Syscollector test

Version	Revision	Branch
3.11.0	31100	vuln-windows

Scan

Run a complete Syscollector scan:

Operating system.
Hardware.
Packages.
Network interfaces.
Ports.
Processes.
Hotfixes (by default in Windows since 3.11)

Test on:

[x] Windows Server 2019.
[x] Windows XP.
[x] Windows Server 2003.
[ ] Debian.
[ ] RPM.
[x] Centos 5.
[ ] macOS.

Configuration

[x] Check interval option runs as expected more than the very first time.
[x] Send a Syscollector configuration by the shared conf (agent.conf).

Database

[x] Upgrade from a version older than v3.8.0. The databases at queue/db/ must be updated.
[x] Check that Syscollector info has been stored in the DB of the agent (queue/db/xxx.db).
[x] Check that a new scan deletes the previous scan from the DB. [Search by scan_id]
[x] Delete the DB of an agent (file 001.db for example) and send a new scan. Is the scan received? Is the DB restored when the manager is restarted?

I installed Windows agent from the vuln-windows branch, compiled the agent in Linux and generated the MSI installer in Windows from the related branch.

Check interval option Windows Server 2019

Test example 1.

Example Syscollector configuration:

<!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>2m</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
  </wodle>

Logs:

2019/10/03 16:38:26 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/03 16:38:28 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/03 16:40:26 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/03 16:40:30 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/03 16:42:26 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/03 16:42:28 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/03 16:44:26 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/03 16:44:27 wazuh-modulesd:syscollector: INFO: Evaluation finished.

As we can see, we get a log report every 2 minutes as I have specified on the configuration.

On /var/ossec/queue/db/Agent_ID.db we can consult datas:

root@Vela-PC:/var/ossec/queue/db# sqlite3 002.db
SQLite version 3.22.0 2018-01-22 18:45:57
Enter ".help" for usage hints.
sqlite> select * from sys_osinfo;
1499646275|2019/10/03 16:50:26|WIN-087251A1RP6|x86_64|Microsoft Windows Server 2019 Standard Evaluation|10.0.17763||10|0|17763||||6.2|1809

In this case, I consulted Agent's OS version.

2 minutes after, information has been updated:

sqlite> select * from sys_osinfo;
201478398|2019/10/03 16:52:27|WIN-087251A1RP6|x86_64|Microsoft Windows Server 2019 Standard Evaluation|10.0.17763||10|0|17763||||6.2|1809

Until two minutes pass, we won't see it updated:

590786551|2019/10/03 16:54:26|WIN-087251A1RP6|x86_64|Microsoft Windows Server 2019 Standard Evaluation|10.0.17763||10|0|17763||||6.2|1809
sqlite> select * from sys_osinfo;
590786551|2019/10/03 16:54:26|WIN-087251A1RP6|x86_64|Microsoft Windows Server 2019 Standard Evaluation|10.0.17763||10|0|17763||||6.2|1809
sqlite> select * from sys_osinfo;
590786551|2019/10/03 16:54:26|WIN-087251A1RP6|x86_64|Microsoft Windows Server 2019 Standard Evaluation|10.0.17763||10|0|17763||||6.2|1809
sqlite> select * from sys_osinfo;
742871911|2019/10/03 16:56:26|WIN-087251A1RP6|x86_64|Microsoft Windows Server 2019 Standard Evaluation|10.0.17763||10|0|17763||||6.2|1809

Test example 2.

We are going to modify syscollector configuration changing interval option by <interval>3m</interval>.

As expected, we get a log report on the agent's log every 3 minutes:

2019/10/03 17:10:35 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/03 17:10:39 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/03 17:13:35 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/03 17:13:38 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/03 17:16:35 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/03 17:16:37 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/03 17:19:35 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/03 17:19:37 wazuh-modulesd:syscollector: INFO: Evaluation finished.

Also, we get our tables updated every 3 minutes on our manager:

sqlite> select * from sys_osinfo;
88309208|2019/10/03 17:25:35|WIN-087251A1RP6|x86_64|Microsoft Windows Server 2019 Standard Evaluation|10.0.17763||10|0|17763||||6.2|1809
sqlite> select * from sys_osinfo;
491023145|2019/10/03 17:28:36|WIN-087251A1RP6|x86_64|Microsoft Windows Server 2019 Standard Evaluation|10.0.17763||10|0|17763||||6.2|1809
sqlite> select * from sys_osinfo;
1066222077|2019/10/03 17:31:35|WIN-087251A1RP6|x86_64|Microsoft Windows Server 2019 Standard Evaluation|10.0.17763||10|0|17763||||6.2|1809

Extra test.

If we configure a minor interval than 1 minute, such as <interval>5s</interval>, we effectivelly are going to see a log report every 5 second:

2019/10/03 17:40:30 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/03 17:40:35 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/03 17:40:35 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/03 17:40:37 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/03 17:40:40 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/03 17:40:43 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/03 17:40:45 wazuh-modulesd:syscollector: INFO: Starting evaluation.

However, we are not going to be able to see our tables updated from the manager terminal because the database hasn't got enough time to "commit" updates.

We can see it from the Wazuh-API or stopping and restarting the manager.

In shorts, it works as expected.

Send a Syscollector configuration by the shared conf. Windows Server 2019

To do this test, my Windows agent belongs to the default group, so I edited the /var/ossec/shared/default/agent.conf file as follows:

<agent_config>
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>2m</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
  </wodle>
</agent_config>

Actually, on the agent's ossec.conf, I have the interval option in 1 hours.

First, I checked if the file had any error:

verify-agent-conf: Verifying [/var/ossec/etc/shared/default/agent.conf]
verify-agent-conf: OK

I restarted the manager in addition to get agent.conf file available to the agents more quickly. I verified if the agent was synchronized:

root@Vela-PC:/home/vela# /var/ossec/bin/agent_groups -S -i 001
Agent '001' is synchronized.

I restarted the agent:

root@Vela-PC:/home/vela# /var/ossec/bin/agent_control -R -u 001

Wazuh agent_control: Restarting agent: 001

Syscollector new configuration supposed to be updated, let's see if it worked:

Agent log report:

2019/10/04 09:05:12 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/04 09:05:16 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/04 09:07:12 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/04 09:07:14 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/04 09:09:12 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/04 09:09:13 wazuh-modulesd:syscollector: INFO: Evaluation finished.

Manager database consult:


sqlite> select * from sys_osinfo;
2143634295|2019/10/04 09:05:14|WIN-087251A1RP6|x86_64|Microsoft Windows Server 2019 Standard Evaluation|10.0.17763||10|0|17763||||6.2|1809

sqlite> select * from sys_osinfo; 1866113568|2019/10/04 09:07:12|WIN-087251A1RP6|x86_64|Microsoft Windows Server 2019 Standard Evaluation|10.0.17763||10|0|17763||||6.2|1809

sqlite> select * from sys_osinfo; 491103323|2019/10/04 09:09:12|WIN-087251A1RP6|x86_64|Microsoft Windows Server 2019 Standard Evaluation|10.0.17763||10|0|17763||||6.2|1809



As we can see, previously we had a diferent Syscollector configuration which has been updated remotelly with the `agent.conf`.

---
It worked as expected.

---

Testing diferent options. Windows Server 2019

Operating system:

sqlite> select * from sys_osinfo;
1866242968|2019/10/04 08:17:41|WIN-087251A1RP6|x86_64|Microsoft Windows Server 2019 Standard Evaluation|10.0.17763||10|0|17763||||6.2|1809

Hardware:

sqlite> select * from sys_hwinfo;
1451099873|2019/10/04 08:17:41|0|Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz|1|2195.0|2096692|1111604|46

Packages:

sqlite> select * from sys_programs;
307247529|2019/10/04 12:13:53|win|Oracle VM VirtualBox Guest Additions 5.2.32||||Oracle Corporation||5.2.32.0|x86_64|||||0||
307247529|2019/10/04 12:13:53|win|WiX Toolset v3.11 X64||||.NET Foundation|20191003|3.11.4516|x86_64|||||0||
307247529|2019/10/04 12:13:53|win|WiX Toolset v3.11 Native 2015 SDK||||.NET Foundation|20191003|3.11.4516|i686|||||0||
307247529|2019/10/04 12:13:53|win|Wazuh Agent||||Wazuh, Inc.|20191004|3.11.0|i686|||||||
307247529|2019/10/04 12:13:53|win|WiX Toolset v3.11 Native 2013 SDK||||.NET Foundation|20191003|3.11.4516|i686|||||0||
307247529|2019/10/04 12:13:53|win|WiX Toolset v3.11 Core||||.NET Foundation|20191003|3.11.4516|i686|||||0||
307247529|2019/10/04 12:13:53|win|WiX Toolset v3.11.2.4516||||.NET Foundation||3.11.2.4516|i686|||||0||
307247529|2019/10/04 12:13:53|win|WiX Toolset v3.11 Managed SDK||||.NET Foundation|20191003|3.11.4516|i686|||||0||
307247529|2019/10/04 12:13:53|win|WiX Toolset v3.11 Native 2012 SDK||||.NET Foundation|20191003|3.11.4516|i686|||||0||
307247529|2019/10/04 12:13:53|win|WiX Toolset v3.11 Native 2017 SDK||||.NET Foundation|20191003|3.11.4516|i686|||||0||
307247529|2019/10/04 12:13:53|win|WiX Toolset v3.11 Native 2010 SDK||||.NET Foundation|20191003|3.11.4516|i686|||||0||

Network interface:

sqlite> select * from sys_netiface;
1474284526|2019/10/04 08:17:41|Ethernet|Intel(R) PRO/1000 MT Desktop Adapter|ethernet|up|1500|08:00:27:7B:76:06|7351|17177|1039250|13320743|0|0|0|0

Ports:

sqlite> select * from sys_ports;
33856924|2019/10/04 08:17:42|tcp|0.0.0.0|135|0.0.0.0|0||||listening|788|svchost.exe
33856924|2019/10/04 08:17:42|tcp|0.0.0.0|445|0.0.0.0|0||||listening|4|System
33856924|2019/10/04 08:17:42|tcp|0.0.0.0|5357|0.0.0.0|0||||listening|4|System
33856924|2019/10/04 08:17:42|tcp|0.0.0.0|5985|0.0.0.0|0||||listening|4|System
33856924|2019/10/04 08:17:42|tcp|0.0.0.0|47001|0.0.0.0|0||||listening|4|System
33856924|2019/10/04 08:17:42|tcp|0.0.0.0|49664|0.0.0.0|0||||listening|456|wininit.exe
33856924|2019/10/04 08:17:42|tcp|0.0.0.0|49665|0.0.0.0|0||||listening|584|lsass.exe
33856924|2019/10/04 08:17:42|tcp|0.0.0.0|49666|0.0.0.0|0||||listening|1000|svchost.exe
33856924|2019/10/04 08:17:42|tcp|0.0.0.0|49667|0.0.0.0|0||||listening|304|svchost.exe
33856924|2019/10/04 08:17:42|tcp|0.0.0.0|49668|0.0.0.0|0||||listening|1640|spoolsv.exe
33856924|2019/10/04 08:17:42|tcp|0.0.0.0|49669|0.0.0.0|0||||listening|576|services.exe
33856924|2019/10/04 08:17:42|tcp|10.0.2.15|139|0.0.0.0|0||||listening|4|System
33856924|2019/10/04 08:17:42|tcp6|::|135|::|0||||listening|788|svchost.exe
33856924|2019/10/04 08:17:42|tcp6|::|445|::|0||||listening|4|System
33856924|2019/10/04 08:17:42|tcp6|::|5357|::|0||||listening|4|System
33856924|2019/10/04 08:17:42|tcp6|::|5985|::|0||||listening|4|System
33856924|2019/10/04 08:17:42|tcp6|::|47001|::|0||||listening|4|System
33856924|2019/10/04 08:17:42|tcp6|::|49664|::|0||||listening|456|wininit.exe
33856924|2019/10/04 08:17:42|tcp6|::|49665|::|0||||listening|584|lsass.exe
33856924|2019/10/04 08:17:42|tcp6|::|49666|::|0||||listening|1000|svchost.exe
33856924|2019/10/04 08:17:42|tcp6|::|49667|::|0||||listening|304|svchost.exe
33856924|2019/10/04 08:17:42|tcp6|::|49668|::|0||||listening|1640|spoolsv.exe
33856924|2019/10/04 08:17:42|tcp6|::|49669|::|0||||listening|576|services.exe

Processes:

sqlite> select * from sys_processes;
166122210|2019/10/04 08:17:42|0|System Idle Process||0|0|0|none|||||||||0|0|0|0|||||0|1|||
166122210|2019/10/04 08:17:42|4|System||0|0|0|none|||||||||8|0|0|0|||||0|93|||
166122210|2019/10/04 08:17:42|68|Registry||4|0|0||||||||||8|0|0|0|||||0|4|||
166122210|2019/10/04 08:17:42|280|smss.exe||4|0|0||||||||||11|0|0|0|||||0|2|||
166122210|2019/10/04 08:17:42|368|csrss.exe||360|0|0||||||||||13|0|0|0|||||0|11|||
166122210|2019/10/04 08:17:42|440|csrss.exe||432|0|0||||||||||13|0|0|0|||||0|10|||
166122210|2019/10/04 08:17:42|456|wininit.exe||360|0|0||||||||||13|0|0|0|||||0|1|||
166122210|2019/10/04 08:17:42|492|winlogon.exe||432|0|0|C:\Windows\System32\winlogon.exe|||||||||13|0|2494464|13635584|||||1|4|||
166122210|2019/10/04 08:17:42|576|services.exe||456|0|0||||||||||9|0|0|0|||||0|6|||
166122210|2019/10/04 08:17:42|584|lsass.exe||456|0|0|C:\Windows\System32\lsass.exe|||||||||9|0|6090752|21151744|||||0|7|||
166122210|2019/10/04 08:17:42|688|svchost.exe||576|0|0|C:\Windows\System32\svchost.exe|||||||||8|0|7348224|34500608|||||0|10|||
166122210|2019/10/04 08:17:42|712|fontdrvhost.exe||492|0|0|C:\Windows\System32\fontdrvhost.exe|||||||||8|0|1871872|6901760|||||1|5|||
166122210|2019/10/04 08:17:42|720|fontdrvhost.exe||456|0|0|C:\Windows\System32\fontdrvhost.exe|||||||||8|0|1454080|5009408|||||0|5|||
166122210|2019/10/04 08:17:42|788|svchost.exe||576|0|0|C:\Windows\System32\svchost.exe|||||||||8|0|4907008|16044032|||||0|8|||
166122210|2019/10/04 08:17:42|872|dwm.exe||492|0|0|C:\Windows\System32\dwm.exe|||||||||13|0|44105728|118587392|||||1|14|||
166122210|2019/10/04 08:17:42|976|svchost.exe||576|0|0|C:\Windows\System32\svchost.exe|||||||||8|0|13111296|35807232|||||0|19|||
166122210|2019/10/04 08:17:42|1000|svchost.exe||576|0|0|C:\Windows\System32\svchost.exe|||||||||8|0|14454784|39518208|||||0|16|||
166122210|2019/10/04 08:17:42|316|svchost.exe||576|0|0|C:\Windows\System32\svchost.exe|||||||||8|0|5603328|13004800|||||0|7|||
166122210|2019/10/04 08:17:42|860|svchost.exe||576|0|0|C:\Windows\System32\svchost.exe|||||||||8|0|7503872|31330304|||||0|18|||
166122210|2019/10/04 08:17:42|304|svchost.exe||576|4|2|C:\Windows\System32\svchost.exe|||||||||8|0|49082368|134283264|||||0|47|||
166122210|2019/10/04 08:17:42|1044|VBoxService.exe||576|0|0|C:\Windows\System32\VBoxService.exe|||||||||8|0|2293760|9895936|||||0|10|||
166122210|2019/10/04 08:17:42|1080|svchost.exe||576|0|0|C:\Windows\System32\svchost.exe|||||||||8|0|8626176|30289920|||||0|19|||
166122210|2019/10/04 08:17:42|1368|svchost.exe||576|0|0|C:\Windows\System32\svchost.exe|||||||||8|0|1925120|9744384|||||0|4|||
166122210|2019/10/04 08:17:42|1432|svchost.exe||576|0|0|C:\Windows\System32\svchost.exe|||||||||8|0|7958528|24629248|||||0|13|||
166122210|2019/10/04 08:17:42|1640|spoolsv.exe||576|0|0|C:\Windows\System32\spoolsv.exe|||||||||8|0|5820416|22085632|||||0|6|||
166122210|2019/10/04 08:17:42|1660|svchost.exe||576|0|0|C:\Windows\System32\svchost.exe|||||||||8|0|2744320|12341248|||||0|4|||
166122210|2019/10/04 08:17:42|1728|svchost.exe||576|0|0|C:\Windows\System32\svchost.exe|||||||||8|0|12083200|39694336|||||0|12|||
166122210|2019/10/04 08:17:42|1812|svchost.exe||576|0|0|C:\Windows\System32\svchost.exe|||||||||8|0|1847296|9441280|||||0|4|||
166122210|2019/10/04 08:17:42|1860|wlms.exe||576|0|0|C:\Windows\System32\wlms\wlms.exe|||||||||8|0|724992|3809280|||||0|2|||
166122210|2019/10/04 08:17:42|1896|MsMpEng.exe||576|0|0||||||||||8|0|0|0|||||0|25|||
166122210|2019/10/04 08:17:42|1932|svchost.exe||576|0|0|C:\Windows\System32\svchost.exe|||||||||8|0|2236416|10395648|||||0|5|||
166122210|2019/10/04 08:17:42|2420|NisSrv.exe||576|0|0||||||||||8|0|0|0|||||0|6|||
166122210|2019/10/04 08:17:42|2632|svchost.exe||576|0|0|C:\Windows\System32\svchost.exe|||||||||8|0|5349376|20664320|||||0|5|||
166122210|2019/10/04 08:17:42|2676|sihost.exe||304|0|0|C:\Windows\System32\sihost.exe|||||||||8|0|5083136|29970432|||||1|8|||
166122210|2019/10/04 08:17:42|2716|svchost.exe||576|0|0|C:\Windows\System32\svchost.exe|||||||||8|0|7438336|42061824|||||1|5|||
166122210|2019/10/04 08:17:42|2736|taskhostw.exe||304|0|0|C:\Windows\System32\taskhostw.exe|||||||||8|0|4300800|17108992|||||1|4|||
166122210|2019/10/04 08:17:42|2908|ctfmon.exe||976|0|0|C:\Windows\System32\ctfmon.exe|||||||||13|0|4534272|20557824|||||1|8|||
166122210|2019/10/04 08:17:42|384|explorer.exe||3068|4|6|C:\Windows\explorer.exe|||||||||8|0|39829504|151351296|||||1|58|||
166122210|2019/10/04 08:17:42|2560|ShellExperienceHost.exe||688|0|0|C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe|||||||||8|0|21655552|82788352|||||1|26|||
166122210|2019/10/04 08:17:42|1976|SearchUI.exe||688|2|0|C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe|||||||||8|0|79085568|158146560|||||1|35|||
166122210|2019/10/04 08:17:42|2312|RuntimeBroker.exe||688|0|0|C:\Windows\System32\RuntimeBroker.exe|||||||||8|0|3436544|17887232|||||1|2|||
166122210|2019/10/04 08:17:42|2628|RuntimeBroker.exe||688|0|0|C:\Windows\System32\RuntimeBroker.exe|||||||||8|0|7090176|30420992|||||1|5|||
166122210|2019/10/04 08:17:42|448|RuntimeBroker.exe||688|0|0|C:\Windows\System32\RuntimeBroker.exe|||||||||8|0|2408448|14897152|||||1|2|||
166122210|2019/10/04 08:17:42|1764|smartscreen.exe||688|0|0|C:\Windows\System32\smartscreen.exe|||||||||8|0|8073216|31313920|||||1|5|||
166122210|2019/10/04 08:17:42|3112|VBoxTray.exe||384|0|0|C:\Windows\System32\VBoxTray.exe|||||||||8|0|2592768|13602816|||||1|10|||
166122210|2019/10/04 08:17:42|3404|msdtc.exe||576|0|0|C:\Windows\System32\msdtc.exe|||||||||8|0|3141632|13385728|||||0|10|||
166122210|2019/10/04 08:17:42|2464|dllhost.exe||688|0|0|C:\Windows\System32\dllhost.exe|||||||||8|0|3379200|14958592|||||1|6|||
166122210|2019/10/04 08:17:42|2364|ApplicationFrameHost.exe||688|0|0|C:\Windows\System32\ApplicationFrameHost.exe|||||||||8|0|7135232|35409920|||||1|3|||
166122210|2019/10/04 08:17:42|2004|SystemSettings.exe||688|1|0|C:\Windows\ImmersiveControlPanel\SystemSettings.exe|||||||||8|0|21213184|95342592|||||1|21|||
166122210|2019/10/04 08:17:42|3368|WmiPrvSE.exe||688|0|0|C:\Windows\System32\wbem\WmiPrvSE.exe|||||||||8|0|2134016|10452992|||||0|4|||
166122210|2019/10/04 08:17:42|1576|win32ui.exe||3548|0|0|C:\Program Files (x86)\ossec-agent\win32ui.exe|||||||||8|0|2359296|13271040|||||1|3|||
166122210|2019/10/04 08:17:42|312|svchost.exe||576|0|0||||||||||8|0|0|0|||||0|9|||
166122210|2019/10/04 08:17:42|3876|ossec-agent.exe||576|0|0|C:\Program Files (x86)\ossec-agent\ossec-agent.exe|||||||||8|0|6942720|19132416|||||0|18|||

Hotfixes:

sqlite> select * from sys_hotfixes;
1317886166|2019/10/04 08:17:42|KB4489899
1317886166|2019/10/04 08:17:42|KB4470788
1317886166|2019/10/04 08:17:42|KB4483452
1317886166|2019/10/04 08:17:42|DotNetRollup
1317886166|2019/10/04 08:17:42|RollupFix

Database tests. Windows Server 2019

Upgrade from a version older than v3.8.0. The databases at queue/db/ must be updated.

To do this test, I have installed Wazuh manager 3.7.

Wazuh v3.7.3 (Rev. 3728) Installation Script - http://www.wazuh.com

 You are about to start the installation process of Wazuh.
 You must have a C compiler pre-installed in your system.

  - System: Linux Vela-PC 4.15.0-64-generic (linuxmint 19.2)
  - User: root
  - Host: Vela-PC

I had to install Wazuh agent 3.7 too in Windows.

Here, we can see the DB:

root@Vela-PC:/var/ossec/queue/db# ls -l --full-time
total 5020
-rw-r----- 1 ossec ossec 2256896 2019-10-04 11:05:59.698816866 +0200 000.db
-rw-r----- 1 ossec ossec   32768 2019-10-04 11:08:41.525487126 +0200 000.db-shm
-rw-r----- 1 ossec ossec 2517352 2019-10-04 11:08:41.349484258 +0200 000.db-wal
-rw-r----- 1 ossec ossec  147456 2019-10-04 11:13:02.621677721 +0200 001.db
-rw-r----- 1 ossec ossec   32768 2019-10-04 11:16:53.845309245 +0200 001.db-shm
-rw-r----- 1 ossec ossec  148352 2019-10-04 11:16:58.033374529 +0200 001.db-wal
srw-rw---- 1 ossec ossec       0 2019-10-04 11:06:00.770834794 +0200 wdb

Now I'm going to update the manager to the related brach and check if the DB is updated.

root@Vela-PC:/var/ossec/queue/db# ls
000.db  000.db-shm  000.db-wal  001.db  001.db-shm  001.db-wal  wdb

root@Vela-PC:/var/ossec/queue/db# sqlite3 001.db
SQLite version 3.22.0 2018-01-22 18:45:57
Enter ".help" for usage hints.
sqlite> .tables
ciscat_results        sca_policy            sys_netproto        
fim_entry             sca_scan_info         sys_osinfo          
metadata              scan_info             sys_ports           
pm_event              sys_hotfixes          sys_processes       
sca_check             sys_hwinfo            sys_programs        
sca_check_compliance  sys_netaddr           vuln_metadata       
sca_check_rules       sys_netiface

As we can see, we have the DB created and we have vuln_metadata table into our agent's DB, it means that the DB has been updated correctly.

Check that Syscollector info has been stored in the DB of the agent (queue/db/xxx.db).

In the previous tests, we have seen how it works:

root@Vela-PC:/var/ossec/queue/db# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: Vela-PC (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: WIN-087251A1RP6, IP: 192.168.0.150, Active

List of agentless devices:

root@Vela-PC:/var/ossec/queue/db# ls
000.db  000.db-shm  000.db-wal  001.db  001.db-shm  001.db-wal  wdb

We have our Windows agent which ID is 001 and how Syscollector info has been stored in the agent's DB. 001.db 001.db-shm 001.db-wal.

Check that a new scan deletes the previous scan from the DB. [Search by scan_id].

sqlite> select scan_id from sys_hwinfo;
1561502522

sqlite> select scan_id from sys_hwinfo;
1962231651

As we can see, a new scan deletes the previous scan.

Delete the DB of an agent (file 001.db for example) and send a new scan. Is the scan received? Is the DB restored when the manager is restarted?

root@Vela-PC:/var/ossec/queue/db# ls
000.db  000.db-shm  000.db-wal  001.db  001.db-shm  001.db-wal  wdb
root@Vela-PC:/var/ossec/queue/db# rm 001*
root@Vela-PC:/var/ossec/queue/db# ls
000.db  000.db-shm  000.db-wal  wdb
root@Vela-PC:/var/ossec/queue/db# systemctl restart wazuh-manager
root@Vela-PC:/var/ossec/queue/db# ls
000.db  000.db-shm  000.db-wal  001.db  001.db-shm  001.db-wal  wdb
root@Vela-PC:/var/ossec/queue/db# sqlite3 001.db
SQLite version 3.22.0 2018-01-22 18:45:57
Enter ".help" for usage hints.
sqlite> select * from sys_hwinfo;
769101749|2019/10/04 10:35:02|0|Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz|1|2195.0|2096692|1068284|49

As we can see, after removing agent's DB and restanting the manager, the scan is received and the DB restored.

It worked as expected.

I installed Windows agent from the vuln-windows branch, compiled the agent in Linux and generated the MSI installer in Windows from the related branch.

Check interval option Windows XP

Test example 1.

Example Syscollector configuration:

<!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>2m</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
  </wodle>

Agent's logs:

2019/10/07 03:33:02 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/07 03:33:09 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/07 03:35:02 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/07 03:35:06 wazuh-modulesd:syscollector: INFO: Evaluation finished.

Consult to the DB:

sqlite> select * from sys_osinfo;
5327162|2019/10/07 03:33:04|VELA-346A03F82A|i686|Microsoft Windows XP|5.1.2600||5|1|2600||||5.1
sqlite> select * from sys_osinfo;
206238926|2019/10/07 03:35:02|VELA-346A03F82A|i686|Microsoft Windows XP|5.1.2600||5|1|2600||||5.1

As we can see, we get updated DB's tables every two minutes as we have specified in the configuration.

Test example 2.

We are going to modify syscollector configuration changing interval option by 3m.

As expected, we get a log report on the agent's log every 3 minutes:

2019/10/07 03:48:36 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/07 03:48:40 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/07 03:51:36 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/07 03:51:42 wazuh-modulesd:syscollector: INFO: Evaluation finished.

Also, we get our tables updated every 3 minutes on our manager:

sqlite> select * from sys_osinfo;
998799179|2019/10/07 03:48:36|VELA-346A03F82A|i686|Microsoft Windows XP|5.1.2600||5|1|2600||||5.1
sqlite> select * from sys_osinfo;
190887807|2019/10/07 03:51:36|VELA-346A03F82A|i686|Microsoft Windows XP|5.1.2600||5|1|2600||||5.1

It works as expected. Interval option works well more than the very first time.

Send a Syscollector configuration by the shared conf. Windows XP

Actually, on the agent's ossec.conf, this is my syscollector configuration:

<!-- System inventory -->
  <wodle name="syscollector">
    <disabled>yes</disabled>
    <interval>5m</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
  </wodle>

Syscollector is disabled. Let's enable it from the manager and change the interval option from 5m to 2m.

agent.conf file configuration:

<wodle name="syscollector">
    <disabled>no</disabled>
    <interval>2m</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
  </wodle>

Syscollector new configuration supposed to be updated, let's see if it worked: Agent's logs:

2019/10/07 03:57:32 wazuh-modulesd:syscollector: INFO: Module disabled. Exiting...

...

2019/10/07 04:02:52 wazuh-modulesd:syscollector: INFO: Module started.

2019/10/07 04:06:53 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/07 04:06:59 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/07 04:08:53 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/07 04:08:58 wazuh-modulesd:syscollector: INFO: Evaluation finished.

Consult to the DB:

sqlite> select * from sys_osinfo;
181796598|2019/10/07 04:06:53|VELA-346A03F82A|i686|Microsoft Windows XP|5.1.2600||5|1|2600||||5.1
sqlite> select * from sys_osinfo;
122096704|2019/10/07 04:08:53|VELA-346A03F82A|i686|Microsoft Windows XP|5.1.2600||5|1|2600||||5.1

As we can see, we have enabled syscollector remotelly by the shared conf. It works as expected.

Testing diferent options. Windows XP

Operating system:

sqlite> select * from sys_osinfo;
148033178|2019/10/07 04:10:53|VELA-346A03F82A|i686|Microsoft Windows XP|5.1.2600||5|1|2600||||5.1

Hardware:

sqlite> select * from sys_hwinfo;
162875094|2019/10/07 04:12:53|0|Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz|1|2195.0|523760|338412|35

Packages:

sqlite> select * from sys_programs;
1168856537|2019/10/07 04:12:53|win|Security Update for CAPICOM (KB931906)||||Microsoft Corporation||2.1.0.2|i686|||||0
1168856537|2019/10/07 04:12:53|win|Oracle VM VirtualBox Guest Additions 5.2.32||||Oracle Corporation||5.2.32.0|i686|||||0
1168856537|2019/10/07 04:12:53|win|Wazuh Agent||||Wazuh, Inc.|20191007|3.11.0|i686|||||0
1168856537|2019/10/07 04:12:53|win|WebFldrs XP||||Microsoft Corporation|20191004|9.50.7523|i686|||||0

Network interface:

sqlite> select * from sys_netiface;
999558218|2019/10/07 04:12:53|Local Area Connection|AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport|ethernet|up|1500|08:00:27:89:33:50|30904|4441|8562483|2036459|0|0|0|0
999558218|2019/10/07 04:12:53|Teredo Tunneling Pseudo-Interface|Teredo Tunneling Pseudo-Interface|tunnel|down|1280|FF:FF:FF:FF:FF:FF:FF:FF||||||||
999558218|2019/10/07 04:12:53|6to4 Pseudo-Interface|6to4 Pseudo-Interface|tunnel|up|1280|FF:FF:FF:FF||||||||
999558218|2019/10/07 04:12:53|Automatic Tunneling Pseudo-Interface|Automatic Tunneling Pseudo-Interface|tunnel|up|1280|0A:00:02:0F||||||||

Ports:

sqlite> select * from sys_ports;
295952037|2019/10/07 04:12:59|tcp|0.0.0.0|135|0.0.0.0|16469||||listening|760|svchost.exe
295952037|2019/10/07 04:12:59|tcp|0.0.0.0|445|0.0.0.0|12342||||listening|4|System
295952037|2019/10/07 04:12:59|tcp|10.0.2.15|139|0.0.0.0|49381||||listening|4|System
295952037|2019/10/07 04:12:59|tcp|127.0.0.1|1025|0.0.0.0|57443||||listening|1800|alg.exe

Processes:

sqlite> select * from sys_processes;
561513671|2019/10/07 04:14:57|0|System Idle Process||0|0|0|none|||||||||0|0|0|0|||||0|1|||
561513671|2019/10/07 04:14:57|4|System||0|0|0|none|||||||||8|0|0|0|||||0|54|||
561513671|2019/10/07 04:14:57|320|smss.exe||4|0|0|\Device\HarddiskVolume1\WINDOWS\system32\smss.exe|||||||||11|0|176128|614400|||||0|3|||
561513671|2019/10/07 04:14:57|416|csrss.exe||320|1|5|\Device\HarddiskVolume1\WINDOWS\system32\csrss.exe|||||||||13|0|1867776|6078464|||||0|12|||
561513671|2019/10/07 04:14:57|440|winlogon.exe||320|0|1|\Device\HarddiskVolume1\WINDOWS\system32\winlogon.exe|||||||||13|0|14491648|27881472|||||0|19|||
561513671|2019/10/07 04:14:57|484|services.exe||440|1|7|\Device\HarddiskVolume1\WINDOWS\system32\services.exe|||||||||9|0|9601024|23277568|||||0|21|||
561513671|2019/10/07 04:14:57|496|lsass.exe||440|0|0|\Device\HarddiskVolume1\WINDOWS\system32\lsass.exe|||||||||9|0|4198400|11337728|||||0|22|||
561513671|2019/10/07 04:14:57|644|VBoxService.exe||484|0|0|\Device\HarddiskVolume1\WINDOWS\system32\VBoxService.exe|||||||||8|0|1470464|5337088|||||0|8|||
561513671|2019/10/07 04:14:57|680|svchost.exe||484|0|0|\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe|||||||||8|0|3375104|8704000|||||0|20|||
561513671|2019/10/07 04:14:57|760|svchost.exe||484|0|0|\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe|||||||||8|0|2093056|7004160|||||0|11|||
561513671|2019/10/07 04:14:57|800|svchost.exe||484|1|7|\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe|||||||||8|0|14221312|39464960|||||0|77|||
561513671|2019/10/07 04:14:57|848|svchost.exe||484|0|0|\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe|||||||||8|0|1413120|5238784|||||0|4|||
561513671|2019/10/07 04:14:57|880|svchost.exe||484|0|0|\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe|||||||||8|0|1781760|6250496|||||0|12|||
561513671|2019/10/07 04:14:57|1156|explorer.exe||1136|4|10|\Device\HarddiskVolume1\WINDOWS\explorer.exe|||||||||8|0|19001344|47013888|||||0|14|||
561513671|2019/10/07 04:14:57|1264|spoolsv.exe||484|0|0|\Device\HarddiskVolume1\WINDOWS\system32\spoolsv.exe|||||||||8|0|3260416|8216576|||||0|10|||
561513671|2019/10/07 04:14:57|1336|svchost.exe||484|0|0|\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe|||||||||8|0|1482752|5554176|||||0|5|||
561513671|2019/10/07 04:14:57|1800|alg.exe||484|0|0|\Device\HarddiskVolume1\WINDOWS\system32\alg.exe|||||||||8|0|1310720|5197824|||||0|5|||
561513671|2019/10/07 04:14:57|1888|VBoxTray.exe||1156|0|0|\Device\HarddiskVolume1\WINDOWS\system32\VBoxTray.exe|||||||||8|0|1802240|6766592|||||0|11|||
561513671|2019/10/07 04:14:57|1896|ctfmon.exe||1156|0|0|\Device\HarddiskVolume1\WINDOWS\system32\ctfmon.exe|||||||||8|0|1081344|4829184|||||0|1|||
561513671|2019/10/07 04:14:57|156|wscntfy.exe||800|0|0|\Device\HarddiskVolume1\WINDOWS\system32\wscntfy.exe|||||||||8|0|708608|3403776|||||0|1|||
561513671|2019/10/07 04:14:57|2648|wuauclt.exe||800|0|0|\Device\HarddiskVolume1\WINDOWS\system32\wuauclt.exe|||||||||8|0|2379776|6733824|||||0|3|||
561513671|2019/10/07 04:14:57|3268|win32ui.exe||3216|0|0|\Device\HarddiskVolume1\Program Files\ossec-agent\win32ui.exe|||||||||8|0|1429504|5988352|||||0|1|||
561513671|2019/10/07 04:14:57|832|ossec-agent.exe||484|16|2|\Device\HarddiskVolume1\Program Files\ossec-agent\ossec-agent.exe|||||||||8|0|12701696|27680768|||||0|18|||
561513671|2019/10/07 04:14:57|788|notepad.exe||3268|0|0|\Device\HarddiskVolume1\WINDOWS\system32\notepad.exe|||||||||8|0|1482752|5996544|||||0|1|||
561513671|2019/10/07 04:14:57|2056|wmiprvse.exe||680|0|0|\Device\HarddiskVolume1\WINDOWS\system32\wbem\wmiprvse.exe|||||||||8|0|2691072|8912896|||||0|7|||

Hotfixes:

sqlite> select * from sys_hotfixes;
710525376|2019/10/07 23:30:50|KB2115168
710525376|2019/10/07 23:30:50|KB2124261
710525376|2019/10/07 23:30:50|KB2229593
710525376|2019/10/07 23:30:50|KB2264107
710525376|2019/10/07 23:30:50|KB2270406
710525376|2019/10/07 23:30:50|KB2290570
710525376|2019/10/07 23:30:50|KB2296011
710525376|2019/10/07 23:30:50|KB2345886
710525376|2019/10/07 23:30:50|KB2347290
710525376|2019/10/07 23:30:50|KB2378111_WM9
710525376|2019/10/07 23:30:50|KB2387149
710525376|2019/10/07 23:30:50|KB2393802
710525376|2019/10/07 23:30:50|KB2419632
710525376|2019/10/07 23:30:50|KB2423089
710525376|2019/10/07 23:30:50|KB2440591
710525376|2019/10/07 23:30:50|KB2443105
710525376|2019/10/07 23:30:50|KB2454533-v2
710525376|2019/10/07 23:30:50|KB2467659
710525376|2019/10/07 23:30:50|KB2478960
710525376|2019/10/07 23:30:50|KB2478971
710525376|2019/10/07 23:30:50|KB2479943
710525376|2019/10/07 23:30:50|KB2483185
710525376|2019/10/07 23:30:50|KB2485663
710525376|2019/10/07 23:30:50|KB2491683
710525376|2019/10/07 23:30:50|KB2492386
710525376|2019/10/07 23:30:50|KB2498072
710525376|2019/10/07 23:30:50|KB2508429
710525376|2019/10/07 23:30:50|KB2509553
710525376|2019/10/07 23:30:50|KB2510531-IE8
710525376|2019/10/07 23:30:50|KB2510581
710525376|2019/10/07 23:30:50|KB2535512
710525376|2019/10/07 23:30:50|KB2536276-v2
710525376|2019/10/07 23:30:50|KB2544893
710525376|2019/10/07 23:30:50|KB2544893-v2
710525376|2019/10/07 23:30:50|KB2564958
710525376|2019/10/07 23:30:50|KB2566454
710525376|2019/10/07 23:30:50|KB2570947
710525376|2019/10/07 23:30:50|KB2584146
710525376|2019/10/07 23:30:50|KB2584577
710525376|2019/10/07 23:30:50|KB2585542
710525376|2019/10/07 23:30:50|KB2592799
710525376|2019/10/07 23:30:50|KB2598479
710525376|2019/10/07 23:30:50|KB2598845-IE8
710525376|2019/10/07 23:30:50|KB2603381
710525376|2019/10/07 23:30:50|KB2619339
710525376|2019/10/07 23:30:50|KB2620712
710525376|2019/10/07 23:30:50|KB2629462
710525376|2019/10/07 23:30:50|KB2631813
710525376|2019/10/07 23:30:50|KB2632503-IE8
710525376|2019/10/07 23:30:50|KB2653956
710525376|2019/10/07 23:30:50|KB2655992
710525376|2019/10/07 23:30:50|KB2659262
710525376|2019/10/07 23:30:50|KB2661637
710525376|2019/10/07 23:30:50|KB2686509
710525376|2019/10/07 23:30:50|KB2691442
710525376|2019/10/07 23:30:50|KB2698365
710525376|2019/10/07 23:30:50|KB2705219-v2
710525376|2019/10/07 23:30:50|KB2712808
710525376|2019/10/07 23:30:50|KB2719985
710525376|2019/10/07 23:30:50|KB2723135-v2
710525376|2019/10/07 23:30:50|KB2727528
710525376|2019/10/07 23:30:50|KB2749655
710525376|2019/10/07 23:30:50|KB2757638
710525376|2019/10/07 23:30:50|KB2758857
710525376|2019/10/07 23:30:50|KB2770660
710525376|2019/10/07 23:30:50|KB2780091
710525376|2019/10/07 23:30:50|KB2802968
710525376|2019/10/07 23:30:50|KB2803821-v2
710525376|2019/10/07 23:30:50|KB2807986
710525376|2019/10/07 23:30:50|KB2808679
710525376|2019/10/07 23:30:50|KB2813347-v2
710525376|2019/10/07 23:30:50|KB2820917
710525376|2019/10/07 23:30:50|KB2828030
710525376|2019/10/07 23:30:50|KB2834886
710525376|2019/10/07 23:30:50|KB2836198
710525376|2019/10/07 23:30:50|KB2845187
710525376|2019/10/07 23:30:50|KB2847311
710525376|2019/10/07 23:30:50|KB2849470
710525376|2019/10/07 23:30:50|KB2850869
710525376|2019/10/07 23:30:50|KB2859537
710525376|2019/10/07 23:30:50|KB2862152
710525376|2019/10/07 23:30:50|KB2862330
710525376|2019/10/07 23:30:50|KB2862335
710525376|2019/10/07 23:30:50|KB2864063
710525376|2019/10/07 23:30:50|KB2868038
710525376|2019/10/07 23:30:50|KB2868626
710525376|2019/10/07 23:30:50|KB2876217
710525376|2019/10/07 23:30:50|KB2876331
710525376|2019/10/07 23:30:50|KB2883150
710525376|2019/10/07 23:30:50|KB2884256
710525376|2019/10/07 23:30:50|KB2888505
710525376|2019/10/07 23:30:50|KB2888505-IE8
710525376|2019/10/07 23:30:50|KB2890882
710525376|2019/10/07 23:30:50|KB2892734
710525376|2019/10/07 23:30:50|KB2900986
710525376|2019/10/07 23:30:50|KB898461
710525376|2019/10/07 23:30:50|KB909520
710525376|2019/10/07 23:30:50|KB916157-v6
710525376|2019/10/07 23:30:50|KB922120-v6
710525376|2019/10/07 23:30:50|KB932578
710525376|2019/10/07 23:30:50|KB932716-v2
710525376|2019/10/07 23:30:50|KB942213
710525376|2019/10/07 23:30:50|KB942288-v3
710525376|2019/10/07 23:30:50|KB943232-v2
710525376|2019/10/07 23:30:50|KB944043
710525376|2019/10/07 23:30:50|KB946648
710525376|2019/10/07 23:30:50|KB947460
710525376|2019/10/07 23:30:50|KB948046-v2
710525376|2019/10/07 23:30:50|KB948101
710525376|2019/10/07 23:30:50|KB948720
710525376|2019/10/07 23:30:50|KB949127
710525376|2019/10/07 23:30:50|KB949900
710525376|2019/10/07 23:30:50|KB950616
710525376|2019/10/07 23:30:50|KB950974
710525376|2019/10/07 23:30:50|KB951126
710525376|2019/10/07 23:30:50|KB951376
710525376|2019/10/07 23:30:50|KB951531
710525376|2019/10/07 23:30:50|KB951618-v2
710525376|2019/10/07 23:30:50|KB951624
710525376|2019/10/07 23:30:50|KB951709
710525376|2019/10/07 23:30:50|KB951978
710525376|2019/10/07 23:30:50|KB952004
710525376|2019/10/07 23:30:50|KB952011
710525376|2019/10/07 23:30:50|KB952069_WM9
710525376|2019/10/07 23:30:50|KB952954
710525376|2019/10/07 23:30:50|KB953024
710525376|2019/10/07 23:30:50|KB953028
710525376|2019/10/07 23:30:50|KB953155
710525376|2019/10/07 23:30:50|KB953609
710525376|2019/10/07 23:30:50|KB953761
710525376|2019/10/07 23:30:50|KB954155_WM9
710525376|2019/10/07 23:30:50|KB954193
710525376|2019/10/07 23:30:50|KB954232
710525376|2019/10/07 23:30:50|KB954708
710525376|2019/10/07 23:30:50|KB954920
710525376|2019/10/07 23:30:50|KB955109
710525376|2019/10/07 23:30:50|KB955356
710525376|2019/10/07 23:30:50|KB955417
710525376|2019/10/07 23:30:50|KB955567
710525376|2019/10/07 23:30:50|KB955576
710525376|2019/10/07 23:30:50|KB955704
710525376|2019/10/07 23:30:50|KB955830-v2
710525376|2019/10/07 23:30:50|KB955988
710525376|2019/10/07 23:30:50|KB956048
710525376|2019/10/07 23:30:50|KB956391
710525376|2019/10/07 23:30:50|KB956572
710525376|2019/10/07 23:30:50|KB956844
710525376|2019/10/07 23:30:50|KB957931
710525376|2019/10/07 23:30:50|KB958149
710525376|2019/10/07 23:30:50|KB958244
710525376|2019/10/07 23:30:50|KB958347
710525376|2019/10/07 23:30:50|KB958817
710525376|2019/10/07 23:30:50|KB959267
710525376|2019/10/07 23:30:50|KB959334
710525376|2019/10/07 23:30:50|KB959465
710525376|2019/10/07 23:30:50|KB960071
710525376|2019/10/07 23:30:50|KB960417
710525376|2019/10/07 23:30:50|KB960680
710525376|2019/10/07 23:30:50|KB960859
710525376|2019/10/07 23:30:50|KB961118
710525376|2019/10/07 23:30:50|KB961187-v2
710525376|2019/10/07 23:30:50|KB961451-v2
710525376|2019/10/07 23:30:50|KB961503
710525376|2019/10/07 23:30:50|KB961605
710525376|2019/10/07 23:30:50|KB961742-v3
710525376|2019/10/07 23:30:50|KB967048-v2
710525376|2019/10/07 23:30:50|KB967756
710525376|2019/10/07 23:30:50|KB968389
710525376|2019/10/07 23:30:50|KB969084
710525376|2019/10/07 23:30:50|KB969557
710525376|2019/10/07 23:30:50|KB970254
710525376|2019/10/07 23:30:50|KB970430
710525376|2019/10/07 23:30:50|KB970483
710525376|2019/10/07 23:30:50|KB970553
710525376|2019/10/07 23:30:50|KB971029
710525376|2019/10/07 23:30:50|KB971165
710525376|2019/10/07 23:30:50|KB971234-v2
710525376|2019/10/07 23:30:50|KB971314
710525376|2019/10/07 23:30:50|KB971345
710525376|2019/10/07 23:30:50|KB971657
710525376|2019/10/07 23:30:50|KB972270
710525376|2019/10/07 23:30:50|KB972422
710525376|2019/10/07 23:30:50|KB972435
710525376|2019/10/07 23:30:50|KB972878
710525376|2019/10/07 23:30:50|KB973502
710525376|2019/10/07 23:30:50|KB973507
710525376|2019/10/07 23:30:50|KB973540_WM9
710525376|2019/10/07 23:30:50|KB973624
710525376|2019/10/07 23:30:50|KB973815
710525376|2019/10/07 23:30:50|KB973869
710525376|2019/10/07 23:30:50|KB973904
710525376|2019/10/07 23:30:50|KB974112
710525376|2019/10/07 23:30:50|KB974266
710525376|2019/10/07 23:30:50|KB974318
710525376|2019/10/07 23:30:50|KB974571
710525376|2019/10/07 23:30:50|KB975025
710525376|2019/10/07 23:30:50|KB975467
710525376|2019/10/07 23:30:50|KB975558_WM8
710525376|2019/10/07 23:30:50|KB975560
710525376|2019/10/07 23:30:50|KB975713
710525376|2019/10/07 23:30:50|KB975791
710525376|2019/10/07 23:30:50|KB976002-v5
710525376|2019/10/07 23:30:50|KB976323
710525376|2019/10/07 23:30:50|KB977816
710525376|2019/10/07 23:30:50|KB977914
710525376|2019/10/07 23:30:50|KB978338
710525376|2019/10/07 23:30:50|KB978542
710525376|2019/10/07 23:30:50|KB978695_WM9
710525376|2019/10/07 23:30:50|KB978706
710525376|2019/10/07 23:30:50|KB978835
710525376|2019/10/07 23:30:50|KB979099
710525376|2019/10/07 23:30:50|KB979309
710525376|2019/10/07 23:30:50|KB979482
710525376|2019/10/07 23:30:50|KB979687
710525376|2019/10/07 23:30:50|KB981073-v3
710525376|2019/10/07 23:30:50|KB981997
710525376|2019/10/07 23:30:50|KB982132
710525376|2019/10/07 23:30:50|KB982316
710525376|2019/10/07 23:30:50|KB982665
710525376|2019/10/07 23:30:50|KB983234-v2
710525376|2019/10/07 23:30:50|Q147222

Database tests. Windows XP

Upgrade from a version older than v3.8.0. The databases at queue/db/ must be updated.

Wazuh-manager version: 3.7.3

Wazuh-agent version: 3.7.2

sqlite> .tables
ciscat_results  pm_event        sys_netaddr     sys_osinfo      sys_programs  
fim_entry       scan_info       sys_netiface    sys_ports     
metadata        sys_hwinfo      sys_netproto    sys_processes

In this version we don't have vuln_metadata table in our DB. Let's upgrade our manager and agent to the related branch version.

sqlite> .tables
ciscat_results        sca_policy            sys_netproto        
fim_entry             sca_scan_info         sys_osinfo          
metadata              scan_info             sys_ports           
pm_event              sys_hotfixes          sys_processes       
sca_check             sys_hwinfo            sys_programs        
sca_check_compliance  sys_netaddr           vuln_metadata       
sca_check_rules       sys_netiface

Now we have vuln_metadata table, so the DB has been updated correctly.

Check that Syscollector info has been stored in the DB of the agent (queue/db/xxx.db).

root@Vela-PC:/var/ossec/queue/db# /var/ossec/bin/manage_agents -l

Available agents: 
   ID: 003, Name: vela-346a03f82a, IP: 192.168.0.99

root@Vela-PC:/var/ossec/queue/db# ls
000.db  000.db-shm  000.db-wal  003.db  003.db-shm  003.db-wal  wdb

Syscollector info has been stored in 003.db which is the DB of our agent.

Check that a new scan deletes the previous scan from the DB. [Search by scan_id].

sqlite> select scan_id from sys_ports;
970693641
970693641
970693641
970693641
970693641
sqlite> select scan_id from sys_ports;
1606040628
1606040628
1606040628
1606040628
1606040628

A new scan deletes the previous one.

Delete the DB of an agent (file 001.db for example) and send a new scan. Is the scan received? Is the DB restored when the manager is restarted?

root@Vela-PC:/var/ossec/queue/db# ls
000.db  000.db-shm  000.db-wal  003.db  003.db-shm  003.db-wal  wdb
root@Vela-PC:/var/ossec/queue/db# rm 003.db*
root@Vela-PC:/var/ossec/queue/db# ls
000.db  000.db-shm  000.db-wal  wdb
root@Vela-PC:/var/ossec/queue/db# systemctl restart wazuh-manager
root@Vela-PC:/var/ossec/queue/db# ls
000.db  000.db-shm  000.db-wal  003.db  003.db-shm  003.db-wal  wdb
root@Vela-PC:/var/ossec/queue/db# sqlite3 003.db
SQLite version 3.22.0 2018-01-22 18:45:57
Enter ".help" for usage hints.
sqlite> select * from sys
sys_hotfixes   sys_netaddr    sys_netproto   sys_ports      sys_programs   
sys_hwinfo     sys_netiface   sys_osinfo     sys_processes  sysname        
sqlite> select * from sys_hwinfo;
481523585|2019/10/07 23:38:48|0|Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz|1|2194.0|523760|372588|28

The scan is received after deleting the agent's DB and restarting the manager.

Test worked as expected.

I installed Windows agent from the vuln-windows branch, compiled the agent in Linux and generated the MSI installer in Windows from the related branch.

Check interval option Windows Server 2003

Test example 1.

Example Syscollector configuration:

<wodle name="syscollector">
    <disabled>no</disabled>
    <interval>2m</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
  </wodle>

Logs:

2019/10/08 10:49:43 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/08 10:49:44 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/08 10:51:43 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/08 10:51:46 wazuh-modulesd:syscollector: INFO: Evaluation finished.

DB:

sqlite> select * from sys_osinfo;
1664284770|2019/10/08 10:49:43|VELA-WS2003|i686|Microsoft Windows Server 2003|5.2.3790||5|2|3790||||5.2|sp1
sqlite> select * from sys_osinfo;
216318917|2019/10/08 10:51:43|VELA-WS2003|i686|Microsoft Windows Server 2003|5.2.3790||5|2|3790||||5.2|sp1

Test example 2.

We are going to modify syscollector configuration changing interval option by 3m.

As expected, we get a log report on the agent's log every 3 minutes:

2019/10/08 11:00:06 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/08 11:00:07 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/08 11:03:06 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/08 11:03:07 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/08 11:06:06 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/08 11:06:07 wazuh-modulesd:syscollector: INFO: Evaluation finished.

Also, we get our tables updated every 3 minutes on our manager:

sqlite> select * from sys_osinfo;
79339549|2019/10/08 11:00:06|VELA-WS2003|i686|Microsoft Windows Server 2003|5.2.3790||5|2|3790||||5.2|sp1
sqlite> select * from sys_osinfo;
1153414919|2019/10/08 11:03:06|VELA-WS2003|i686|Microsoft Windows Server 2003|5.2.3790||5|2|3790||||5.2|sp1
sqlite> select * from sys_osinfo;
34495637|2019/10/08 11:06:06|VELA-WS2003|i686|Microsoft Windows Server 2003|5.2.3790||5|2|3790||||5.2|sp1

Interval option runs as expected more than the very first time.

Send a Syscollector configuration by the shared conf. Windows Server 2003

Actually, on the agent's ossec.conf, this is my syscollector configuration:

<wodle name="syscollector">
    <disabled>yes</disabled>
    <interval>3m</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
  </wodle>

Syscollector is disabled. Let's enable it from the manager and change the interval option from 3m to 2m. 2019/10/08 11:10:45 wazuh-modulesd:syscollector: INFO: Module disabled. Exiting...

agent.conf file configuration:

<agent_config>

  <!-- Shared agent configuration here -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>2m</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
  </wodle>

</agent_config>

After restart the agent from the manager:

2019/10/08 11:13:18 wazuh-modulesd:syscollector: INFO: Module started.

2019/10/08 11:15:19 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/08 11:15:21 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/08 11:17:19 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/08 11:17:20 wazuh-modulesd:syscollector: INFO: Evaluation finished.

sqlite> select * from sys_hwinfo;
572775596|2019/10/08 11:15:21|0|Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz|1|2195.0|523736|383576|26
sqlite> select * from sys_hwinfo;
712453476|2019/10/08 11:17:19|0|Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz|1|2195.0|523736|383028|26

As we can see, previously we had a diferent Syscollector configuration which has been updated remotelly with the agent.conf.

It worked as expected.

Testing diferent options. Windows Server 2003

Operating system:

sqlite> select * from sys_osinfo;
579758372|2019/10/08 11:23:19|VELA-WS2003|i686|Microsoft Windows Server 2003|5.2.3790||5|2|3790||||5.2|sp1

Hardware:

sqlite> select * from sys_hwinfo;
266409670|2019/10/08 11:23:19|0|Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz|1|2195.0|523736|383708|26

Packages:

sqlite> select * from sys_programs;
1875678664|2019/10/08 11:23:19|win|Oracle VM VirtualBox Guest Additions 5.2.32||||Oracle Corporation||5.2.32.0|i686|||||||
1875678664|2019/10/08 11:23:19|win|Wazuh Agent||||Wazuh, Inc.|20191008|3.11.0|i686|||||||

Network interface:

sqlite> select * from sys_netiface;
1591552450|2019/10/08 11:23:19|Conexi�n de �rea local|Adaptador de escritorio MT PRO/1000 de Intel�|ethernet|up|1500|08:00:27:4D:9C:62|20229|2496|5919083|942339|1|0|0|0
1591552450|2019/10/08 11:23:19|Teredo Tunneling Pseudo-Interface|Teredo Tunneling Pseudo-Interface|tunnel|down|1280|FF:FF:FF:FF:FF:FF:FF:FF||||||||
1591552450|2019/10/08 11:23:19|6to4 Pseudo-Interface|6to4 Pseudo-Interface|tunnel|up|1280|FF:FF:FF:FF||||||||
1591552450|2019/10/08 11:23:19|Automatic Tunneling Pseudo-Interface|Automatic Tunneling Pseudo-Interface|tunnel|up|1280|0A:00:02:0F||||||||

Ports:

sqlite> select * from sys_ports;
808165481|2019/10/08 11:23:19|tcp|0.0.0.0|135|0.0.0.0|33021||||listening|876|svchost.exe
808165481|2019/10/08 11:23:19|tcp|0.0.0.0|445|0.0.0.0|2048||||listening|4|System
808165481|2019/10/08 11:23:19|tcp|0.0.0.0|1025|0.0.0.0|28822||||listening|552|lsass.exe
808165481|2019/10/08 11:23:19|tcp|10.0.2.15|139|0.0.0.0|34962||||listening|4|System
808165481|2019/10/08 11:23:19|tcp6|::|445|::|63561||||listening|4|System

Processes:

sqlite> select * from sys_processes;
1216213495|2019/10/08 11:23:19|0|System Idle Process||0|0|0|none|||||||||0|0|0|0|||||0|1|||
1216213495|2019/10/08 11:23:19|4|System||0|0|0|none|||||||||8|0|0|0|||||0|62|||
1216213495|2019/10/08 11:23:19|356|smss.exe||4|0|0|\Device\HarddiskVolume1\WINDOWS\system32\smss.exe|||||||||11|0|147456|618496|||||0|3|||
1216213495|2019/10/08 11:23:19|472|csrss.exe||356|0|6|\Device\HarddiskVolume1\WINDOWS\system32\csrss.exe|||||||||13|0|1781760|6168576|||||0|13|||
1216213495|2019/10/08 11:23:19|496|winlogon.exe||356|0|0|\Device\HarddiskVolume1\WINDOWS\system32\winlogon.exe|||||||||13|0|6090752|8704000|||||0|17|||
1216213495|2019/10/08 11:23:19|540|services.exe||496|0|1|\Device\HarddiskVolume1\WINDOWS\system32\services.exe|||||||||9|0|9281536|16596992|||||0|21|||
1216213495|2019/10/08 11:23:19|552|lsass.exe||496|0|0|\Device\HarddiskVolume1\WINDOWS\system32\lsass.exe|||||||||9|0|6774784|13475840|||||0|33|||
1216213495|2019/10/08 11:23:19|752|VBoxService.exe||540|0|0|\Device\HarddiskVolume1\WINDOWS\system32\VBoxService.exe|||||||||8|0|1224704|4747264|||||0|8|||
1216213495|2019/10/08 11:23:19|800|svchost.exe||540|0|0|\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe|||||||||8|0|749568|3272704|||||0|5|||
1216213495|2019/10/08 11:23:19|876|svchost.exe||540|0|0|\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe|||||||||8|0|1146880|4366336|||||0|11|||
1216213495|2019/10/08 11:23:19|928|svchost.exe||540|0|0|\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe|||||||||8|0|5128192|11018240|||||0|12|||
1216213495|2019/10/08 11:23:19|972|svchost.exe||540|0|0|\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe|||||||||8|0|1015808|4075520|||||0|13|||
1216213495|2019/10/08 11:23:19|1008|svchost.exe||540|1|0|\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe|||||||||8|0|12029952|28991488|||||0|44|||
1216213495|2019/10/08 11:23:19|1440|spoolsv.exe||540|0|0|\Device\HarddiskVolume1\WINDOWS\system32\spoolsv.exe|||||||||8|0|3162112|7528448|||||0|13|||
1216213495|2019/10/08 11:23:19|1464|msdtc.exe||540|0|0|\Device\HarddiskVolume1\WINDOWS\system32\msdtc.exe|||||||||8|0|1490944|5332992|||||0|13|||
1216213495|2019/10/08 11:23:19|1588|svchost.exe||540|0|0|\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe|||||||||8|0|462848|2461696|||||0|2|||
1216213495|2019/10/08 11:23:19|1624|svchost.exe||540|0|0|\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe|||||||||8|0|266240|1597440|||||0|2|||
1216213495|2019/10/08 11:23:19|1944|svchost.exe||540|0|0|\Device\HarddiskVolume1\WINDOWS\system32\svchost.exe|||||||||8|0|1404928|5255168|||||0|16|||
1216213495|2019/10/08 11:23:19|448|explorer.exe||432|0|1|\Device\HarddiskVolume1\WINDOWS\explorer.exe|||||||||8|0|10240000|29503488|||||0|12|||
1216213495|2019/10/08 11:23:19|924|VBoxTray.exe||448|0|0|\Device\HarddiskVolume1\WINDOWS\system32\VBoxTray.exe|||||||||8|0|995328|4591616|||||0|11|||
1216213495|2019/10/08 11:23:19|968|ctfmon.exe||448|0|0|\Device\HarddiskVolume1\WINDOWS\system32\ctfmon.exe|||||||||8|0|417792|2973696|||||0|1|||
1216213495|2019/10/08 11:23:19|1296|wmiprvse.exe||800|0|0|\Device\HarddiskVolume1\WINDOWS\system32\wbem\wmiprvse.exe|||||||||8|0|1601536|6643712|||||0|4|||
1216213495|2019/10/08 11:23:19|364|win32ui.exe||1940|0|0|\Device\HarddiskVolume1\Archivos de programa\ossec-agent\win32ui.exe|||||||||8|0|1118208|4698112|||||0|1|||
1216213495|2019/10/08 11:23:19|836|cmd.exe||448|0|0|\Device\HarddiskVolume1\WINDOWS\system32\cmd.exe|||||||||8|0|1454080|3153920|||||0|1|||
1216213495|2019/10/08 11:23:19|1656|wmiprvse.exe||800|0|0|\Device\HarddiskVolume1\WINDOWS\system32\wbem\wmiprvse.exe|||||||||8|0|1507328|6705152|||||0|7|||
1216213495|2019/10/08 11:23:19|2764|ossec-agent.exe||540|4|1|\Device\HarddiskVolume1\Archivos de programa\ossec-agent\ossec-agent.exe|||||||||8|0|11698176|24932352|||||0|19|||

Hotfixes:

sqlite> select * from sys_hotfixes;
1874783208|2019/10/08 11:25:19|Q147222

Database tests. Windows Server 2003

Upgrade from a version older than v3.8.0. The databases at queue/db/ must be updated.

Wazuh-manager version: 3.7.3
Wazuh-agent version: 3.7.2

sqlite> .tables
ciscat_results  pm_event        sys_netaddr     sys_osinfo      sys_programs  
fim_entry       scan_info       sys_netiface    sys_ports     
metadata        sys_hwinfo      sys_netproto    sys_processes

In this version we don't have vuln_metadata table in our DB. Let's upgrade our manager and agent to the related branch version.

sqlite> .tables
ciscat_results        sca_policy            sys_netproto        
fim_entry             sca_scan_info         sys_osinfo          
metadata              scan_info             sys_ports           
pm_event              sys_hotfixes          sys_processes       
sca_check             sys_hwinfo            sys_programs        
sca_check_compliance  sys_netaddr           vuln_metadata       
sca_check_rules       sys_netiface

Now we have vuln_metadata table, so the DB has been updated correctly.

Check that Syscollector info has been stored in the DB of the agent (queue/db/xxx.db).

root@Vela-PC:/var/ossec/queue/db# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: Vela-PC (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: vela-ws2003, IP: 192.168.0.99, Active

List of agentless devices:

root@Vela-PC:/var/ossec/queue/db# ls
000.db  000.db-shm  000.db-wal  001.db  001.db-shm  001.db-wal  wdb
root@Vela-PC:/var/ossec/queue/db# sqlite3 001.db
SQLite version 3.22.0 2018-01-22 18:45:57
Enter ".help" for usage hints.
sqlite> select * from sys_hwinfo;
515554477|2019/10/08 11:31:19|0|Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz|1|2195.0|523736|381444|27

Check that a new scan deletes the previous scan from the DB. [Search by scan_id].

sqlite> select scan_id from sys_osinfo;
1331196117

sqlite> select scan_id from sys_osinfo;
159005284

Delete the DB of an agent (file 001.db for example) and send a new scan. Is the scan received? Is the DB restored when the manager is restarted?

root@Vela-PC:/var/ossec/queue/db# ls
000.db  000.db-shm  000.db-wal  001.db  001.db-shm  001.db-wal  wdb
root@Vela-PC:/var/ossec/queue/db# rm 001*
root@Vela-PC:/var/ossec/queue/db# ls
000.db  000.db-shm  000.db-wal  wdb
root@Vela-PC:/var/ossec/queue/db# systemctl restart wazuh-manager
root@Vela-PC:/var/ossec/queue/db# ls
000.db  000.db-shm  000.db-wal  001.db  001.db-shm  001.db-wal  wdb

sqlite> select * from sys_osinfo;
1331196117|2019/10/08 11:29:19|VELA-WS2003|i686|Microsoft Windows Server 2003|5.2.3790||5|2|3790||||5.2|sp1

after removing agent's DB and restanting the manager, the scan is received and the DB restored.

It worked as expected.

Check interval option CentOS 5

Example Syscollector configuration:

<!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>2m</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
  </wodle>

Logs:

2019/10/09 12:10:49 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/09 12:10:53 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/09 12:12:49 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/09 12:12:52 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/09 12:14:49 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/09 12:14:53 wazuh-modulesd:syscollector: INFO: Evaluation finished.

Consults:

1875027997|2019/10/09 12:10:49|centos5|x86_64|CentOS Linux|5.11||5|11||centos|Linux|2.6.18-419.el5.centos.plus|#1 SMP Sat Feb 25 15:50:12 UTC 2017|
sqlite> select * from sys_osinfo;
66869581|2019/10/09 12:12:49|centos5|x86_64|CentOS Linux|5.11||5|11||centos|Linux|2.6.18-419.el5.centos.plus|#1 SMP Sat Feb 25 15:50:12 UTC 2017|
sqlite> select * from sys_osinfo;
904897234|2019/10/09 12:14:49|centos5|x86_64|CentOS Linux|5.11||5|11||centos|Linux|2.6.18-419.el5.centos.plus|#1 SMP Sat Feb 25 15:50:12 UTC 2017|

Change interval option from 2m to 3m.

Logs:

2019/10/09 12:18:02 wazuh-modulesd:syscollector: INFO: Module started.
2019/10/09 12:18:03 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/09 12:18:06 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/09 12:21:03 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/09 12:21:08 wazuh-modulesd:syscollector: INFO: Evaluation finished.

Consults:

sqlite> select * from sys_osinfo;
88335618|2019/10/09 12:18:03|centos5|x86_64|CentOS Linux|5.11||5|11||centos|Linux|2.6.18-419.el5.centos.plus|#1 SMP Sat Feb 25 15:50:12 UTC 2017|
105581116|2019/10/09 12:21:04|centos5|x86_64|CentOS Linux|5.11||5|11||centos|Linux|2.6.18-419.el5.centos.plus|#1 SMP Sat Feb 25 15:50:12 UTC 2017|

It worked as expected.

Send a Syscollector configuration by the shared conf. CentOS 5

ossec.conf configuration:

<!-- System inventory -->
  <wodle name="syscollector">
    <disabled>yes</disabled>
    <interval>3m</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
  </wodle>

As we can see, syscollector is disabled:

2019/10/09 12:24:03 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/09 12:24:07 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/09 12:24:28 wazuh-modulesd:syscollector: INFO: Module finished.
2019/10/09 12:24:30 wazuh-modulesd:syscollector: INFO: Module disabled. Exiting...

agent.conf configuration:

<agent_config>
  <!-- Shared agent configuration here -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>2m</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
  </wodle>
</agent_config>

Logs:

2019/10/09 12:27:27 wazuh-modulesd:syscollector: INFO: Module started.
2019/10/09 12:27:28 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/09 12:27:36 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/09 12:29:28 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/09 12:29:33 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2019/10/09 12:31:28 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2019/10/09 12:31:32 wazuh-modulesd:syscollector: INFO: Evaluation finished.

Consults:

sqlite> select * from sys_osinfo;
1569118939|2019/10/09 12:29:28|centos5|x86_64|CentOS Linux|5.11||5|11||centos|Linux|2.6.18-419.el5.centos.plus|#1 SMP Sat Feb 25 15:50:12 UTC 2017|
158280889|2019/10/09 12:31:28|centos5|x86_64|CentOS Linux|5.11||5|11||centos|Linux|2.6.18-419.el5.centos.plus|#1 SMP Sat Feb 25 15:50:12 UTC 2017|

It worked as expected.

Testing diferent options. CentOS 5

Operating system:

sqlite> select * from sys_osinfo;
1615966422|2019/10/09 12:49:28|centos5|x86_64|CentOS Linux|5.11||5|11||centos|Linux|2.6.18-419.el5.centos.plus|#1 SMP Sat Feb 25 15:50:12 UTC 2017|

Hardware:

sqlite> select * from sys_hwinfo;
1137136219|2019/10/09 12:51:28|unknown|Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz|2|2194.918|509660|6412|99

Packages:

sqlite> select * from sys_programs;
1134082791|2019/10/09 12:51:28|rpm|nash||System Environment/Base|2397|CentOS|2018/12/27 21:34:50|5.1.19.6-82.el5|x86_64|||nash shell||||
1134082791|2019/10/09 12:51:28|rpm|filesystem||System Environment/Base|0|CentOS|2018/12/27 21:34:50|2.4.0-3.el5.centos|x86_64|||The basic directory layout for a Linux system.||||
1134082791|2019/10/09 12:51:28|rpm|termcap||System Environment/Base|788|CentOS|2018/12/27 21:34:51|1:5.5-1.20060701.1|noarch|||The terminal feature database used by certain applications.||||
1134082791|2019/10/09 12:51:28|rpm|zlib||System Environment/Libraries|86|CentOS|2018/12/27 21:34:59|1.2.3-7.el5|x86_64|||The zlib compression and decompression library.||||
1134082791|2019/10/09 12:51:28|rpm|mktemp||System Environment/Base|15|CentOS|2018/12/27 21:34:59|3:1.5-24.el5|x86_64|||A small utility for safely making /tmp files.||||
1134082791|2019/10/09 12:51:28|rpm|audit-libs||Development/Libraries|152|CentOS|2018/12/27 21:34:59|1.8-2.el5|x86_64|||Dynamic library for libaudit||||
1134082791|2019/10/09 12:51:28|rpm|libtermcap||System Environment/Libraries|13|CentOS|2018/12/27 21:34:59|2.0.8-46.1|x86_64|||A basic system library for accessing the termcap database.||||
1134082791|2019/10/09 12:51:28|rpm|info||System Environment/Base|279|CentOS|2018/12/27 21:35:00|4.8-14.el5|x86_64|||A stand-alone TTY-based reader for GNU texinfo documentation.||||
1134082791|2019/10/09 12:51:28|rpm|ncurses||System Environment/Libraries|2951|CentOS|2018/12/27 21:35:02|5.5-24.20060715|x86_64|||A terminal handling library||||
1134082791|2019/10/09 12:51:28|rpm|sqlite||Applications/Databases|401|CentOS|2018/12/27 21:35:02|3.3.6-7|x86_64|||Library that implements an embeddable SQL database engine||||
1134082791|2019/10/09 12:51:28|rpm|sed||Applications/Text|327|CentOS|2018/12/27 21:35:02|4.1.5-8.el5|x86_64|||A GNU stream text editor.||||
...

Network interface:

sqlite> select * from sys_netiface;
1813942187|2019/10/09 12:51:28|eth0||ethernet|up|1500|08:00:27:41:a9:64|24918|8159|6962616|3564978|0|0|0|0
1813942187|2019/10/09 12:51:28|eth1||ethernet|up|1500|08:00:27:da:cf:8f|22|111|1356|22200|0|0|0|0
1813942187|2019/10/09 12:51:28|sit0||tunnel|down|1480|00:00:00:00|0|0|0|0|0|0|0|0

Ports:

sqlite> select * from sys_ports;
786824305|2019/10/09 12:53:30|tcp|0.0.0.0|2049|0.0.0.0|0|0|0|5276|listening||
786824305|2019/10/09 12:53:30|tcp|0.0.0.0|1003|0.0.0.0|0|0|0|5298|listening||
786824305|2019/10/09 12:53:30|tcp|0.0.0.0|812|0.0.0.0|0|0|0|4776|listening||
786824305|2019/10/09 12:53:30|tcp|0.0.0.0|111|0.0.0.0|0|0|0|4620|listening||
786824305|2019/10/09 12:53:30|tcp|0.0.0.0|22|0.0.0.0|0|0|0|5072|listening||
786824305|2019/10/09 12:53:30|tcp|0.0.0.0|33495|0.0.0.0|0|0|0|5280|listening||
786824305|2019/10/09 12:53:30|tcp6|::|22|::|0|0|0|5070|listening||

Processes:

sqlite> select * from sys_processes;
1887090680|2019/10/09 12:53:30|1|init|S|0|0|51|init [3]||root|root|root|root|root|root|root|15|0|2593|10372|200|167|5|1|1|1|1|0|1
1887090680|2019/10/09 12:53:30|2|migration/0|S|1|0|7|||root|root|root|root|root|root|root||-5|0|0|0|0|11|1|1|1|2|0|0
1887090680|2019/10/09 12:53:30|3|ksoftirqd/0|S|1|0|0|||root|root|root|root|root|root|root|34|19|0|0|0|0|11|1|1|1|3|0|0
1887090680|2019/10/09 12:53:30|4|watchdog/0|S|1|0|0|||root|root|root|root|root|root|root||-5|0|0|0|0|11|1|1|1|4|0|0
1887090680|2019/10/09 12:53:30|5|migration/1|S|1|0|5|||root|root|root|root|root|root|root||-5|0|0|0|0|11|1|1|1|5|0|1
1887090680|2019/10/09 12:53:30|6|ksoftirqd/1|S|1|0|0|||root|root|root|root|root|root|root|34|19|0|0|0|0|11|1|1|1|6|0|1
1887090680|2019/10/09 12:53:30|7|watchdog/1|S|1|0|0|||root|root|root|root|root|root|root||-5|0|0|0|0|11|1|1|1|7|0|1
1887090680|2019/10/09 12:53:30|8|events/0|S|1|0|116|||root|root|root|root|root|root|root|10|-5|0|0|0|0|42|1|1|1|8|0|0
1887090680|2019/10/09 12:53:30|9|events/1|S|1|0|0|||root|root|root|root|root|root|root|10|-5|0|0|0|0|42|1|1|1|9|0|1
1887090680|2019/10/09 12:53:30|10|khelper|S|1|0|0|||root|root|root|root|root|root|root|10|-5|0|0|0|0|42|1|1|1|10|0|1

Hotfixes: This option is only available on Windows.

It worked as expected.

Database tests. CentOS 5

Upgrade from a version older than v3.8.0. The databases at queue/db/ must be updated.

Wazuh v 3.7 tables:

sqlite> .tables
ciscat_results  pm_event        sys_netaddr     sys_osinfo      sys_programs  
fim_entry       scan_info       sys_netiface    sys_ports     
metadata        sys_hwinfo      sys_netproto    sys_processes

After updating to our brach:

sqlite> .tables
ciscat_results        sca_policy            sys_netproto        
fim_entry             sca_scan_info         sys_osinfo          
metadata              scan_info             sys_ports           
pm_event              sys_hotfixes          sys_processes       
sca_check             sys_hwinfo            sys_programs        
sca_check_compliance  sys_netaddr           vuln_metadata       
sca_check_rules       sys_netiface

Check that Syscollector info has been stored in the DB of the agent (queue/db/xxx.db).

root@Vela-PC:/var/ossec/queue/db# /var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
   ID: 000, Name: Vela-PC (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: centos5, IP: 10.0.0.1, Active

List of agentless devices:

root@Vela-PC:/var/ossec/queue/db# sqlite3 001.db
SQLite version 3.22.0 2018-01-22 18:45:57
Enter ".help" for usage hints.
sqlite> select * from sys_osinfo;
47141211|2019/10/09 13:01:28|centos5|x86_64|CentOS Linux|5.11||5|11||centos|Linux|2.6.18-419.el5.centos.plus|#1 SMP Sat Feb 25 15:50:12 UTC 2017|

Check that a new scan deletes the previous scan from the DB. [Search by scan_id].

sqlite> select scan_id from sys_osinfo;
183729761
sqlite> select scan_id from sys_osinfo;
47141211

Delete the DB of an agent (file 001.db for example) and send a new scan. Is the scan received? Is the DB restored when the manager is restarted?

root@Vela-PC:/var/ossec/queue/db# ls
000.db      000.db-wal  001.db-shm  wdb
000.db-shm  001.db      001.db-wal
root@Vela-PC:/var/ossec/queue/db# rm 001*
root@Vela-PC:/var/ossec/queue/db# ls
000.db  000.db-shm  000.db-wal  wdb
root@Vela-PC:/var/ossec/queue/db# systemctl restart wazuh-manager
root@Vela-PC:/var/ossec/queue/db# ls
000.db      000.db-wal  001.db-shm  wdb
000.db-shm  001.db      001.db-wal
root@Vela-PC:/var/ossec/queue/db# sqlite3 001.db
SQLite version 3.22.0 2018-01-22 18:45:57
Enter ".help" for usage hints.
sqlite> select * from sys_osinfo;
183729761|2019/10/09 12:59:28|centos5|x86_64|CentOS Linux|5.11||5|11||centos|Linux|2.6.18-419.el5.centos.plus|#1 SMP Sat Feb 25 15:50:12 UTC 2017|

It worked as expected.

wazuh / wazuh-qa

Test Syscollector v3.11.0 #176

Syscollector test

Scan

Configuration

Database

Check interval option Windows Server 2019

Test example 1.

Test example 2.

Extra test.

Send a Syscollector configuration by the shared conf. Windows Server 2019

Testing diferent options. Windows Server 2019

Database tests. Windows Server 2019

Upgrade from a version older than v3.8.0. The databases at queue/db/ must be updated.

Check that Syscollector info has been stored in the DB of the agent (queue/db/xxx.db).

Check that a new scan deletes the previous scan from the DB. [Search by scan_id].

Delete the DB of an agent (file 001.db for example) and send a new scan. Is the scan received? Is the DB restored when the manager is restarted?

Check interval option Windows XP

Test example 1.

Test example 2.

Send a Syscollector configuration by the shared conf. Windows XP

Testing diferent options. Windows XP

Database tests. Windows XP

Upgrade from a version older than v3.8.0. The databases at queue/db/ must be updated.

Check that Syscollector info has been stored in the DB of the agent (queue/db/xxx.db).

Check that a new scan deletes the previous scan from the DB. [Search by scan_id].

Delete the DB of an agent (file 001.db for example) and send a new scan. Is the scan received? Is the DB restored when the manager is restarted?

Check interval option Windows Server 2003

Test example 1.

Test example 2.

Send a Syscollector configuration by the shared conf. Windows Server 2003

Testing diferent options. Windows Server 2003

Database tests. Windows Server 2003

Upgrade from a version older than v3.8.0. The databases at queue/db/ must be updated.

Check that Syscollector info has been stored in the DB of the agent (queue/db/xxx.db).

Check that a new scan deletes the previous scan from the DB. [Search by scan_id].

Delete the DB of an agent (file 001.db for example) and send a new scan. Is the scan received? Is the DB restored when the manager is restarted?

Check interval option CentOS 5

Send a Syscollector configuration by the shared conf. CentOS 5

Testing diferent options. CentOS 5

Database tests. CentOS 5

Upgrade from a version older than v3.8.0. The databases at queue/db/ must be updated.

Check that Syscollector info has been stored in the DB of the agent (queue/db/xxx.db).

Check that a new scan deletes the previous scan from the DB. [Search by scan_id].

Delete the DB of an agent (file 001.db for example) and send a new scan. Is the scan received? Is the DB restored when the manager is restarted?