Source: docs/ref/modules/syscollector/events.md
Events Reference

This document describes the event formats generated by the Syscollector module in Wazuh. These events use Wazuh's custom field structure for inventory data.

Event Structure

All Syscollector events share a common structure based on the component type:

```json
{
    "data":
    {
        "checksum": "26db1e87e1cb563512707363adeabaecdd7ae11a",
        "item_id": "c3cbf3edb7c5565edb919ccb2475845270839642",
        "scan_time": "2025/09/18 13:45:48",
        // ... component-specific fields
    },
    "operation": "INSERTED",
    "type": "dbsync_network_iface"
}
```
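A consumer of these events should validate the envelope before storing anything. The following parser is an added example and not part of Wazuh's own code: it checks that `data`, `operation` and `type` are present, accepts only the operation values shown in this document, strips the `dbsync_` prefix from `type` to obtain the category, parses `scan_time` in the `YYYY/MM/DD HH:MM:SS` form used throughout, and maps the single-space placeholder that the examples use for empty fields to `None`. The sample events are constructed from the network interface and package examples on this page.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime
from typing import Any, Dict, Optional

# Operation values shown in this document; anything else is rejected rather than guessed at.
KNOWN_OPERATIONS = {"INSERTED", "MODIFIED"}
TYPE_PREFIX = "dbsync_"
SCAN_TIME_FORMAT = "%Y/%m/%d %H:%M:%S"
ENVELOPE_FIELDS = ("scan_time", "checksum", "item_id")


@dataclass
class SyscollectorEvent:
    category: str                # event type without the dbsync_ prefix, e.g. "network_iface"
    operation: str               # INSERTED or MODIFIED
    scan_time: datetime
    checksum: str                # compared as an opaque string; its format varies by category
    item_id: Optional[str]       # None for categories that do not carry an item_id
    fields: Dict[str, Any] = field(default_factory=dict)


def normalize_value(value: Any) -> Any:
    """Turn the single-space placeholder used for empty fields into None and trim strings."""
    if isinstance(value, str):
        stripped = value.strip()
        return stripped if stripped else None
    return value


def parse_event(raw: str) -> SyscollectorEvent:
    """Validate the common envelope and return a normalized event.

    A malformed envelope raises ValueError so that bad input is never silently stored.
    """
    doc = json.loads(raw)
    if not isinstance(doc, dict):
        raise ValueError("event must be a JSON object")
    for key in ("data", "operation", "type"):
        if key not in doc:
            raise ValueError(f"missing envelope key: {key}")
    operation = doc["operation"]
    if operation not in KNOWN_OPERATIONS:
        raise ValueError(f"unknown operation: {operation!r}")
    etype = doc["type"]
    if not isinstance(etype, str) or not etype.startswith(TYPE_PREFIX):
        raise ValueError(f"unexpected event type: {etype!r}")
    data = doc["data"]
    if not isinstance(data, dict):
        raise ValueError("data must be a JSON object")
    try:
        scan_time = datetime.strptime(data["scan_time"], SCAN_TIME_FORMAT)
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError("missing or malformed scan_time") from exc

    fields = {k: normalize_value(v) for k, v in data.items() if k not in ENVELOPE_FIELDS}
    return SyscollectorEvent(
        category=etype[len(TYPE_PREFIX):],
        operation=operation,
        scan_time=scan_time,
        checksum=str(data.get("checksum", "")),
        item_id=normalize_value(data.get("item_id")),
        fields=fields,
    )


def is_valid_event(raw: str) -> bool:
    """Convenience wrapper for filtering pipelines: True when the envelope parses."""
    try:
        parse_event(raw)
        return True
    except ValueError:
        return False


# Constructed samples: the network interface example from this document, and a
# package-style record carrying the " " placeholder in an empty field.
SAMPLE_IFACE_EVENT = json.dumps({
    "data": {
        "checksum": "9f354e321cea8beb065c4d426535796929f9e42f",
        "item_id": "689c849c40783292622ce604316663b0c766f6f5",
        "mac": "08:00:27:d4:46:39", "mtu": 1500, "name": "eth1",
        "scan_time": "2025/09/18 13:45:48", "state": "up", "type": "ethernet",
    },
    "operation": "INSERTED",
    "type": "dbsync_network_iface",
})

SAMPLE_PACKAGE_EVENT = json.dumps({
    "data": {
        "checksum": "b72f2ddac7476f3c54b26d3ec28b8f68d9cfed7e",
        "item_id": "5780194be938f3784d9a135d89a8931b8b4b9fb0",
        "name": "libjs-sphinxdoc", "version": "7.2.6-6", "location": " ",
        "scan_time": "2025/09/18 13:45:48",
    },
    "operation": "INSERTED",
    "type": "dbsync_packages",
})

if __name__ == "__main__":
    for raw in (SAMPLE_IFACE_EVENT, SAMPLE_PACKAGE_EVENT):
        ev = parse_event(raw)
        print(ev.category, ev.operation, ev.scan_time.isoformat(), ev.item_id, ev.fields)
```

Rejecting unknown operation values rather than mapping them to a default keeps a schema change on the agent side from being silently recorded as an insert or update.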

Inventory Categories

Hardware Events

Generated when hardware configuration changes.

Hardware Event Fields

  • board_serial - Motherboard serial number
  • cpu_name - CPU model name
  • cpu_cores - Number of CPU cores
  • cpu_mhz - CPU frequency in MHz
  • ram_total - Total RAM in KB
  • ram_free - Available RAM in KB
  • ram_usage - Used RAM percentage

Event Example

```json
{
    "data":
    {
        "board_serial": "0",
        "checksum": "752e394b1d19ba29ca3fef9df2c96c0cbf0374af",
        "cpu_cores": 8,
        "cpu_mhz": 3800.0,
        "cpu_name": "AMD Ryzen 7 5800X 8-Core Processor",
        "ram_free": 14077916,
        "ram_total": 16375868,
        "ram_usage": 15,
        "scan_time": "2025/09/18 13:46:04"
    },
    "operation": "MODIFIED",
    "type": "dbsync_hwinfo"
}
```

Operating System Events

Generated when OS information changes.

OS Event Fields

  • hostname - System hostname
  • architecture - System architecture (x86_64, arm64, etc.)
  • os_name - Operating system name
  • os_major - OS major version number
  • os_minor - OS minor version number
  • os_codename - OS codename/release name
  • os_platform - OS platform identifier
  • os_version - Complete OS version string
  • release - Kernel release version
  • sysname - System name (Linux, Windows, etc.)
  • version - Detailed kernel/OS version

Event Example

```json
{
    "data":
    {
        "architecture": "x86_64",
        "checksum": "1758203148259835853",
        "hostname": "noble",
        "os_codename": "noble",
        "os_major": "24",
        "os_minor": "04",
        "os_name": "Ubuntu",
        "os_platform": "ubuntu",
        "os_version": "24.04 LTS (Noble Numbat)",
        "release": "6.8.0-31-generic",
        "scan_time": "2025/09/18 13:45:48",
        "sysname": "Linux",
        "version": "#31-Ubuntu SMP PREEMPT_DYNAMIC Sat Apr 20 00:40:06 UTC 2024"
    },
    "operation": "INSERTED",
    "type": "dbsync_osinfo"
}
```

Packages Events

Generated when software packages are installed, updated, or removed.

Package Event Fields

  • name - Package name
  • version - Package version
  • vendor - Software vendor
  • format - Package format (deb, rpm, msi, etc.)
  • architecture - Architecture (amd64, x86_64, etc.)
  • size - Package size in bytes
  • description - Package description
  • install_time - Installation timestamp
  • location - Installation path
  • priority - Package priority
  • groups - Package category/group
  • source - Source package name
  • multiarch - Multi-architecture support

Event Example

```json
{
    "data":
    {
        "architecture": "all",
        "checksum": "b72f2ddac7476f3c54b26d3ec28b8f68d9cfed7e",
        "description": "JavaScript support for Sphinx documentation",
        "format": "deb",
        "groups": "javascript",
        "install_time": " ",
        "item_id": "5780194be938f3784d9a135d89a8931b8b4b9fb0",
        "location": " ",
        "multiarch": "foreign",
        "name": "libjs-sphinxdoc",
        "priority": "optional",
        "scan_time": "2025/09/18 13:45:48",
        "size": 204800,
        "source": "sphinx",
        "vendor": "Debian Python Team",
        "version": "7.2.6-6"
    },
    "operation": "INSERTED",
    "type": "dbsync_packages"
}
```

Network Interface Events

Generated when network interface configuration changes.

Network Interface Event Fields

  • name - Interface name
  • adapter - Adapter identifier
  • type - Interface type
  • state - Interface state (up/down)
  • mtu - Maximum transmission unit
  • mac - MAC address
  • tx_packets - Transmitted packets
  • rx_packets - Received packets
  • tx_bytes - Transmitted bytes
  • rx_bytes - Received bytes
  • tx_errors - Transmission errors
  • rx_errors - Reception errors
  • tx_dropped - Dropped transmissions
  • rx_dropped - Dropped receptions

Event Example

```json
{
    "data":
    {
        "checksum": "9f354e321cea8beb065c4d426535796929f9e42f",
        "item_id": "689c849c40783292622ce604316663b0c766f6f5",
        "mac": "08:00:27:d4:46:39",
        "mtu": 1500,
        "name": "eth1",
        "rx_bytes": 3745889,
        "rx_dropped": 0,
        "rx_errors": 0,
        "rx_packets": 18227,
        "scan_time": "2025/09/18 13:45:48",
        "state": "up",
        "tx_bytes": 8219746,
        "tx_dropped": 0,
        "tx_errors": 0,
        "tx_packets": 18547,
        "type": "ethernet"
    },
    "operation": "INSERTED",
    "type": "dbsync_network_iface"
}
```

Network Address Events

Generated when network address configuration changes.

Network Address Event Fields

  • iface - Interface name
  • proto - Protocol (0=ipv4, 1=ipv6)
  • address - IP address
  • netmask - Network mask
  • broadcast - Broadcast address

Event Example

```json
{
    "data":
    {
        "address": "10.0.2.15",
        "broadcast": "10.0.2.255",
        "checksum": "05d2d949e2507040eafacffeb3c9d91dd8d4f5dc",
        "iface": "eth0",
        "item_id": "e499c93734efd5b7664bdd6f17a40f56b178b82d",
        "netmask": "255.255.255.0",
        "proto": 0,
        "scan_time": "2025/09/18 13:45:48"
    },
    "operation": "INSERTED",
    "type": "dbsync_network_address"
}
```

Network Protocol Events

Generated when network protocol configuration changes.

Network Protocol Event Fields

  • iface - Interface name
  • type - Protocol type (ipv4/ipv6)
  • gateway - Gateway address
  • dhcp - DHCP status (enabled/disabled/unknown)
  • metric - Route metric

Event Example

```json
{
    "data":
    {
        "checksum": "8203e61612bcec28e1c741b30f2f124803155885",
        "dhcp": "unknown",
        "gateway": "10.0.2.2",
        "iface": "eth0",
        "item_id": "f19629d858393054b7075ec6db3d778db7f18f30",
        "metric": "100",
        "scan_time": "2025/09/18 13:45:48",
        "type": "ipv4"
    },
    "operation": "INSERTED",
    "type": "dbsync_network_protocol"
}
```

Ports Events

Generated when network ports are opened or closed.

Port Event Fields

  • protocol - Network protocol (tcp, tcp6, udp, udp6)
  • local_ip - Local IP address
  • local_port - Local port number
  • remote_ip - Remote IP address
  • remote_port - Remote port number
  • tx_queue - Transmit queue size
  • rx_queue - Receive queue size
  • inode - Socket inode
  • state - Connection state
  • pid - Process ID using the port
  • process - Process name using the port

Event Example

```json
{
    "data":
    {
        "checksum": "761a502a9150d7cd0e0baacc1ca182e245ed0916",
        "inode": 13615,
        "item_id": "8d27e3fd98724c60cf0de4534927ad584f1eb691",
        "local_ip": "::ffff:192.168.56.132",
        "local_port": 22,
        "pid": 2249,
        "process": "sshd",
        "protocol": "tcp6",
        "remote_ip": "::ffff:192.168.56.1",
        "remote_port": 60524,
        "rx_queue": 0,
        "scan_time": "2025/09/18 13:45:48",
        "state": "established",
        "tx_queue": 0
    },
    "operation": "INSERTED",
    "type": "dbsync_ports"
}
```
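Port inventory is where a defender most often wants a baseline check: a new listener that nobody expected, or a session with a peer outside the organisation. The review function below is an added example, not Wazuh's code. It assumes a constructed allowlist of (process, port) pairs and a socket state value of `listening` for sockets waiting for connections (only `established` appears in the example above). It also handles the IPv4-mapped IPv6 form (`::ffff:192.168.56.132`) that the example shows for `tcp6` sockets, so that range checks and allowlists work on the plain IPv4 address. The sample events are constructed; the first one is the page's own example.

```python
import ipaddress
from typing import List, Set, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed allowlist of (process name, local port) pairs expected to listen on
# this host; any other listener bound to a routable address is reported.
LISTEN_ALLOWLIST: Set[Tuple[str, int]] = {("sshd", 22)}

# Socket state names: "established" appears in the document's example; "listening"
# is an assumption for sockets that are waiting for connections.
STATE_LISTENING = "listening"
STATE_ESTABLISHED = "established"


def canonical_ip(text: str) -> IPAddress:
    """Unwrap IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) so comparisons use the IPv4 form."""
    addr = ipaddress.ip_address(text.strip())
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def review_port_event(event: dict) -> List[str]:
    """Return findings for one dbsync_ports event; an empty list means nothing notable."""
    if event.get("type") != "dbsync_ports" or event.get("operation") != "INSERTED":
        return []
    d = event["data"]
    findings: List[str] = []
    local = canonical_ip(d["local_ip"])
    port = int(d["local_port"])
    proto = d.get("protocol", "?")
    # "process" may be the single-space placeholder when the owner is unknown.
    process = (d.get("process") or "").strip() or "<unknown>"
    state = d.get("state")

    if state == STATE_LISTENING:
        # Loopback-only listeners are not reachable from the network; skip them.
        if local.is_loopback:
            return findings
        if (process, port) not in LISTEN_ALLOWLIST:
            findings.append(
                f"unexpected listener {process} (pid {d.get('pid')}) on {local}:{port}/{proto}"
            )
    elif state == STATE_ESTABLISHED:
        remote = canonical_ip(d["remote_ip"])
        if remote.is_global:
            findings.append(
                f"{process} on port {port}/{proto} has a session with public peer "
                f"{remote}:{d.get('remote_port')}"
            )
    return findings


# Constructed samples: the document's example (sshd session from a private peer),
# a test HTTP server bound to all interfaces, and a session with a public peer.
PAGE_EXAMPLE = {
    "data": {"checksum": "761a502a9150d7cd0e0baacc1ca182e245ed0916", "inode": 13615,
             "item_id": "8d27e3fd98724c60cf0de4534927ad584f1eb691",
             "local_ip": "::ffff:192.168.56.132", "local_port": 22, "pid": 2249,
             "process": "sshd", "protocol": "tcp6", "remote_ip": "::ffff:192.168.56.1",
             "remote_port": 60524, "rx_queue": 0, "scan_time": "2025/09/18 13:45:48",
             "state": "established", "tx_queue": 0},
    "operation": "INSERTED", "type": "dbsync_ports",
}
UNEXPECTED_LISTENER = {
    "data": {"local_ip": "0.0.0.0", "local_port": 8000, "pid": 4242, "process": "python3",
             "protocol": "tcp", "remote_ip": "0.0.0.0", "remote_port": 0,
             "scan_time": "2025/09/18 13:45:48", "state": "listening"},
    "operation": "INSERTED", "type": "dbsync_ports",
}
PUBLIC_PEER = {
    "data": {"local_ip": "192.168.56.132", "local_port": 22, "pid": 2249, "process": "sshd",
             "protocol": "tcp", "remote_ip": "8.8.8.8", "remote_port": 51000,
             "scan_time": "2025/09/18 13:45:48", "state": "established"},
    "operation": "INSERTED", "type": "dbsync_ports",
}

if __name__ == "__main__":
    for ev in (PAGE_EXAMPLE, UNEXPECTED_LISTENER, PUBLIC_PEER):
        print(review_port_event(ev) or ["ok"])
```

The allowlist is keyed on the process name as reported in the event, which is informational rather than authoritative; in production the `pid` should be joined against the process inventory (`dbsync_processes`) to confirm the executable.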

Processes Events

Generated when processes start or stop.

Process Event Fields

  • pid - Process ID
  • name - Process name
  • cmd - Full command line
  • argvs - Command line arguments
  • state - Process state
  • ppid - Parent process ID
  • euser - Effective user
  • ruser - Real user
  • suser - Saved user
  • egroup - Effective group
  • rgroup - Real group
  • sgroup - Saved group
  • fgroup - File system group
  • priority - Process priority
  • nice - Nice value
  • size - Process size
  • vm_size - Virtual memory size
  • resident - Resident memory
  • share - Shared memory
  • start_time - Process start time
  • utime - User CPU time
  • stime - System CPU time
  • pgrp - Process group ID
  • session - Session ID
  • nlwp - Number of threads
  • tgid - Thread group ID
  • tty - Controlling terminal
  • processor - Processor number

Event Example

```json
{
    "data":
    {
        "argvs": "-n -iNONE",
        "checksum": "6280d8a41e0fad04bcc33bf088abdbfde8921196",
        "cmd": "/usr/sbin/rsyslogd",
        "egroup": "syslog",
        "euser": "syslog",
        "fgroup": "syslog",
        "name": "rsyslogd",
        "nice": 0,
        "nlwp": 4,
        "pgrp": 819,
        "pid": "819",
        "ppid": 1,
        "priority": 20,
        "processor": 1,
        "resident": 5504,
        "rgroup": "syslog",
        "ruser": "syslog",
        "scan_time": "2025/09/18 13:45:48",
        "session": 819,
        "sgroup": "syslog",
        "share": 1088,
        "size": 55627,
        "start_time": 1758196941,
        "state": "S",
        "stime": 3,
        "suser": "syslog",
        "tgid": 819,
        "tty": 0,
        "utime": 2,
        "vm_size": 222508
    },
    "operation": "INSERTED",
    "type": "dbsync_processes"
}
```

Users Events

Generated when system user accounts are created, modified, or removed.

User Event Fields

  • user_name - Username
  • user_full_name - Full/display name
  • user_home - Home directory path
  • user_id - User ID (UID)
  • user_uid_signed - Signed user ID
  • user_uuid - User UUID (macOS/Windows)
  • user_groups - Group memberships (colon-separated)
  • user_group_id - Primary group ID
  • user_group_id_signed - Signed primary group ID
  • user_created - Account creation timestamp
  • user_shell - Login shell
  • user_type - User account type
  • user_is_hidden - Hidden account flag
  • user_is_remote - Remote account flag
  • user_last_login - Last login timestamp
  • user_password_status - Password status
  • user_password_expiration_date - Password expiration date
  • user_password_hash_algorithm - Password hash algorithm
  • user_password_inactive_days - Password inactive days
  • user_password_last_change - Password last change timestamp
  • user_password_max_days_between_changes - Maximum days between password changes
  • user_password_min_days_between_changes - Minimum days between password changes
  • user_password_warning_days_before_expiration - Warning days before expiration
  • user_roles - User roles
  • user_auth_failed_count - Failed authentication count
  • user_auth_failed_timestamp - Last failed authentication timestamp
  • host_ip - Host IP address
  • login_status - Login status
  • login_tty - Login terminal
  • login_type - Login type
  • process_pid - Associated process ID

Event Example

```json
{
    "data":
    {
        "checksum": "ef86b3fa5116219b74d0e6edeefb39f067ff1802",
        "host_ip": "0.0.0.0",
        "login_status": 1,
        "login_tty": "pts/0",
        "login_type": "user",
        "process_pid": 12561,
        "scan_time": "2025/09/18 13:45:48",
        "user_auth_failed_count": 0,
        "user_auth_failed_timestamp": 0,
        "user_created": 0,
        "user_full_name": "vagrant",
        "user_group_id": 1000,
        "user_group_id_signed": 1000,
        "user_groups": "vagrant:adm:cdrom:sudo:dip:plugdev:lxd",
        "user_home": "/home/vagrant",
        "user_id": 1000,
        "user_is_hidden": 0,
        "user_is_remote": 1,
        "user_last_login": 1758203148,
        "user_name": "vagrant",
        "user_password_expiration_date": -1,
        "user_password_hash_algorithm": "6",
        "user_password_inactive_days": -1,
        "user_password_last_change": 1714348800.0,
        "user_password_max_days_between_changes": 99999,
        "user_password_min_days_between_changes": 0,
        "user_password_status": "active",
        "user_password_warning_days_before_expiration": 7,
        "user_roles": " ",
        "user_shell": "/bin/bash",
        "user_type": " ",
        "user_uid_signed": 1000,
        "user_uuid": " "
    },
    "operation": "INSERTED",
    "type": "dbsync_users"
}
```

Groups Events

Generated when system groups are created, modified, or removed.

Group Event Fields

  • group_name - Group name
  • group_description - Group description
  • group_id - Group ID (GID)
  • group_id_signed - Signed group ID
  • group_users - Group member list (colon-separated)
  • group_is_hidden - Hidden group flag
  • group_uuid - Group UUID

Event Example

```json
{
    "data":
    {
        "checksum": "ec4e94eb67532b00fcebaf4fb710d981b2a91cd5",
        "group_description": " ",
        "group_id": 1,
        "group_id_signed": 1,
        "group_is_hidden": 0,
        "group_name": "daemon",
        "group_users": "daemon:pollinate:vboxadd",
        "group_uuid": " ",
        "scan_time": "2025/09/18 13:45:48"
    },
    "operation": "INSERTED",
    "type": "dbsync_groups"
}
```
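The user and group events both carry memberships as colon-separated lists (`user_groups` and `group_users`), and the user event exposes the shadow-file password policy. The code below is an added example covering both event kinds, not Wazuh's own code: it merges memberships from both sources into a view of who belongs to privileged groups, and reviews a user record for privileged membership, a non-root UID 0, a password that never expires (the `99999` value in the example above), and a weak hash algorithm. The mapping of `user_password_hash_algorithm` values follows the crypt(3) identifiers used in `/etc/shadow` (`1` MD5, `5` SHA-256, `6` SHA-512, `y` yescrypt), and the set of privileged groups (`root`, `sudo`, `wheel`, `adm`) is an assumption to adjust per distribution. The extra `sudo` group event is constructed.

```python
from typing import Dict, Iterable, List, Set

# Groups that confer administrative rights. "sudo" and "adm" appear in the document's
# user example; "root" and "wheel" are added for distributions that use them (assumption).
PRIVILEGED_GROUPS: Set[str] = {"root", "sudo", "wheel", "adm"}

# crypt(3) identifiers as used in /etc/shadow ($1$, $5$, $6$, $y$); the example reports "6".
HASH_ALGORITHM_IDS: Dict[str, str] = {"1": "md5", "5": "sha256", "6": "sha512", "y": "yescrypt"}
WEAK_HASH_ALGORITHMS: Set[str] = {"md5"}

NO_EXPIRY_MAX_DAYS = 99999  # value shown in the document's example


def split_members(value) -> List[str]:
    """Parse the colon-separated list used by user_groups and group_users.

    The single-space placeholder for an empty field yields an empty list.
    """
    if not isinstance(value, str) or not value.strip():
        return []
    return [m.strip() for m in value.split(":") if m.strip()]


def privileged_members(events: Iterable[dict]) -> Dict[str, Set[str]]:
    """Merge memberships from dbsync_groups (group_users) and dbsync_users (user_groups)
    into group_name -> usernames, keeping only privileged groups."""
    members: Dict[str, Set[str]] = {}
    for ev in events:
        d = ev.get("data", {})
        if ev.get("type") == "dbsync_groups":
            members.setdefault(d["group_name"], set()).update(split_members(d.get("group_users")))
        elif ev.get("type") == "dbsync_users":
            for g in split_members(d.get("user_groups")):
                members.setdefault(g, set()).add(d["user_name"])
    return {g: u for g, u in members.items() if g in PRIVILEGED_GROUPS}


def review_user(data: dict) -> List[str]:
    """Account hygiene findings for the data object of one dbsync_users event."""
    findings: List[str] = []
    name = data["user_name"]
    priv = sorted(set(split_members(data.get("user_groups"))) & PRIVILEGED_GROUPS)
    if priv:
        findings.append(f"{name}: member of privileged group(s) {', '.join(priv)}")
    if int(data.get("user_id", -1)) == 0 and name != "root":
        findings.append(f"{name}: UID 0 account that is not root")
    max_days = data.get("user_password_max_days_between_changes")
    if max_days is not None and int(max_days) >= NO_EXPIRY_MAX_DAYS:
        findings.append(f"{name}: password never expires (max days {max_days})")
    algo = HASH_ALGORITHM_IDS.get(str(data.get("user_password_hash_algorithm", "")).strip())
    if algo in WEAK_HASH_ALGORITHMS:
        findings.append(f"{name}: weak password hash algorithm {algo}")
    return findings


# Constructed samples: the document's user and group examples plus a sudo group record.
USER_EVENT = {
    "data": {"user_name": "vagrant", "user_id": 1000, "user_group_id": 1000,
             "user_groups": "vagrant:adm:cdrom:sudo:dip:plugdev:lxd",
             "user_home": "/home/vagrant", "user_shell": "/bin/bash",
             "user_password_hash_algorithm": "6",
             "user_password_max_days_between_changes": 99999,
             "user_password_status": "active", "scan_time": "2025/09/18 13:45:48"},
    "operation": "INSERTED", "type": "dbsync_users",
}
GROUP_DAEMON_EVENT = {
    "data": {"group_name": "daemon", "group_id": 1, "group_users": "daemon:pollinate:vboxadd",
             "group_description": " ", "scan_time": "2025/09/18 13:45:48"},
    "operation": "INSERTED", "type": "dbsync_groups",
}
GROUP_SUDO_EVENT = {
    "data": {"group_name": "sudo", "group_id": 27, "group_users": "vagrant:ops",
             "group_description": " ", "scan_time": "2025/09/18 13:45:48"},
    "operation": "INSERTED", "type": "dbsync_groups",
}

if __name__ == "__main__":
    print(privileged_members([USER_EVENT, GROUP_DAEMON_EVENT, GROUP_SUDO_EVENT]))
    print(review_user(USER_EVENT["data"]))
```

Merging both sources matters because the two lists can disagree: a `group_users` entry names an account that may no longer appear in any `dbsync_users` event, which is itself worth reporting.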

Services Events

Generated when system services change state or configuration.

Service Event Fields

  • service_name - Service name
  • service_description - Service description
  • service_type - Service type
  • service_state - Current state (active, inactive, etc.)
  • service_sub_state - Sub-state (running, dead, etc.)
  • service_enabled - Enabled at boot (enabled, disabled, static)
  • service_start_type - Start type
  • service_id - Service identifier
  • service_object_path - D-Bus object path
  • service_restart - Restart policy
  • service_address - Service address
  • service_exit_code - Exit code
  • service_win32_exit_code - Windows exit code
  • service_frequency - Service frequency
  • service_inetd_compatibility - Inetd compatibility flag
  • service_starts_on_mount - Starts on mount flag
  • service_starts_on_not_empty_directory - Starts on non-empty directory
  • service_starts_on_path_modified - Starts on path modified
  • service_target_address - Target address
  • service_target_ephemeral_id - Target ephemeral ID
  • process_pid - Process ID if running
  • process_executable - Executable path
  • process_args - Process arguments
  • process_group_name - Process group name
  • process_root_directory - Process root directory
  • process_working_directory - Process working directory
  • file_path - Service file path
  • log_file_path - Log file path
  • error_log_file_path - Error log file path

Event Example

```json
{
    "data":
    {
        "checksum": "b92cd9cc0b7f874b7338532288a53dacf5ed23dd",
        "error_log_file_path": " ",
        "file_path": " ",
        "item_id": "9a73e5bdbac23fedd77a4ad2a16064d0c61d4d68",
        "log_file_path": " ",
        "process_args": " ",
        "process_executable": "/usr/lib/systemd/system/rescue.target",
        "process_group_name": " ",
        "process_pid": 0,
        "process_root_directory": " ",
        "process_working_directory": " ",
        "scan_time": "2025/09/18 13:45:48",
        "service_address": " ",
        "service_description": "Rescue Mode",
        "service_enabled": "static",
        "service_exit_code": 0,
        "service_frequency": 0,
        "service_id": "rescue.target",
        "service_inetd_compatibility": 0,
        "service_name": "rescue.target",
        "service_object_path": "/org/freedesktop/systemd1/unit/rescue_2etarget",
        "service_restart": " ",
        "service_start_type": " ",
        "service_starts_on_mount": 0,
        "service_starts_on_not_empty_directory": " ",
        "service_starts_on_path_modified": " ",
        "service_state": "inactive",
        "service_sub_state": "dead",
        "service_target_address": "/",
        "service_target_ephemeral_id": 0,
        "service_type": " ",
        "service_win32_exit_code": 0
    },
    "operation": "INSERTED",
    "type": "dbsync_services"
}
```

Browser Extensions Events

Generated when browser extensions are installed, updated, or removed.

Browser Extension Event Fields

  • browser_name - Browser name (chrome, firefox, etc.)
  • browser_profile_name - Browser profile name
  • browser_profile_path - Browser profile path
  • browser_profile_referenced - Profile referenced flag
  • package_name - Extension name
  • package_id - Extension ID
  • package_version - Extension version
  • package_description - Extension description
  • package_path - Extension installation path
  • package_enabled - Extension enabled status
  • package_from_webstore - Installed from official store
  • package_autoupdate - Auto-update enabled
  • package_build_version - Build version
  • package_installed - Installation timestamp
  • package_permissions - Extension permissions
  • package_persistent - Persistent extension flag
  • package_reference - Update reference URL
  • package_type - Extension type
  • package_visible - Visible extension flag
  • file_hash_sha256 - Extension file hash
  • user_id - User who owns the extension

Event Example

```json
{
    "data":
    {
        "browser_name": "chrome",
        "browser_profile_name": "Nico Wazuh",
        "browser_profile_path": "/home/nbertoldo/.config/google-chrome/Profile 1",
        "browser_profile_referenced": 1,
        "checksum": "14143035a3724acb40173cc51f514d3cbdd871ff",
        "file_hash_sha256": "f52f39015be44f6be8a3a73dcd87cd9a01e1520f1983b4adfc6d4dd0cc22838e",
        "item_id": "76e2a99717f0d59594b300116a6238d62c8f68ae",
        "package_autoupdate": 0,
        "package_build_version": " ",
        "package_description": "Improve your writing with all-in-one assistance—including generative AI, grammar check, and more.",
        "package_enabled": 1,
        "package_from_webstore": 1,
        "package_id": "kbfnbcaeplbcioakkpcpgfkobkghlhen",
        "package_installed": "1717159065",
        "package_name": "Grammarly: AI Writing Assistant and Grammar Checker App",
        "package_path": "/home/nbertoldo/.config/google-chrome/Profile 1/Extensions/kbfnbcaeplbcioakkpcpgfkobkghlhen/14.1254.0_1",
        "package_permissions": "scripting, sidePanel, tabs, notifications, cookies, identity, storage",
        "package_persistent": 0,
        "package_reference": "https://clients2.google.com/service/update2/crx",
        "package_type": " ",
        "package_version": "14.1254.0",
        "package_visible": 0,
        "scan_time": "2025/09/18 15:13:53",
        "user_id": "1000"
    },
    "operation": "INSERTED",
    "type": "dbsync_browser_extensions"
}
```
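Browser extension inventory is mostly useful as a posture check: which extensions can read page content, cookies or identity, which ones were sideloaded rather than installed from the store, and whether the file hash still matches the build that was reviewed. The review function below is an added example, not Wazuh's code. It splits the comma-separated `package_permissions` string, treats the 0/1 flags as booleans, and pins `package_id` to a `file_hash_sha256` in a constructed approval list (seeded with the id and hash from the example above). The sensitive permission set includes the names from the example plus `webRequest`, `nativeMessaging` and `<all_urls>`, which are Chrome permission names added here as an assumption about what an organisation would want flagged. The second sample event is constructed.

```python
from typing import Dict, List, Set

# Chrome permissions that expose page content, sessions or identity. "scripting",
# "tabs", "cookies" and "identity" appear in the document's example; the other
# three are added Chrome permission names (assumption about local policy).
SENSITIVE_PERMISSIONS: Set[str] = {
    "scripting", "tabs", "cookies", "identity", "webRequest", "nativeMessaging", "<all_urls>",
}

# Constructed approval list: extension id -> sha256 of the reviewed build.
# The single entry uses the id and hash from the document's example.
APPROVED_EXTENSIONS: Dict[str, str] = {
    "kbfnbcaeplbcioakkpcpgfkobkghlhen":
        "f52f39015be44f6be8a3a73dcd87cd9a01e1520f1983b4adfc6d4dd0cc22838e",
}


def split_permissions(value) -> List[str]:
    """package_permissions is a comma-separated string; the ' ' placeholder means none."""
    if not isinstance(value, str):
        return []
    return [p.strip() for p in value.split(",") if p.strip()]


def as_flag(value) -> bool:
    """Flags arrive as 0/1 integers (or strings); anything else is treated as false."""
    return str(value).strip() in ("1", "true", "True")


def review_extension(event: dict) -> List[str]:
    """Findings for one dbsync_browser_extensions event; empty when nothing is notable."""
    if event.get("type") != "dbsync_browser_extensions":
        return []
    d = event["data"]
    ext_id = (d.get("package_id") or "").strip()
    label = f"{d.get('browser_name')}/{d.get('browser_profile_name')}: {d.get('package_name')} ({ext_id})"
    findings: List[str] = []
    if not as_flag(d.get("package_enabled")):
        return findings  # a disabled extension cannot run; not reported here
    sensitive = sorted(set(split_permissions(d.get("package_permissions"))) & SENSITIVE_PERMISSIONS)
    if sensitive:
        findings.append(f"{label}: sensitive permissions {', '.join(sensitive)}")
    if not as_flag(d.get("package_from_webstore")):
        findings.append(f"{label}: not installed from the web store")
    if not as_flag(d.get("package_autoupdate")):
        findings.append(f"{label}: auto-update disabled")
    expected = APPROVED_EXTENSIONS.get(ext_id)
    actual = (d.get("file_hash_sha256") or "").strip().lower()
    if expected is None:
        findings.append(f"{label}: not on the approved list")
    elif expected != actual:
        findings.append(f"{label}: file hash {actual or '<missing>'} differs from the approved build")
    return findings


# Constructed samples: the document's example and a sideloaded extension.
PAGE_EXAMPLE = {
    "data": {"browser_name": "chrome", "browser_profile_name": "Nico Wazuh",
             "package_id": "kbfnbcaeplbcioakkpcpgfkobkghlhen",
             "package_name": "Grammarly: AI Writing Assistant and Grammar Checker App",
             "package_permissions": "scripting, sidePanel, tabs, notifications, cookies, identity, storage",
             "package_enabled": 1, "package_from_webstore": 1, "package_autoupdate": 0,
             "file_hash_sha256": "f52f39015be44f6be8a3a73dcd87cd9a01e1520f1983b4adfc6d4dd0cc22838e",
             "user_id": "1000", "scan_time": "2025/09/18 15:13:53"},
    "operation": "INSERTED", "type": "dbsync_browser_extensions",
}
SIDELOADED_EXAMPLE = {
    "data": {"browser_name": "chrome", "browser_profile_name": "Default",
             "package_id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",  # constructed id
             "package_name": "Constructed Helper", "package_permissions": "storage",
             "package_enabled": 1, "package_from_webstore": 0, "package_autoupdate": 0,
             "file_hash_sha256": "0" * 64, "user_id": "1000",
             "scan_time": "2025/09/18 15:13:53"},
    "operation": "INSERTED", "type": "dbsync_browser_extensions",
}

if __name__ == "__main__":
    for ev in (PAGE_EXAMPLE, SIDELOADED_EXAMPLE):
        print(review_extension(ev))
```

Pinning on `file_hash_sha256` rather than on `package_version` catches a changed build that keeps the same version string, which is exactly the case an inventory diff would otherwise miss.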

Windows Hotfix Events

Generated when Windows updates are installed or removed (Windows only).

Hotfix Event Fields

  • hotfix - Update identifier (e.g., KB5031356)

Event Example

```json
{
    "data":
    {
        "checksum": "56162cd7bb632b4728ec868e8e271b01222ff131",
        "hotfix": "KB12345678",
        "scan_time": "2025/09/18 13:46:04"
    },
    "operation": "INSERTED",
    "type": "dbsync_hotfixes"
}
```

Field Mapping Summary

| Category | Fields Prefix | Example Fields |
|---|---|---|
| Hardware | (direct fields) | board_serial, cpu_name, ram_total |
| Operating System | (direct fields) | hostname, os_name, os_version, architecture |
| Packages | (direct fields) | name, version, vendor |
| Network Interfaces | (direct fields) | name, state, mac |
| Network Addresses | (direct fields) | iface, address, proto |
| Network Protocols | (direct fields) | iface, gateway, type |
| Network Ports | (direct fields) | protocol, local_ip, local_port |
| Processes | (direct fields) | pid, name, cmd |
| Users | user_* | user_name, user_home, user_shell |
| Groups | group_* | group_name, group_description |
| Services | service_*, process_* | service_name, service_state |
| Browser Extensions | browser_*, package_* | browser_name, package_name |
| Hotfixes | (direct field) | hotfix |

Common Fields

All syscollector events include these standard fields:

  • scan_time - When the inventory scan occurred, formatted as YYYY/MM/DD HH:MM:SS
  • checksum - MD5 hash for change detection. Consumers should compare it as an opaque string: the examples in this document carry 40-character hexadecimal values, and the OS example carries a decimal string, so no fixed length or format should be assumed.
  • item_id - Unique identifier for the inventory item (where applicable). The hardware, OS and hotfix examples above carry no item_id; those records are identified by their event type (and, for hotfixes, by the hotfix value).

Two further conventions are visible in the examples and matter for anyone parsing these events: an empty field is emitted as a single space (" ") rather than as an empty string or null, and the same logical field may be typed differently across categories (for example, pid is a string in the process example and an integer in the port example), so consumers should coerce types rather than rely on them.
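Because the checksum exists for change detection, a consumer can keep the current inventory per host and classify each incoming event as new, unchanged (a repeated scan or replayed event with the same checksum) or changed, reporting which fields differ. The tracker below is an added example and not Wazuh's own processing: it keys records on `item_id` where present, falls back to the `hotfix` value for hotfix records (an assumption, since the hotfix example above carries no `item_id`), and otherwise treats the record as one-per-host, which fits the hardware and OS examples. The sample events are constructed from the hardware and hotfix examples on this page; the second hardware scan with a different checksum is constructed.

```python
from typing import Dict, List, Tuple

# Fields that describe the event itself rather than the inventory item.
ENVELOPE_FIELDS = {"scan_time", "checksum", "item_id"}
KNOWN_OPERATIONS = {"INSERTED", "MODIFIED"}  # values shown in this document


def item_key(event: dict) -> Tuple[str, str]:
    """Identity of the inventory item within one host.

    item_id is used when present. Hotfix records carry no item_id in the example, so the
    hotfix value is used (assumption). Remaining categories without item_id (hwinfo,
    osinfo in this document) are one record per host.
    """
    data = event["data"]
    etype = event["type"]
    item_id = data.get("item_id")
    if isinstance(item_id, str) and item_id.strip():
        return etype, item_id.strip()
    if etype == "dbsync_hotfixes":
        return etype, str(data.get("hotfix", "")).strip()
    return etype, "<singleton>"


def changed_fields(old: dict, new: dict) -> List[str]:
    """Names of inventory fields whose value differs, ignoring the envelope fields."""
    keys = (set(old) | set(new)) - ENVELOPE_FIELDS
    return sorted(k for k in keys if old.get(k) != new.get(k))


class InventoryState:
    """Current inventory per host, keyed by (host, event type, item key)."""

    def __init__(self) -> None:
        self.items: Dict[Tuple[str, str, str], dict] = {}

    def apply(self, host: str, event: dict) -> Tuple[str, List[str]]:
        """Apply one event and return (outcome, changed field names).

        outcome is "new", "unchanged" or "changed". A MODIFIED event for an item never
        seen before is treated as "new": the consumer simply started after the item existed.
        """
        operation = event["operation"]
        if operation not in KNOWN_OPERATIONS:
            raise ValueError(f"unsupported operation {operation!r}")
        data = event["data"]
        key = (host,) + item_key(event)
        previous = self.items.get(key)
        if previous is None:
            self.items[key] = data
            return "new", []
        if str(previous.get("checksum", "")) == str(data.get("checksum", "")):
            return "unchanged", []
        diff = changed_fields(previous, data)
        self.items[key] = data
        return "changed", diff


# Constructed samples: the document's hardware example, a later scan of the same host
# with changed memory figures and a constructed checksum, and the hotfix example.
HW_SCAN_1 = {
    "data": {"board_serial": "0", "checksum": "752e394b1d19ba29ca3fef9df2c96c0cbf0374af",
             "cpu_cores": 8, "cpu_mhz": 3800.0, "cpu_name": "AMD Ryzen 7 5800X 8-Core Processor",
             "ram_free": 14077916, "ram_total": 16375868, "ram_usage": 15,
             "scan_time": "2025/09/18 13:46:04"},
    "operation": "MODIFIED", "type": "dbsync_hwinfo",
}
HW_SCAN_2 = {
    "data": dict(HW_SCAN_1["data"], checksum="0000000000000000000000000000000000000000",
                 ram_free=9825000, ram_usage=40, scan_time="2025/09/18 14:46:04"),
    "operation": "MODIFIED", "type": "dbsync_hwinfo",
}
HOTFIX_EVENT = {
    "data": {"checksum": "56162cd7bb632b4728ec868e8e271b01222ff131", "hotfix": "KB12345678",
             "scan_time": "2025/09/18 13:46:04"},
    "operation": "INSERTED", "type": "dbsync_hotfixes",
}

if __name__ == "__main__":
    state = InventoryState()
    for ev in (HW_SCAN_1, HW_SCAN_1, HW_SCAN_2, HOTFIX_EVENT):
        print(state.apply("agent-001", ev))
```

Keying on the host as well as the item is essential: `item_id` values are only meaningful per agent, and the same hardware record will legitimately appear once for every host.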

Event Processing

Syscollector events are processed by the Inventory Harvester and stored directly in Wazuh Indexer without going through traditional rule processing, since they represent inventory state rather than security events.

Integration

Access syscollector inventory data through:

  • Wazuh API: REST endpoints for querying current inventory state
  • Wazuh Dashboard: Built-in inventory visualization
  • Direct Database: Query Wazuh Indexer for raw event data