Syscollector

The Syscollector module collects system inventory information from Wazuh agents and detects changes in system state over time. It module has been enhanced with a reliable synchronization mechanism that ensures system inventory changes are persisted and synchronized with the manager even during network interruptions or agent restarts.

The module implements a dual event system that provides both real-time alerts and reliable state synchronization. It leverages the Agent Sync Protocol to persist differences in a local SQLite database and synchronizes them periodically with the manager through a session-based protocol.

Syscollector persistence supports stateful synchronization for complete system inventory including hardware, OS, network, packages, ports, processes, users, groups, services, and browser extensions, while maintaining stateless real-time events for immediate inventory change detection.

Note: Starting in version 5.0, vulnerability detection operates as an independent module separate from Syscollector, with its own synchronization protocol.

Overview

Syscollector performs periodic scans to gather inventory data and only sends changes to the Wazuh manager, providing efficient monitoring of system state across your infrastructure.

Key Features

Comprehensive Inventory: Collects hardware, OS, packages, network, processes, users, services, and browser extensions
Change Detection: Only reports modifications, not full inventory
Cross-Platform: Supports Windows, Linux, macOS, and Unix systems
Configurable: Flexible scan intervals and component selection
Local Storage: SQLite database for change detection and state persistence
Document Limits: Manager-controlled limits on synchronized items per inventory type to optimize resource consumption
Automatic Data Cleanup: When individual collectors (packages, OS, hotfixes, etc.) are disabled, Syscollector automatically notifies the manager and cleans up associated data

How It Works

Periodic Scanning: Collects current system inventory based on configured interval
Change Detection: Compares with previous scan stored in local SQLite database
Delta Events: Generates events only for changes (additions, modifications, deletions)
Event Transmission: Sends inventory events to manager for processing and indexing

Inventory Categories

Category	Description	Platforms
Hardware	CPU, memory, storage specifications	All
Operating System	OS version, kernel, architecture	All
Packages	Installed software and applications	All
Network Interfaces	Network configuration and traffic stats	All
Network Addresses	IP addresses and network settings	All
Network Protocols	Protocol configuration (DHCP, routes)	All
Ports	Open network ports and listening services	All
Processes	Running processes and resource usage	All
Users	System user accounts and properties	All
Groups	System groups and membership	All
Services	System services and their status	All
Browser Extensions	Installed browser add-ons	All
Hotfixes	Windows updates and patches	Windows only

Quick Start

Basic Configuration

Add to your agent's ossec.conf:

xml

<wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>

    <!-- Enable inventory categories -->
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports>yes</ports>
    <processes>yes</processes>
    <users>yes</users>
    <groups>yes</groups>
    <services>yes</services>
    <browser_extensions>yes</browser_extensions>
    <hotfixes>yes</hotfixes> <!-- Windows only -->
</wodle>

Verify Operation

Check that syscollector is running:

bash

grep syscollector /var/ossec/logs/ossec.log

Documentation

Document	Description
Configuration	Complete configuration options and examples
Architecture	Technical architecture and data flow
Events	Event formats and field reference
Database Schema	Local SQLite database structure
API Reference	Internal APIs and integration details