wazuh-db

The ThreatLockDown core uses list-based databases to store information related to agent keys and FIM/Rootcheck event data.

Note

Each agent has its own database, named after the ID that the agent was registered with in the manager.

wazuh-db options

  -d     Basic debug mode.
  -dd    Verbose debug mode.
  -f     Run in foreground.
  -h     Display the help message.
  -V     Version and license message.
  -t     Test configuration.

Tables available for wazuh-db

Agent tables

Task tables

fim_entry

Data from FIM records reported by the agent

Field           Description                          Example
file            File name                            /test/file
type            Type (file or registry)              file
date            Event timestamp                      1538556788
changes         Successive file changes              0
size            File size                            28179
perm            File permissions                     100664
uid             User ID                              1000
gid             Group ID (Unix)                      1000
md5             File MD5                             6d9bd718faff778bbeabada6f07f5c2f
sha1            File SHA1                            3ad067d8949ab0e20c220d7b1acb338190967acc
uname           User name (Unix)                     root
gname           Group name                           root
mtime           Modification time                    1536059852
inode           Inode number                         14946484
sha256          File SHA256                          09aaf47929660c513332aa2349bc66ce7ae710d030888530e0ae27646c9e6f5d
attributes      File attributes mask (Windows)       32
symbolic_path   Path of the monitored symbolic link  /test/link
checksum        SHA1 of all file attributes          da39a3ee5e6b4b0d3255bfef95601890afd80709
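As an added example (not code from this page or from the project), the following Python rebuilds the fim_entry table in an in-memory SQLite database from the field list above and runs two defender-side queries over it: one that flags regular files whose stored mode is world-writable or setuid/setgid, and one that lists entries reported after a given timestamp. The column types, the helper names and the second sample row are assumptions made here; the first row reuses the page's own example values.

```python
# Added example: queries over a fim_entry table rebuilt from the field list
# documented above. The DDL below is an assumption derived from that list
# (column names follow the page; the SQLite types are mine, not the project's
# schema). The first row is the page's example, the second is constructed.
import sqlite3

FIM_ENTRY_DDL = """
CREATE TABLE fim_entry (
    file TEXT PRIMARY KEY,
    type TEXT,
    date INTEGER,
    changes INTEGER,
    size INTEGER,
    perm TEXT,
    uid INTEGER,
    gid INTEGER,
    md5 TEXT,
    sha1 TEXT,
    uname TEXT,
    gname TEXT,
    mtime INTEGER,
    inode INTEGER,
    sha256 TEXT,
    attributes INTEGER,
    symbolic_path TEXT,
    checksum TEXT
);
"""

SAMPLE_ROWS = [
    # Page example row.
    ("/test/file", "file", 1538556788, 0, 28179, "100664", 1000, 1000,
     "6d9bd718faff778bbeabada6f07f5c2f",
     "3ad067d8949ab0e20c220d7b1acb338190967acc", "root", "root",
     1536059852, 14946484,
     "09aaf47929660c513332aa2349bc66ce7ae710d030888530e0ae27646c9e6f5d",
     32, "/test/link", "da39a3ee5e6b4b0d3255bfef95601890afd80709"),
    # Constructed row: a setuid, world-writable binary that changed twice.
    ("/test/bin/helper", "file", 1538600000, 2, 4096, "104777", 0, 0,
     "0" * 32, "0" * 40, "root", "root", 1538599990, 14946485, "0" * 64,
     32, None, "0" * 40),
]


def open_sample_db():
    """Create the table in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(FIM_ENTRY_DDL)
    conn.executemany("INSERT INTO fim_entry VALUES (%s)" % ",".join("?" * 18),
                     SAMPLE_ROWS)
    return conn


def parse_perm(perm):
    """perm is stored as an octal mode string such as '100664'.
    Return it as an int, or None when it is not an octal string."""
    try:
        return int(perm, 8)
    except (TypeError, ValueError):
        return None


def risky_permissions(conn):
    """(file, perm) for regular files that are world-writable or setuid/setgid."""
    out = []
    for path, ftype, perm in conn.execute("SELECT file, type, perm FROM fim_entry"):
        if ftype != "file":
            continue
        mode = parse_perm(perm)
        if mode is None:
            continue
        if mode & 0o002 or mode & 0o6000:
            out.append((path, perm))
    return out


def changed_since(conn, ts):
    """(file, changes, date) for entries whose last event is newer than ts."""
    return conn.execute(
        "SELECT file, changes, date FROM fim_entry WHERE date > ? ORDER BY date",
        (ts,)).fetchall()


if __name__ == "__main__":
    db = open_sample_db()
    print(risky_permissions(db))
    print(changed_since(db, 1538556788))
```

The mode check treats perm as the octal string the example row shows; entries whose perm does not parse as octal (for instance registry entries, which are skipped by type anyway) are ignored rather than misclassified.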

sync_info

Stores information about the synchronization between the agent databases and the manager.

Field             Description                                          Example
component         Module name                                          fim
last_attempt      Unix timestamp of the last synchronization attempt   1580906939
last_completion   Unix timestamp of the last successful synchronization 1580906939
n_attempts        Number of synchronization attempts                   32
n_completions     Number of successful synchronizations                29

scan_info

Stores the start and end times of each scan of an agent (used for agents prior to version 3.12).

Field              Description                    Example
module             Module name                    fim
first_start        First scan begin date          1538558233
first_end          First scan end date            1538556788
start_scan         Last scan start date           1538558233
end_scan           Last scan end date             1538558192
fim_first_check    Start date of first scan       1538558233
fim_second_check   Start date of two scans ago    1538556779
fim_third_check    Start date of three scans ago  1538555325

Note

The fields fim_first_check, fim_second_check and fim_third_check are only used for FIM scans.

metadata

Data needed to upgrade the agent's database

Field   Description   Example
key     Field name    db_version
value   Field value   3

New in version 4.4.0.

The key field can also store the following values:

  • last_vacuum_time: its value field stores the last time the vacuum was performed.

  • last_vacuum_value: its value field stores the fragmentation value that the database was left with after the last vacuum was performed.
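As an added example covering both the sync_info table and the metadata table above (not code from this page or from the project), the Python below loads both tables into an in-memory SQLite database and produces the kind of per-agent health summary an operator would want: for each synchronized component, how far the last completion lags behind the last attempt and what fraction of attempts succeed; and from metadata, the database version and the vacuum keys introduced in 4.4.0. Column names follow the page; the SQLite types, the thresholds, the helper names and every row other than the page's fim example are assumptions made here.

```python
# Added example: agent-database health summary from sync_info and metadata.
# The DDL is an assumption derived from the documented field lists (column
# names from the page, types mine). Sample rows are constructed except the
# sync_info row for fim, which reuses the page's example values.
import sqlite3

DDL = """
CREATE TABLE sync_info (
    component TEXT PRIMARY KEY,
    last_attempt INTEGER,
    last_completion INTEGER,
    n_attempts INTEGER,
    n_completions INTEGER
);
CREATE TABLE metadata (
    key TEXT PRIMARY KEY,
    value TEXT
);
"""

SAMPLE = {
    "sync_info": [
        ("fim", 1580906939, 1580906939, 32, 29),            # page example: healthy
        ("syscollector", 1580910000, 1580903000, 40, 10),   # constructed: lagging
    ],
    "metadata": [
        ("db_version", "3"),
        ("last_vacuum_time", "1580900000"),
        ("last_vacuum_value", "25"),
    ],
}


def open_sample_db():
    """Create both tables in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(DDL)
    conn.executemany("INSERT INTO sync_info VALUES (?,?,?,?,?)", SAMPLE["sync_info"])
    conn.executemany("INSERT INTO metadata VALUES (?,?)", SAMPLE["metadata"])
    return conn


def sync_status(conn, max_lag=3600, min_success_ratio=0.5):
    """Per component: lag between last attempt and last completion (seconds),
    success ratio, and a list of problems. 'stale' means the last attempt has
    not completed within max_lag seconds; 'failing' means too few attempts
    succeed. Thresholds are illustrative, not project defaults."""
    report = {}
    query = ("SELECT component, last_attempt, last_completion, "
             "n_attempts, n_completions FROM sync_info")
    for comp, attempt, completion, n_att, n_comp in conn.execute(query):
        lag = attempt - completion
        ratio = n_comp / n_att if n_att else 0.0
        problems = []
        if lag > max_lag:
            problems.append("stale")
        if ratio < min_success_ratio:
            problems.append("failing")
        report[comp] = {"lag": lag, "success_ratio": round(ratio, 3),
                        "problems": problems}
    return report


def db_metadata(conn):
    """db_version and the 4.4.0 vacuum keys from the key/value table.
    Keys absent from older databases come back as None."""
    kv = dict(conn.execute("SELECT key, value FROM metadata"))

    def as_int(name):
        return int(kv[name]) if name in kv else None

    return {
        "db_version": as_int("db_version"),
        "last_vacuum_time": as_int("last_vacuum_time"),
        "last_vacuum_value": as_int("last_vacuum_value"),
    }


if __name__ == "__main__":
    db = open_sample_db()
    print(sync_status(db))
    print(db_metadata(db))
```

A component that keeps attempting but never completes shows up as both stale and failing; one that completed long ago and has simply stopped attempting shows a lag of zero, so an alert on the timestamp age alone is also worthwhile in practice.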

Syscollector tables

Table           Description
sys_hwinfo      Stores information about the hardware of the system
sys_netiface    Stores information about the existing network interfaces of the system
sys_netaddr     Stores information about the IPv4 and IPv6 addresses of the existing network interfaces
sys_netproto    Stores information about the routing configuration for each interface
sys_osinfo      Stores information about the operating system
sys_ports       Stores information about the open ports of the system
sys_processes   Stores information about the processes currently running on the system
sys_programs    Stores information about the packages installed on the system
sys_hotfixes    Stores information about the Windows updates installed on the agent

CIS-CAT table

Results of a CIS-CAT scan of an agent

Field        Description                             Example
id           Unique identifier                       12372
scan_id      Scan identifier                         1701467600
scan_time    Scan time                               2018-02-08T11:47:28.066-08:00
benchmark    Executed benchmark                      CIS Ubuntu Linux 16.04 LTS Benchmark
profile      Profile executed within the benchmark   xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server
pass         Number of checks passed                 98
fail         Number of checks failed                 85
error        Number of checks with errors            0
notchecked   Number of checks not checked            36
unknown      Number of checks with unknown result    1
score        Final score                             53%
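As an added example (not code from this page or from the project), the Python below loads CIS-CAT result rows with the fields above into an in-memory SQLite database and answers two questions a compliance reviewer asks of them: which benchmark/profile pairs currently score below a threshold, and where the number of failed checks grew between the two most recent scans. The page does not name the table, so ciscat_results_example is a placeholder; the SQLite types and all rows except the page's own example (id 12372) are constructed.

```python
# Added example: reviewing CIS-CAT results stored with the fields documented
# above. Table name, column types, thresholds and the second and third rows are
# assumptions; the first row reuses the page's example values.
import sqlite3

# "pass" and "fail" are quoted so they cannot clash with SQL keywords.
DDL = """
CREATE TABLE ciscat_results_example (
    id INTEGER PRIMARY KEY,
    scan_id INTEGER,
    scan_time TEXT,
    benchmark TEXT,
    profile TEXT,
    "pass" INTEGER,
    "fail" INTEGER,
    error INTEGER,
    notchecked INTEGER,
    unknown INTEGER,
    score TEXT
);
"""

UBUNTU = "CIS Ubuntu Linux 16.04 LTS Benchmark"
L2_SERVER = "xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server"
DIL = "CIS Distribution Independent Linux Benchmark"               # constructed
L1_SERVER = "xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Server"  # constructed

SAMPLE_RESULTS = [
    # Page example.
    (12372, 1701467600, "2018-02-08T11:47:28.066-08:00", UBUNTU, L2_SERVER,
     98, 85, 0, 36, 1, "53%"),
    # Constructed: a later scan of the same benchmark with more failures.
    (12373, 1701470000, "2018-02-09T11:47:28.066-08:00", UBUNTU, L2_SERVER,
     90, 93, 0, 36, 1, "49%"),
    # Constructed: a different benchmark scanned once.
    (12374, 1701470000, "2018-02-09T11:47:28.066-08:00", DIL, L1_SERVER,
     120, 20, 0, 10, 0, "85%"),
]


def open_sample_db():
    """Create the table in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(DDL)
    conn.executemany("INSERT INTO ciscat_results_example VALUES (%s)"
                     % ",".join("?" * 11), SAMPLE_RESULTS)
    return conn


def parse_score(score):
    """The score field is stored as text such as '53%'; return the integer."""
    return int(score.strip().rstrip("%"))


def latest_two(conn):
    """Map (benchmark, profile) to up to two (scan_id, pass, fail, score)
    tuples, newest first, so a regression check can compare consecutive scans."""
    grouped = {}
    query = ('SELECT benchmark, profile, scan_id, "pass", "fail", score '
             "FROM ciscat_results_example ORDER BY scan_id DESC, id DESC")
    for bench, prof, scan_id, passed, failed, score in conn.execute(query):
        runs = grouped.setdefault((bench, prof), [])
        if len(runs) < 2:
            runs.append((scan_id, passed, failed, score))
    return grouped


def below_threshold(conn, threshold):
    """(benchmark, profile, score) for pairs whose latest score is under threshold."""
    out = []
    for (bench, prof), runs in latest_two(conn).items():
        score = parse_score(runs[0][3])
        if score < threshold:
            out.append((bench, prof, score))
    return sorted(out)


def regressions(conn):
    """(benchmark, profile, previous_fail, latest_fail) where failures increased."""
    out = []
    for (bench, prof), runs in latest_two(conn).items():
        if len(runs) == 2 and runs[0][2] > runs[1][2]:
            out.append((bench, prof, runs[1][2], runs[0][2]))
    return sorted(out)


if __name__ == "__main__":
    db = open_sample_db()
    print(below_threshold(db, 60))
    print(regressions(db))
```

Ordering by scan_id rather than scan_time avoids parsing the timezone-suffixed timestamp; the example keeps scan_time only as stored text.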

Task tables

tasks

Tasks executed on the agents

Field              Description                                Example
task_id            Task unique identifier                     14
agent_id           Agent identifier                           5
node               Node that executed the task                node01
module             Module that requested the task             upgrade_module
command            Command executed                           upgrade
create_time        Timestamp of the task creation             1599147413
last_update_time   Timestamp of the last change               1599147657
status             Current status of the task                 Failed
error_message      Error details (set when the task failed)   Upgrade procedure exited with error code

The possible statuses of a task are the following:

  • Pending: The task was created but is not running yet.

  • In progress: The task is running.

  • Done: The execution of the task finished successfully.

  • Failed: The execution of the task finished with an error. It should have an error message with more information.

  • Cancelled: The task was cancelled and will not run.

  • Timeout: The task ran for a long period of time (configurable) and no final result was obtained.

  • Legacy: The result of the task cannot be known and must be checked manually.
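As an added example (not code from this page or from the project), the Python below loads a tasks table with the fields and statuses documented above into an in-memory SQLite database and runs the checks an operator would want when auditing agent tasks: In progress tasks that have not been updated within a timeout (the ones that should end up as Timeout), Failed tasks together with their error messages, a count per status, and rows whose status is not one of the documented values. Column names and status strings follow the page; the SQLite types, the timeout value and every row other than the page's own example (task 14) are constructed.

```python
# Added example: auditing the tasks table documented above. The DDL column
# names follow the page; the SQLite types are mine. Task 14 is the page's
# example row, the rest are constructed (task 18 carries a deliberately
# undocumented status so the validity check has something to find).
import sqlite3

VALID_STATUSES = {"Pending", "In progress", "Done", "Failed",
                  "Cancelled", "Timeout", "Legacy"}

DDL = """
CREATE TABLE tasks (
    task_id INTEGER PRIMARY KEY,
    agent_id INTEGER,
    node TEXT,
    module TEXT,
    command TEXT,
    create_time INTEGER,
    last_update_time INTEGER,
    status TEXT,
    error_message TEXT
);
"""

SAMPLE_TASKS = [
    (14, 5, "node01", "upgrade_module", "upgrade", 1599147413, 1599147657,
     "Failed", "Upgrade procedure exited with error code"),      # page example
    (15, 7, "node01", "upgrade_module", "upgrade", 1599147500, 1599147600,
     "In progress", None),                                       # stale
    (16, 8, "node02", "upgrade_module", "upgrade", 1599150000, 1599150300,
     "Done", None),
    (17, 9, "node02", "upgrade_module", "upgrade", 1599150100, 1599150150,
     "In progress", None),                                       # recent
    (18, 9, "node02", "upgrade_module", "upgrade", 1599150200, 1599150200,
     "Running", None),                                           # bogus status
]


def open_sample_db():
    """Create the table in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(DDL)
    conn.executemany("INSERT INTO tasks VALUES (?,?,?,?,?,?,?,?,?)", SAMPLE_TASKS)
    return conn


def stale_in_progress(conn, now, timeout):
    """task_ids still 'In progress' whose last update is older than timeout
    seconds relative to now. These are the candidates for the Timeout status."""
    rows = conn.execute(
        "SELECT task_id FROM tasks WHERE status = 'In progress' "
        "AND last_update_time < ? ORDER BY task_id", (now - timeout,))
    return [r[0] for r in rows]


def failed_tasks(conn):
    """(task_id, agent_id, error_message) for every Failed task. A Failed task
    without a message is itself worth noticing, so None is kept, not filtered."""
    return conn.execute(
        "SELECT task_id, agent_id, error_message FROM tasks "
        "WHERE status = 'Failed' ORDER BY task_id").fetchall()


def status_counts(conn):
    """Number of tasks per status string, as stored."""
    return dict(conn.execute("SELECT status, COUNT(*) FROM tasks GROUP BY status"))


def unknown_statuses(conn):
    """(task_id, status) for rows whose status is not a documented value."""
    return [(tid, st) for tid, st in
            conn.execute("SELECT task_id, status FROM tasks ORDER BY task_id")
            if st not in VALID_STATUSES]


if __name__ == "__main__":
    db = open_sample_db()
    print(stale_in_progress(db, now=1599151000, timeout=900))
    print(failed_tasks(db))
    print(status_counts(db))
    print(unknown_statuses(db))
```

The staleness check uses last_update_time rather than create_time so that a long but actively progressing task is not reported; the timeout passed in is an illustrative value, not the project's configured one.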