:/var/ossec/queue/db# sqlite3 001.db
SQLite version 3.22.0 2018-01-22 18:45:57
Enter ".help" for usage hints.
sqlite> select * from sys_osinfo;
47141211|2019/10/09 13:01:28|centos5|x86_64|CentOS Linux|5.11||5|11||centos|Linux|2.6.18-419.el5.centos.plus|#1 SMP Sat Feb 25 15:50:12 UTC 2017|
sqlite> select scan_id from sys_osinfo;
183729761
sqlite> select scan_id from sys_osinfo;
47141211
root@Vela-PC:/var/ossec/queue/db# ls
000.db 000.db-wal 001.db-shm wdb
000.db-shm 001.db 001.db-wal
root@Vela-PC:/var/ossec/queue/db# rm 001*
root@Vela-PC:/var/ossec/queue/db# ls
000.db 000.db-shm 000.db-wal wdb
root@Vela-PC:/var/ossec/queue/db# systemctl restart wazuh-manager
root@Vela-PC:/var/ossec/queue/db# ls
000.db 000.db-wal 001.db-shm wdb
000.db-shm 001.db 001.db-wal
root@Vela-PC:/var/ossec/queue/db# sqlite3 001.db
SQLite version 3.22.0 2018-01-22 18:45:57
Enter ".help" for usage hints.
sqlite> select * from sys_osinfo;
183729761|2019/10/09 12:59:28|centos5|x86_64|CentOS Linux|5.11||5|11||centos|Linux|2.6.18-419.el5.centos.plus|#1 SMP Sat Feb 25 15:50:12 UTC 2017|
It worked as expected.
Syscollector test
Scan: run a complete Syscollector scan.
Test on: Configuration, Database, scan_id.