docs/ref/modules/vulnerability-scanner/events.md
The incoming events from the agents must be parseable by the flatbuffer schemas; otherwise parsing triggers an exception and the event never reaches the vulnerability scanner, so its contents are not evaluated for vulnerabilities. Below, we detail the format for the different systems supported by the scanner.
The vulnerability scanner, as an event-driven module, reacts to the Syscollector events sent by the agents. The scanner receives two types of events: synchronization events and delta events.
Both event types provide the same information to the scanner: detection is not affected by the type of event sent; the two types are just parsed differently.
Within synchronization events, an integrity_clear event removes the information for a given provider. For a package provider, it removes all vulnerabilities related to packages. For the OS provider, it removes the vulnerabilities related to the OS and also affects detection for packages, since the source operating system is required information for detection. For hotfixes, the scanner should then detect the vulnerabilities that had been fixed by the presence of those security patches.
{
"agent_info": {
"agent_id": "002"
},
"data_type": "dbsync_hotfixes",
"data": {
"checksum": "1691178971959743855",
"hotfix": "KB5034763",
"scan_time": "2023/08/04 19:56:11"
},
"operation": "INSERTED"
}
{
"agent_info": {
"agent_id": "002"
},
"data_type": "state",
"data": {
"attributes_type": "syscollector_hotfixes",
"attributes": {
"checksum": "1691178971959743855",
"hotfix": "KB3114960",
"scan_time": "2023/08/04 19:56:11"
}
}
}
{
"agent_info": {
"agent_id": "002"
},
"data_type": "integrity_clear",
"data": {
"id": 1700236640,
"attributes_type": "syscollector_hotfixes"
}
}
For OS events, we need to pay attention to the following fields:
{
"agent_info": {
"agent_id": "001"
},
"data_type": "dbsync_osinfo",
"data": {
"architecture":"x86_64",
"checksum":"1691178971959743855",
"hostname":"debian",
"os_codename":"bookworm",
"os_major":"12",
"os_minor":"0",
"os_name":"Debian",
"os_patch":"0",
"os_platform":"debian",
"os_version":"Bookworm",
"release":"5.4.0-155-generic",
"scan_time":"2023/08/04 19:56:11",
"sysname":"Linux",
"version":""
},
"operation": "INSERTED"
}
{
"agent_info": {
"agent_id": "002"
},
"data_type": "dbsync_osinfo",
"data": {
"architecture":"x86_64",
"checksum":"1691178971959743855",
"hostname":"centos",
"os_codename":"7",
"os_major":"7",
"os_minor":"9",
"os_name":"Centos 7",
"os_patch":"6",
"os_platform":"centos",
"os_version":"7.9",
"release":"5.4.0-155-generic",
"scan_time":"2023/08/04 19:56:11",
"sysname":"Linux",
"version":"#172-Ubuntu SMP Fri Jul 7 16:10:02 UTC 2023"
},
"operation": "INSERTED"
}
{
"agent_info": {
"agent_id": "001"
},
"data_type": "dbsync_osinfo",
"data": {
"architecture":"x86_64",
"checksum":"1691178971959743855",
"hostname":"redhat",
"os_codename":"7",
"os_major":"7",
"os_minor":"9",
"os_name":"Redhat",
"os_patch":"6",
"os_platform":"rhel",
"os_version":"7.9",
"release":"5.4.0-155-generic",
"scan_time":"2023/08/04 19:56:11",
"sysname":"Linux",
"version":"#172-Ubuntu SMP Fri Jul 7 16:10:02 UTC 2023"
},
"operation": "INSERTED"
}
{
"agent_info": {
"agent_id": "004"
},
"data_type": "dbsync_osinfo",
"data": {
"architecture":"x86_64",
"checksum":"1691178971959743855",
"hostname":"Ubuntu",
"os_codename":"jammy",
"os_major":"22",
"os_minor":"04",
"os_name":"Ubuntu",
"os_patch":"1",
"os_platform":"ubuntu",
"os_version":"22.04.1",
"release":"5.4.0-155-generic",
"scan_time":"2023/08/04 19:56:11",
"sysname":"Linux",
"version":"#172-Ubuntu SMP Fri Jul 7 16:10:02 UTC 2023"
},
"operation": "INSERTED"
}
{
"agent_info": {
"agent_id": "001"
},
"data_type": "dbsync_osinfo",
"data": {
"architecture":"x86_64",
"checksum":"1691178971959743855",
"hostname":"fd9b83c25f30",
"os_major":"15",
"os_name":"SLES",
"os_platform":"sles",
"os_version":"15-SP5",
"release":"5.4.0-155-generic",
"scan_time":"2023/08/04 19:56:11",
"sysname":"Linux",
"version":"#172-Ubuntu SMP Fri Jul 7 16:10:02 UTC 2023"
},
"operation": "INSERTED"
}
{
"agent_info": {
"agent_id": "001"
},
"data_type": "dbsync_osinfo",
"data": {
"architecture":"x86_64",
"checksum":"1691178971959743855",
"hostname":"alas_test",
"os_codename":"Amazon Linux",
"os_major":"2023",
"os_minor":"4",
"os_name":"Amazon Linux",
"os_patch":"20240528",
"os_platform":"amzn",
"os_version":"2023",
"release":"2023",
"scan_time":"2023/08/04 19:56:11",
"sysname":"Linux",
"version":""
},
"operation": "INSERTED"
}
{
"agent_info": {
"agent_id": "002"
},
"data_type": "state",
"data": {
"attributes_type": "syscollector_osinfo",
"attributes": {
"architecture": "x86_64",
"checksum": "1691178971959743855",
"hostname": "fd9b83c25f30",
"os_major": "10",
"os_minor": "0",
"os_build": "19045.4043",
"os_name": "Microsoft Windows 10",
"os_display_version": "22H2",
"os_platform": "windows",
"os_version": "10.0.19045.4043",
"scan_time": "2023/08/04 19:56:11"
}
}
}
{
"agent_info": {
"agent_id": "001"
},
"data_type": "state",
"data": {
"attributes_type": "syscollector_osinfo",
"attributes": {
"scan_time": "2024/07/04 19:15:22",
"hostname": "archlinux",
"architecture": "x86_64",
"os_name": "Arch Linux",
"os_build": "rolling",
"os_platform": "arch",
"sysname": "Linux",
"release": "6.9.7-arch1-1",
"version": "#1 SMP PREEMPT_DYNAMIC Fri, 28 Jun 2024 04:32:50 +0000",
"checksum": "1720120521357595973"
}
}
}
{
"agent_info": {
"agent_id": "001"
},
"data_type": "state",
"data": {
"attributes_type": "syscollector_osinfo",
"attributes": {
"architecture":"x86_64",
"checksum":"1691178971959743855",
"hostname":"fd9b83c25f30",
"os_major":"14",
"os_minor":"0",
"os_name":"macOS",
"os_platform":"darwin",
"os_version":"14.0",
"release":"5.4.0-155-generic",
"scan_time":"2023/08/04 19:56:11",
"sysname":"macOS",
"version":"darwin 23.0"
}
}
}
{
"agent_info": {
"agent_id": "001"
},
"data_type": "state",
"data": {
"attributes_type": "syscollector_osinfo",
"attributes": {
"architecture": "x86_64",
"checksum": "1747339087646192180",
"hostname": "rocky9",
"os_major": "9",
"os_minor": "3",
"os_name": "Rocky Linux",
"os_platform": "rocky",
"os_version": "9.3 (Blue Onyx)",
"release": "5.14.0-362.13.1.el9_3.x86_64",
"scan_time": "2025/05/15 19:58:09",
"sysname": "Linux",
"version": "#1 SMP PREEMPT_DYNAMIC Wed Dec 13 14:07:45 UTC 2023"
},
"index": "Rocky Linux",
"timestamp": ""
}
}
{
"agent_info": {
"agent_id": "002"
},
"data_type": "integrity_clear",
"data": {
"id": 1700236640,
"attributes_type": "syscollector_osinfo"
}
}
For package events, we need to pay attention to the following fields:
Canonical
Ubuntu
Debian
Red Hat, Inc.
CentOS
Amazon Linux
Amazon.com
Amazon AWS
Arch Linux
suse
SUSE
openSUSE
AlmaLinux
CloudLinux
Rocky
format: Relevant when the package is not installed through a package manager (apt, yum, pacman, etc.). The format field must be specified for npm, pypi or snap packages.
name and version are the main identifiers of the package.
item_id: An unambiguous alphanumeric identifier that is required for indexing.
source: Required for some cases (e.g. homebrew packages).
{
"agent_info": {
"agent_id": "001"
},
"data_type": "dbsync_packages",
"data": {
"architecture": "x86_64",
"checksum": "1e6ce14f97f57d1bbd46ff8e5d3e133171a1bbce",
"description": "SSH (Secure SHell) is a program for logging into and executing\ncommands on a remote machine. SSH is intended to replace rlogin and\nrsh, and to provide secure encrypted communications between two\nuntrusted hosts over an insecure network. X11 connections and\narbitrary TCP/IP ports can also be forwarded over the secure channel.\n\nOpenSSH is OpenBSD's version of the last free version of SSH, bringing\nit up to date in terms of security and features.\n\nThis package includes the core files necessary for both the OpenSSH\nclient and server. To make this package useful, you should also\ninstall openssh-clients, openssh-server, or both.",
"format": "rpm",
"groups": "libs",
"item_id": "ec465b7eb5fa011a336e95614072e4c7f1a65a53",
"multiarch": "same",
"name": "openssh",
"priority": "optional",
"scan_time": "2023/08/04 19:56:11",
"size": 1989384,
"source": " ",
"vendor": "Amazon Linux",
"version": "8.7p1-8.amzn2023.0.9"
},
"operation": "INSERTED"
}
{
"agent_info": {
"agent_id": "001"
},
"data_type": "dbsync_packages",
"data": {
"architecture": "amd64",
"checksum": "1e6ce14f97f57d1bbd46ff8e5d3e133171a1bbce",
"description": "NSS",
"format": "rpm",
"groups": "libs",
"item_id": "ec465b7eb5fa011a336e95614072e4c7f1a65a53",
"multiarch": "same",
"name": "nss",
"priority": "optional",
"scan_time": "2023/08/04 19:56:11",
"size": 72,
"source": "nss",
"vendor": "Red Hat, Inc.",
"version": "3.53.1-3.el7_9"
},
"operation": "INSERTED"
}
{
"agent_info": {
"agent_id": "001"
},
"data_type": "dbsync_packages",
"data": {
"architecture": "amd64",
"checksum": "1e6ce14f97f57d1bbd46ff8e5d3e133171a1bbce",
"description": "Secure Sockets and Transport Layer Security",
"format": "rpm",
"groups": "libs",
"item_id": "ec465b7eb5fa011a336e95614072e4c7f1a65a53",
"multiarch": "same",
"name": "libopenssl1_1",
"priority": "optional",
"scan_time": "2023/08/04 19:56:11",
"size": 72,
"source": "libopenssl1_1",
"vendor": "suse LLC <https://www.suse.com/>",
"version": "1.1.0i-150100.14.42.1.x86_64"
},
"operation": "INSERTED"
}
{
"agent_info": {
"agent_id": "001"
},
"data_type": "state",
"data": {
"attributes_type": "syscollector_packages",
"attributes": {
"architecture": "x86_64",
"checksum": "26442734fdd4093095499cb8e1d8b380664109a0",
"description": "VIM (VIsual editor iMproved) is an updated and improved version of the\nvi editor. Vi was the first real screen-based editor for UNIX, and is\nstill very popular. VIM improves on vi by addingnew features:\nmultiple windows, multi-level undo, block highlighting and more. The\nvim-common package contains files which every VIM binary will need in\norder to run.\n\nIf you are installing vim-enhanced or vim-X11, you'll also need\nto install the vim-common package.",
"format": "rpm",
"groups": "Unspecified",
"install_time": "1747338731",
"item_id": "d499a33e8cbd95b5473ce782eb75886d599ceb6a",
"location": " ",
"name": "vim-common",
"priority": " ",
"scan_time": "2025/05/15 19:59:17",
"size": 31861347,
"source": " ",
"vendor": "Rocky Enterprise Software Foundation",
"version": "2:8.2.2637-21.el9"
},
"index": "d499a33e8cbd95b5473ce782eb75886d599ceb6a",
"timestamp": ""
}
}
{
"agent_info": {
"agent_id": "001"
},
"data_type": "dbsync_packages",
"data": {
"architecture": "amd64",
"checksum": "1e6ce14f97f57d1bbd46ff8e5d3e133171a1bbce",
"description": "LDAP-like embedded database - shared library",
"format": "deb",
"groups": "libs",
"item_id": "ec465b7eb5fa011a336e95614072e4c7f1a65a53",
"multiarch": "same",
"name": "libldb2",
"priority": "optional",
"scan_time": "2023/08/04 19:56:11",
"size": 72,
"source": "samba",
"vendor": "Debian Samba Maintainers <[email protected]>",
"version": "2:2.6.2+samba4.17.12+dfsg-0+deb12u1"
},
"operation": "INSERTED"
}
{
"agent_info": {
"agent_id": "004"
},
"data_type": "dbsync_packages",
"data": {
"architecture": "amd64",
"checksum": "1e6ce14f97f57d1bbd46ff8e5d3e133171a1bbce",
"description": "Network dispatching library for applications",
"format": "deb",
"groups": "libs",
"item_id": "ec465b7eb5fa011a336e95614072e4c7f1a65a53",
"multiarch": "same",
"name": "networkd-dispatcher",
"priority": "optional",
"scan_time": "2023/08/04 19:56:11",
"size": 72,
"source": "networkd-dispatcher",
"vendor": "Ubuntu Developers",
"version": "2.1-1ubuntu0.22.04.2"
},
"operation": "INSERTED"
}
{
"agent_info": {
"agent_id": "001"
},
"data_type": "dbsync_packages",
"data": {
"scan_time": "2024/07/04 19:03:19",
"format": "pacman",
"name": "openssh",
"size": 5778565,
"vendor": "Arch Linux",
"install_time": "2024/07/04 18:50:06",
"version": "9.7p1-2",
"architecture": "x86_64",
"description": "SSH protocol implementation for remote login, command execution and file transfer",
"checksum": "757e2f6eb5497e320a87f43cf37e6f0605744a1f",
"item_id": "1e6915113339de57ade9c25886732793d3421785"
},
"operation": "INSERTED"
}
{
"agent_info": {
"agent_id": "001"
},
"data_type": "dbsync_packages",
"data": {
"architecture": "amd64",
"checksum": "5e6ce14f97f57d1bbd46ff8e5d3e133171a1bbce",
"description": "Application for serving and sharing geospatial data",
"format": "pypi",
"groups": "libs",
"item_id": "5c465b7eb5fa011a336e95614072e4c7f1a65a53",
"multiarch": "same",
"name": "geonode",
"priority": "optional",
"scan_time": "2023/08/04 19:56:11",
"size": 72,
"source": "geonode",
"vendor": "pypi",
"version": "4.1.0-1"
},
"operation": "INSERTED"
}
{
"agent_info": {
"agent_id": "002"
},
"data_type": "state",
"data": {
"attributes_type": "syscollector_packages",
"attributes": {
"architecture": "i686",
"checksum": "72cb38e06710a81ba437ad222e3a6aaeefe90352",
"description": " ",
"format": "win",
"item_id": "9ca216dec5bef19993deb9d365debf11e7f554f9",
"multiarch": null,
"name": "Skype for Business Basic 2016",
"priority": " ",
"scan_time": "2025/03/05 14:04:53",
"size": 0,
"source": " ",
"vendor": "Microsoft Corporation",
"version": "2016"
}
}
}
{
"agent_info": {
"agent_id": "001",
"agent_ip": "any",
"agent_name": "centos9",
"agent_version": "v4.11.2"
},
"data_type": "state",
"data": {
"attributes_type": "syscollector_packages",
"attributes": {
"architecture": " ",
"checksum": "9829f9b2efe88f4aed2dd95fae446caed42b7294",
"description": "axion",
"format": "npm",
"groups": " ",
"install_time": " ",
"item_id": "78ce414f84bfa17682645bed561e97600ddd3446",
"location": "/usr/local/lib/node_modules/axion/package.json",
"name": "axion",
"priority": " ",
"scan_time": "2025/05/06 18:30:21",
"size": 0,
"source": "https://github.com/stelatech/axion#README",
"vendor": " ",
"version": "0.1.0"
},
"index": "78ce414f84bfa17682645bed561e97600ddd3446",
"timestamp": ""
}
}
{
"agent_info": {
"agent_id": "001",
"agent_ip": "any",
"agent_name": "centos9",
"agent_version": "v4.11.2"
},
"data_type": "state",
"data": {
"attributes_type": "syscollector_packages",
"attributes": {
"architecture": " ",
"checksum": "c68868d87169efb965edd7c78ab3014eb645a0f6",
"description": "Mozilla Firefox web browser",
"format": "snap",
"groups": " ",
"install_time": "2025/05/06 14:08:53",
"item_id": "e44f5b3c9fd3544295add0b3c9f35a39bedcc0b0",
"location": "/snap/firefox",
"multiarch": " ",
"name": "firefox",
"priority": " ",
"scan_time": "2025/05/06 18:30:56",
"size": 253280256,
"source": "snapcraft",
"vendor": "Mozilla",
"version": "138.0.1-1"
},
"index": "e44f5b3c9fd3544295add0b3c9f35a39bedcc0b0",
"timestamp": ""
}
}
{
"agent_info": {
"agent_id": "002"
},
"data_type": "integrity_clear",
"data": {
"id": 1700236640,
"attributes_type": "syscollector_packages"
}
}