
Collecting System Inventory with Wazuh Syscollector


Collecting System Inventory with Wazuh Syscollector

A clear, practical guide for viewing inventory, exporting reports, and querying via Dev Tools


Table of Contents

  1. Introduction – Why system inventory matters
  2. How Syscollector Works
  3. Verification of Syscollector on Agents
  4. Explore Inventory in the Dashboard
  5. Practical Example: Detecting Changes
  6. Conclusion

1. Introduction – Why system inventory matters

An accurate system inventory is one of the most fundamental components of cybersecurity. Without visibility into what hardware, software, and processes are present in an environment, it is nearly impossible to detect anomalies or respond effectively to threats.

The Syscollector module of Wazuh provides this visibility by automatically collecting:

  • Hardware information
  • Operating system details
  • Installed software
  • Running processes
  • Open ports and network interfaces

This data gives security teams and administrators a baseline of their infrastructure. Any unexpected change, such as new software, a suspicious process, or a newly opened port, can be quickly identified and investigated.

In this tutorial, we will verify Syscollector configuration, explore inventory in the dashboard, access data via API, and detect changes on endpoints.


2. How Syscollector Works

Syscollector is part of the Wazuh agent, which runs on each endpoint (Linux, Windows, macOS).

Syscollector architecture: Agents → Wazuh Server/Manager → Dashboard
Figure 1: Syscollector runs on agents, collects system inventory, and sends it to the Wazuh server for visualization.

• Each agent collects inventory information locally.
• This data is sent to the Wazuh server.
• It is then stored in the indexer and displayed in the Wazuh dashboard, where it can be filtered, analyzed, and exported.

This centralized view allows security teams to monitor multiple systems from a single dashboard.


3. Verification of Syscollector on Agents

Syscollector is enabled by default in Wazuh agents, but we can confirm this by checking the agent's configuration file, ossec.conf. Its full path is:

/var/ossec/etc/ossec.conf

Code Snippet 1: Full path of the configuration file

In this configuration file, find the following block, which shows that Syscollector is enabled by default:

<!-- System inventory -->
<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <scan_on_start>yes</scan_on_start>
  <hardware>yes</hardware>
  <os>yes</os>
  <network>yes</network>
  <packages>yes</packages>
  <ports all="no">yes</ports>
  <processes>yes</processes>

  <!-- Database synchronization settings -->
  <synchronization>
    <max_eps>10</max_eps>
  </synchronization>
</wodle>

Code Snippet 2: Syscollector from ossec.conf

This configuration shows that Syscollector is enabled, scans every hour, and also scans on agent startup. All inventory types are collected; with all="no" on the ports element, only listening ports are reported rather than every port.
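As an added example (not code from the tutorial or from Wazuh), the following script reads an ossec.conf, extracts the syscollector wodle, and reports anything a defender would want to know before trusting the inventory: whether the module is disabled, whether the interval is longer than an acceptable maximum, whether scan_on_start is off, and which collectors are switched off. The sample configuration embedded below is constructed from the snippet above; pass a real path such as /var/ossec/etc/ossec.conf as the first argument to check an agent. The interval threshold and the function names are the example's own choices.

```python
"""Check the Syscollector wodle settings in a Wazuh agent's ossec.conf."""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample, mirroring the tutorial's snippet; on a real agent read
# /var/ossec/etc/ossec.conf instead (pass its path as the first argument).
SAMPLE_OSSEC_CONF = """
<ossec_config>
  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>
</ossec_config>
"""

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def interval_to_seconds(value: str) -> int:
    """Convert a Wazuh interval such as '1h', '30m' or '3600' to seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhdw]?)\s*", value)
    if not m:
        raise ValueError(f"unrecognised interval: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def load_syscollector(conf_text: str) -> dict:
    """Return the settings of the syscollector wodle found in ossec.conf text.

    A real ossec.conf may hold several top-level <ossec_config> blocks, which is
    not well-formed XML, so the text is wrapped in a synthetic root first.
    """
    root = ET.fromstring(f"<root>{conf_text}</root>")
    wodle = root.find(".//wodle[@name='syscollector']")
    if wodle is None:
        return {"present": False}

    def text(tag: str, default: str) -> str:
        el = wodle.find(tag)
        return el.text.strip() if el is not None and el.text else default

    scans = ["hardware", "os", "network", "packages", "ports", "processes"]
    ports = wodle.find("ports")
    return {
        "present": True,
        # Missing elements are treated as the enabled defaults described above.
        "enabled": text("disabled", "no") == "no",
        "interval_seconds": interval_to_seconds(text("interval", "1h")),
        "scan_on_start": text("scan_on_start", "yes") == "yes",
        "scans": {s: text(s, "yes") == "yes" for s in scans},
        "ports_all": ports is not None and ports.get("all", "no") == "yes",
    }


def check_syscollector(conf_text: str, max_interval_seconds: int = 3600) -> list:
    """Return a list of findings; an empty list means the module looks healthy."""
    cfg = load_syscollector(conf_text)
    if not cfg["present"]:
        return ["no syscollector wodle found in the configuration"]
    findings = []
    if not cfg["enabled"]:
        findings.append("syscollector is disabled; no inventory will be collected")
    if cfg["interval_seconds"] > max_interval_seconds:
        findings.append(f"interval is {cfg['interval_seconds']}s, above the "
                        f"{max_interval_seconds}s maximum; changes will be slow to appear")
    if not cfg["scan_on_start"]:
        findings.append("scan_on_start is off; an agent restart will not refresh the inventory")
    off = [s for s, on in cfg["scans"].items() if not on]
    if off:
        findings.append("collectors switched off: " + ", ".join(off))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            conf = fh.read()
    else:
        conf = SAMPLE_OSSEC_CONF
    for line in check_syscollector(conf) or ["syscollector configuration looks fine"]:
        print(line)
```

Run it as `python3 check_syscollector.py /var/ossec/etc/ossec.conf` on an agent (root is needed to read the file); a non-empty list of findings is what to act on, and the interval threshold can be lowered for hosts where inventory drift must surface faster.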


4. Explore Inventory in the Dashboard

The system inventory collected by Syscollector can be reviewed or downloaded directly in the Wazuh dashboard. After Syscollector has run (either at agent start, if scan_on_start is enabled, or at the configured interval), navigate to Agents → [Select Agent] → Inventory to see details for a specific system.

From here, several tabs are available, such as System (OS details, CPU, memory), Software (installed packages), and Processes (running applications). The data can also be exported for reporting or auditing purposes: click Export formatted to download a CSV file, or select Generate report to create a full PDF. Please check Figure 1 for reference.

For more advanced use, Syscollector data can also be accessed through the Wazuh API using Dev Tools. Simply navigate to Server Management → Dev Tools and run queries like:

GET /syscollector/006/os?pretty=true

Code Snippet 3: Request query from Dev Tools

We can replace os with packages, ports, or processes (006 is the agent ID) to retrieve specific inventory information directly via the API. This is especially useful for automation, integrations, or deeper investigations.

Dev Tools request and JSON response for Syscollector OS data
Figure 2: Dev Tools JSON response showing OS inventory details returned by the Syscollector API.

Figure 2 shows how to query Syscollector data through the Wazuh Dev Tools using a simple GET request. On the right side, the JSON response displays detailed OS inventory information for the selected agent, including platform, version, architecture, and the last scan timestamp.


5. Practical Example: Detecting Changes

To demonstrate how Syscollector helps detect changes:

  1. Install a package on one agent.
  2. After the next scan, Syscollector detects it and lists it in the Software tab.
  3. Uninstall the package and refresh the inventory view; the package disappears after the following scan.

Note: Syscollector reflects system modifications only when a scan runs, that is, at the configured interval. If scan_on_start is enabled, changes appear sooner after an agent restart. If the interval is long, it may take some time before the new state is visible in the dashboard.
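The API access described in Section 4 and the change detection of Section 5 can be combined into one script. The following is an added example, not code from the tutorial or from Wazuh: it authenticates to the Wazuh API, pulls the full package inventory for an agent (following the API's offset/limit pagination so hosts with more packages than one page are still covered), saves it as a baseline on the first run, and on later runs reports packages that were added, removed, or changed version. The environment variable names (WAZUH_API_URL, WAZUH_API_USER, WAZUH_API_PASSWORD, WAZUH_CA_BUNDLE), the baseline file name, and the two sample inventories are the example's own assumptions and constructed data; agent ID 006 is taken from the Dev Tools query above.

```python
"""Diff an agent's Syscollector package inventory against a saved baseline.

Assumptions (not from the tutorial): API URL and credentials come from the
environment (WAZUH_API_URL, WAZUH_API_USER, WAZUH_API_PASSWORD, optional
WAZUH_CA_BUNDLE), and the baseline lives in baseline-<agent_id>.json.
"""
import base64
import json
import os
import ssl
import sys
import urllib.request
from urllib.parse import urlencode


def _api_call(url: str, auth_header: str, context: ssl.SSLContext, method: str = "GET") -> dict:
    """Perform one HTTPS call against the Wazuh API and decode the JSON body."""
    req = urllib.request.Request(url, method=method)
    req.add_header("Authorization", auth_header)
    with urllib.request.urlopen(req, timeout=60, context=context) as resp:
        return json.load(resp)


def get_token(api_url: str, user: str, password: str, context: ssl.SSLContext) -> str:
    """POST /security/user/authenticate with basic auth and return the bearer token."""
    basic = base64.b64encode(f"{user}:{password}".encode()).decode()
    body = _api_call(f"{api_url}/security/user/authenticate", f"Basic {basic}", context, "POST")
    return body["data"]["token"]


def fetch_packages(api_url: str, token: str, agent_id: str, context: ssl.SSLContext,
                   page: int = 500) -> list:
    """GET /syscollector/{agent_id}/packages, walking offset/limit pages until done."""
    items, offset = [], 0
    while True:
        query = urlencode({"offset": offset, "limit": page,
                           "select": "name,version,architecture,format"})
        body = _api_call(f"{api_url}/syscollector/{agent_id}/packages?{query}",
                         f"Bearer {token}", context)
        batch = body["data"]["affected_items"]
        items.extend(batch)
        offset += len(batch)
        if not batch or offset >= body["data"]["total_affected_items"]:
            return items


def index_packages(items: list) -> dict:
    """Key each package by (name, architecture) -> version."""
    return {(p["name"], p.get("architecture", "")): p.get("version", "") for p in items}


def diff_inventory(baseline: list, current: list) -> dict:
    """Return packages added, removed, and changed in version between two scans."""
    old, new = index_packages(baseline), index_packages(current)
    return {
        "added": sorted(k for k in new if k not in old),
        "removed": sorted(k for k in old if k not in new),
        "changed": sorted((k, old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]),
    }


# Constructed sample inventories in the shape of the API's affected_items,
# standing in for a saved baseline and a later scan of the same agent.
BASELINE_PACKAGES = [
    {"name": "bash", "version": "5.1-6", "architecture": "amd64", "format": "deb"},
    {"name": "curl", "version": "7.81.0-1", "architecture": "amd64", "format": "deb"},
    {"name": "openssh-server", "version": "1:8.9p1-3", "architecture": "amd64", "format": "deb"},
    {"name": "telnet", "version": "0.17-44", "architecture": "amd64", "format": "deb"},
]
CURRENT_PACKAGES = [
    {"name": "bash", "version": "5.1-6", "architecture": "amd64", "format": "deb"},
    {"name": "curl", "version": "7.81.0-1", "architecture": "amd64", "format": "deb"},
    {"name": "openssh-server", "version": "1:8.9p1-3ubuntu0.10", "architecture": "amd64", "format": "deb"},
    {"name": "htop", "version": "3.0.5-7", "architecture": "amd64", "format": "deb"},
]


def main(agent_id: str = "006") -> int:
    """Compare the live inventory of agent_id with its baseline; exit 1 when it drifted."""
    api_url = os.environ.get("WAZUH_API_URL", "https://localhost:55000")
    user, password = os.environ.get("WAZUH_API_USER"), os.environ.get("WAZUH_API_PASSWORD")
    if not (user and password):
        print("set WAZUH_API_USER and WAZUH_API_PASSWORD", file=sys.stderr)
        return 2
    context = ssl.create_default_context(cafile=os.environ.get("WAZUH_CA_BUNDLE"))
    current = fetch_packages(api_url, get_token(api_url, user, password, context), agent_id, context)
    path = f"baseline-{agent_id}.json"
    if not os.path.exists(path):
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(current, fh)
        print(f"baseline of {len(current)} packages saved to {path}")
        return 0
    with open(path, encoding="utf-8") as fh:
        report = diff_inventory(json.load(fh), current)
    for kind in ("added", "removed"):
        for name, arch in report[kind]:
            print(f"{kind}: {name} ({arch})")
    for (name, arch), old, new in report["changed"]:
        print(f"changed: {name} ({arch}) {old} -> {new}")
    return 1 if any(report.values()) else 0


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:2]))
```

The script verifies the API's TLS certificate by default; point WAZUH_CA_BUNDLE at the manager's CA certificate rather than disabling verification. Because the diff is keyed on name and architecture, a version bump shows up as "changed" rather than as a remove plus an add, which keeps routine patching distinguishable from genuinely new software.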


6. Conclusion

Syscollector provides up-to-date visibility, refreshed on every scan, into system assets across all endpoints. This visibility enables:

  • Faster detection of anomalies
  • Easier compliance reporting
  • Improved security monitoring and response

📥 Download the Full Tutorial (PDF)

If you prefer an offline copy, you can download the PDF version here:

Download PDF

📢 Follow the Wazuh Weekly Tutorials series.
