wazuh-db
The ThreatLockDown core uses list-based databases to store information related to agent keys, and FIM/Rootcheck event data.
Note
Each agent has a database whose name is the ID of the agent registered in the manager.
wazuh-db options

Option | Description
---|---
-d | Basic debug mode.
-dd | Verbose debug mode.
-f | Run in foreground.
-h | Display the help message.
-V | Version and license message.
-t | Test configuration.
Tables available for wazuh-db
Agent tables
Task tables
fim_entry
Data from FIM records reported by the agent

Field | Description | Example
---|---|---
file | File name | /test/file
type | Type (file or registry) | file
date | Event timestamp | 1538556788
changes | Successive file changes | 0
size | File size | 28179
perm | File permissions | 100664
uid | User ID | 1000
gid | Group ID (Unix) | 1000
md5 | File MD5 | 6d9bd718faff778bbeabada6f07f5c2f
sha1 | File SHA1 | 3ad067d8949ab0e20c220d7b1acb338190967acc
uname | User name (Unix) | root
gname | Group name | root
mtime | Modify time | 1536059852
inode | Inode number | 14946484
sha256 | File SHA256 | 09aaf47929660c513332aa2349bc66ce7ae710d030888530e0ae27646c9e6f5d
attributes | File attributes mask (Windows) | 32
symbolic_path | Path of the monitored symbolic link | /test/link
checksum | SHA1 of all file attributes | da39a3ee5e6b4b0d3255bfef95601890afd80709
sync_info
It stores the information related to the synchronization between the databases of the agents and the manager

Field | Description | Example
---|---|---
component | Module name | fim
last_attempt | Unix timestamp of the last synchronization attempt | 1580906939
last_completion | Unix timestamp of the last successful synchronization | 1580906939
n_attempts | Number of synchronization attempts | 32
n_completions | Number of successful synchronizations | 29
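The queries an analyst typically runs against an agent database built on the fim_entry and sync_info tables above, as an added example that is not part of this page or of the project's own code. It uses only the Python standard library (sqlite3, stat, hashlib). The schema is reduced to the columns listed here, every row is constructed sample data (the content hashes are placeholders derived from the path, and the checksum column is filled with a placeholder rather than the real attribute checksum), and the on-disk location of a real agent database (assumed to be queue/db/<agent id>.db under the installation directory) is an assumption, not something this page states. The perm column is read as the octal mode string shown in the example column (100664).

```python
"""Triage queries over an agent database laid out like fim_entry and
sync_info.  Added example, not ThreatLockDown or Wazuh code: reduced schema,
constructed rows, and an assumed on-disk path for the real database."""
import hashlib
import sqlite3
import stat

SCHEMA = """
CREATE TABLE fim_entry (
    file TEXT PRIMARY KEY, type TEXT, date INTEGER, changes INTEGER,
    size INTEGER, perm TEXT, uid TEXT, gid TEXT, md5 TEXT, sha1 TEXT,
    uname TEXT, gname TEXT, mtime INTEGER, inode INTEGER, sha256 TEXT,
    attributes TEXT, symbolic_path TEXT, checksum TEXT);
CREATE TABLE sync_info (
    component TEXT PRIMARY KEY, last_attempt INTEGER,
    last_completion INTEGER, n_attempts INTEGER, n_completions INTEGER);
"""


def _placeholder_hashes(path):
    """Placeholder md5/sha1/sha256 for the constructed rows: hashes of the
    path string, not of any real file content."""
    b = path.encode()
    return (hashlib.md5(b).hexdigest(), hashlib.sha1(b).hexdigest(),
            hashlib.sha256(b).hexdigest())


def build_sample_db():
    """In-memory stand-in for <agent id>.db (assumed path queue/db/<id>.db)."""
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row
    con.executescript(SCHEMA)
    # (file, type, date, changes, size, perm, uid, gid, uname, gname,
    #  mtime, inode, attributes, symbolic_path)  -- constructed sample rows
    sample = [
        ("/usr/bin/passwd", "file", 1538556788, 0, 59976, "104755", "0", "0",
         "root", "root", 1536059852, 14946484, None, None),
        ("/tmp/dropper.sh", "file", 1538558233, 7, 512, "100777", "1000",
         "1000", "www-data", "www-data", 1538558200, 15000001, None, None),
        ("/etc/hosts", "file", 1538558233, 1, 220, "100644", "0", "0",
         "root", "root", 1538550000, 15000002, None, None),
        ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Example", "registry", 1538558233, 0,
         0, None, None, None, None, None, 1538558233, 0, "32", None),
    ]
    placeholders = ",".join("?" * 18)
    for (f, typ, date, ch, size, perm, uid, gid, un, gn,
         mtime, inode, attrs, sym) in sample:
        md5, sha1, sha256 = _placeholder_hashes(f)
        con.execute(f"INSERT INTO fim_entry VALUES ({placeholders})",
                    (f, typ, date, ch, size, perm, uid, gid, md5, sha1, un, gn,
                     mtime, inode, sha256, attrs, sym, sha1))  # sha1 = placeholder checksum
    con.executemany("INSERT INTO sync_info VALUES (?,?,?,?,?)", [
        ("fim", 1580906939, 1580906939, 32, 29),
        ("syscollector", 1580906939, 0, 5, 0),  # never completed a sync
    ])
    return con


def risky_permissions(con):
    """Map file -> flags for Unix file entries whose octal mode carries
    setuid, setgid or world-writable bits.  Registry rows and rows whose
    perm is not an octal string (e.g. Windows ACL text) are skipped."""
    flagged = {}
    for row in con.execute("SELECT file, type, perm FROM fim_entry"):
        perm = row["perm"]
        if row["type"] != "file" or not perm or not perm.isdigit():
            continue
        mode = int(perm, 8)
        flags = [name for bit, name in ((stat.S_ISUID, "setuid"),
                                        (stat.S_ISGID, "setgid"),
                                        (stat.S_IWOTH, "world-writable"))
                 if mode & bit]
        if flags:
            flagged[row["file"]] = flags
    return flagged


def churning_files(con, min_changes):
    """Files whose successive-changes counter reached min_changes, most changed first."""
    return [r["file"] for r in con.execute(
        "SELECT file FROM fim_entry WHERE changes >= ? ORDER BY changes DESC, file",
        (min_changes,))]


def sync_health(con, now, max_age):
    """Per component: whether the last successful sync is older than max_age
    seconds (or never happened) and the share of attempts that did not complete."""
    report = {}
    for r in con.execute("SELECT * FROM sync_info"):
        attempts = r["n_attempts"]
        report[r["component"]] = {
            "stale": r["last_completion"] == 0 or now - r["last_completion"] > max_age,
            "fail_rate": round(1 - r["n_completions"] / attempts, 2) if attempts else 0.0,
        }
    return report


if __name__ == "__main__":
    db = build_sample_db()
    print(risky_permissions(db))
    print(churning_files(db, 2))
    print(sync_health(db, now=1580906939 + 3600, max_age=7200))
```

A stale sync_info row matters more than it looks: while the agent-to-manager synchronization is failing, the manager-side fim_entry rows are the previous state, so any alert derived from them is about a file system that may already have changed.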
scan_info
It stores the begin and end times of each scan of an agent (used for agents prior to 3.12)

Field | Description | Example
---|---|---
module | Module name | fim
first_start | First scan begin date | 1538558233
first_end | First scan end date | 1538556788
start_scan | Last scan start date | 1538558233
end_scan | Last scan end date | 1538558192
fim_first_check | Start date of the first scan | 1538558233
fim_second_check | Start date of two scans ago | 1538556779
fim_third_check | Start date of three scans ago | 1538555325
Note
Fields fim_first_check, fim_second_check and fim_third_check are only used on FIM scans.
metadata
Data needed to upgrade the agent's database

Field | Description | Example
---|---|---
key | Field name | db_version
value | Field value | 3

New in version 4.4.0.
The key field can also store the following values:
last_vacuum_time: its value field stores the last time the vacuum was performed.
last_vacuum_value: its value field stores the fragmentation value that the database was left with after the last vacuum was performed.
Syscollector tables

Table | Description
---|---
 | Stores information about the hardware of the system
 | Stores information about the existing network interfaces of the system
 | Stores information about the IPv4 and IPv6 addresses of the existing network interfaces
 | Stores information about the routing configuration for each interface
 | Stores information about the operating system
 | Stores information about the open ports of the system
 | Stores information about the processes currently running on the system
 | Stores information about the packages installed on the system
 | Stores information about the Windows updates installed on the agent
CIS-CAT table
Results of a CIS-CAT scan of an agent

Field | Description | Example
---|---|---
id | Unique identifier | 12372
scan_id | Scan identifier | 1701467600
scan_time | Scan time | 2018-02-08T11:47:28.066-08:00
benchmark | Executed benchmark | CIS Ubuntu Linux 16.04 LTS Benchmark
profile | Profile executed inside the benchmark | xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server
pass | Number of checks passed | 98
fail | Number of checks failed | 85
error | Number of errors | 0
notchecked | Number of checks not checked | 36
unknown | Number of unknown results | 1
score | Final score | 53%
tasks
Tasks executed on the agents

Field | Description | Example
---|---|---
task_id | Task unique identifier | 14
agent_id | Agent identifier | 5
node | Node that executed the task | node01
module | Module that requested the task | upgrade_module
command | Command executed | upgrade
create_time | Timestamp of the task creation | 1599147413
last_update_time | Timestamp of the last change | 1599147657
status | Current status of the task | Failed
error_message | Error message (optional; set when the task failed) | Upgrade procedure exited with error code
The possible statuses of a task are the following:
Pending: The task was created but is not running yet.
In progress: The task is running.
Done: The execution of the task finished successfully.
Failed: The execution of the task finished with an error. It should carry an error message with more information.
Cancelled: The task was cancelled and will not run.
Timeout: The task ran for a long period of time (configurable) and no final result was obtained.
Legacy: The result of the task cannot be known and must be checked manually.
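Lifecycle checks over a tasks table laid out like the one above, following the status definitions just listed, as an added example that is not part of this page or of the project's own code. It uses only the Python standard library (sqlite3); every row is constructed sample data, and the manager's real tasks database would be opened instead of the in-memory copy (its path is not given on this page and is not assumed here). The "stale running" check applies a caller-supplied runtime limit to tasks still In progress, which is the condition the Timeout status describes; the "failed without message" check finds Failed rows that lack the error message the status is expected to carry.

```python
"""Lifecycle checks over a tasks table.  Added example, not ThreatLockDown or
Wazuh code: the rows are constructed and the database is in memory."""
import sqlite3

# Statuses after which a task will not change again (from the list above).
TERMINAL_STATUSES = {"Done", "Failed", "Cancelled", "Timeout", "Legacy"}


def build_tasks_db():
    """In-memory stand-in for the manager's tasks database with constructed rows."""
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row
    con.execute("""CREATE TABLE tasks (
        task_id INTEGER PRIMARY KEY, agent_id INTEGER, node TEXT, module TEXT,
        command TEXT, create_time INTEGER, last_update_time INTEGER,
        status TEXT, error_message TEXT)""")
    con.executemany("INSERT INTO tasks VALUES (?,?,?,?,?,?,?,?,?)", [
        # the row from the example column above
        (14, 5, "node01", "upgrade_module", "upgrade", 1599147413, 1599147657,
         "Failed", "Upgrade procedure exited with error code"),
        # running, no update for almost an hour at the reference time below
        (15, 6, "node01", "upgrade_module", "upgrade", 1599147500, 1599147500,
         "In progress", None),
        # running, updated a few minutes ago
        (16, 7, "node02", "upgrade_module", "upgrade", 1599150000, 1599150200,
         "In progress", None),
        # failed but nobody recorded why
        (17, 8, "node01", "upgrade_module", "upgrade", 1599147000, 1599147300,
         "Failed", None),
        (18, 9, "node02", "upgrade_module", "upgrade", 1599147000, 1599147100,
         "Done", None),
    ])
    return con


def stale_running_tasks(con, now, max_runtime):
    """task_ids still 'In progress' whose last change is older than max_runtime
    seconds: candidates for the Timeout status, or for an operator to look at."""
    return [r["task_id"] for r in con.execute(
        "SELECT task_id FROM tasks WHERE status = 'In progress' "
        "AND ? - last_update_time > ? ORDER BY task_id", (now, max_runtime))]


def failed_without_message(con):
    """Failed tasks missing the error message the Failed status should carry."""
    return [r["task_id"] for r in con.execute(
        "SELECT task_id FROM tasks WHERE status = 'Failed' "
        "AND (error_message IS NULL OR error_message = '') ORDER BY task_id")]


def open_tasks_for_agent(con, agent_id):
    """Non-terminal tasks for one agent; a new task for that agent would
    overlap with these."""
    marks = ",".join("?" * len(TERMINAL_STATUSES))
    return [r["task_id"] for r in con.execute(
        f"SELECT task_id FROM tasks WHERE agent_id = ? AND status NOT IN ({marks}) "
        "ORDER BY task_id", (agent_id, *sorted(TERMINAL_STATUSES)))]


def status_counts(con):
    """Number of tasks per status."""
    return {r["status"]: r["n"] for r in con.execute(
        "SELECT status, COUNT(*) AS n FROM tasks GROUP BY status")}


if __name__ == "__main__":
    db = build_tasks_db()
    print(stale_running_tasks(db, now=1599151000, max_runtime=1800))
    print(failed_without_message(db))
    print(open_tasks_for_agent(db, 6))
    print(status_counts(db))
```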