chemamartinez
commented
4 years ago Unix sockets list
Wazuh DB
queue/db/wdb
- socket purpose: entry point for Wazuh DB manager only.
Clients
- Auth daemon: manage agents.
- Analysis daemon: Store events, query information to databases, etc.
- Agent control tool: Query FIM scan timestamps
Auth daemon
queue/ossec/auth
- socket purpose: Requests for agents registration manager only.
Clients
- Manage agents tool: handle the agents registration
- Monitor daemon: removing old agents
- API
Analysis and agent daemons
queue/ossec/queue
- socket purpose: this socket is created by
ossec-analysisdin managers and byossec-agentdin agents. Its purpose in both cases is to receive the events from the rest of the modules to be analyzed or forwarded.
Clients
- Agentless daemon: send events from the
agentlessservice manager only. - Monitor daemon: send monitoring events to the analysis engine manager only.
- Remote daemon: forward secure and syslog events manager only.
- Wazuh modules: send events from the modules (Vulnerability Detector, SCA, Syscollector, CIS-CAT, AWS, Azure, Command, and OSQuery)
- VirusTotal integration: send events from the VirusTotal integration.
queue/ossec/analysis
- socket purpose: request the active configuration of the analysis daemon manager only.
Clients
Remote daemon
queue/ossec/request
- socket purpose: Receive configuration requests manager only.
Clients
Wazuh modules
queue/alerts/cfgaq
- socket purpose: Receive sync requests from Analysisd to the SCA module manager only.
Clients -Analysis daemon
queue/alerts/cfgarq
- socket purpose: Receive sync requests from Remoted to the SCA module manager only.
Clients -Remote daemon
queue/ossec/control
- socket purpose: the agent daemon requests to this socket the agent IP address agent only.
Clients
- Agent daemon: query the agent IP
queue/ossec/download
- socket purpose: socket to send requests in order to download resources.
Clients
- Remote daemon: Download shared files from an external repository.
- Vulnerability Detector (Wazuh modules): Fetch vulnerability feeds.
queue/ossec/krequest
- socket purpose: Agent key polling socket.
Clients
- Remote daemon: pull agent keys.
queue/ossec/wmodules
- socket purpose: Request modules configuration.
Clients
- API: request Wazuh modules config from the API.
- Agent daemon: request Wazuh modules config in agents.
Logcollector daemon
queue/ossec/logcollector
- socket purpose: Request Logcollector active configuration
Clients
- Agent daemon: query the Logcollector configuration
Syscheck daemon
queue/ossec/syscheck
- socket purpose: Request Syscheck active configuration
Clients
- Agent daemon: query the Syscheck configuration
Exec daemon
queue/ossec/com
- socket purpose: Socket to send requests to Execd.
Clients
- Agent daemon: restart an agent.
queue/alerts/execq
- socket purpose: execute commands from the manager and agent daemons.
Clients
queue/alerts/execa
- socket purpose: execute commands from the API.
Clients
queue/alerts/ar
- socket purpose: forward active responses.
Clients
Mail daemon
queue/ossec/mail
- socket purpose: Socket to query the mail daemon configuration manager only.
Clients
Agentless daemon
queue/ossec/agentless
- socket purpose: Socket to query the Agentless daemon configuration manager only.
Clients
Integrator daemon
queue/ossec/integrator
- socket purpose: Socket to query the Integrator daemon configuration manager only.
Clients
Syslog daemon
queue/ossec/csyslog
- socket purpose: Socket to query the Syslog daemon configuration manager only.
Clients
Monitor daemon
queue/ossec/monitor
- socket purpose: Socket to query the Monitor daemon configuration manager only.
Clients
Cluster daemon
queue/ossec/c-internal.sock
- socket purpose: Socket to query the Cluster config and manage agents manager only.
Clients
Description
The aim of this issue is to set a standard communication protocol for all the daemons and components of the Wazuh core product.
Once the protocol is defined it must be applied to all the components that exchange messages internally, in both agent and manager.
High-level tasks