Introduction

The System Inventory feature (Syscollector) enables Wazuh agents to collect detailed information about the systems they are monitoring. This data is aggregated in the Wazuh Dashboard, providing administrators with comprehensive visibility into hardware configurations, installed software, network interfaces, running processes, and other system attributes.

System Inventory Overview

System inventory data is collected through the Syscollector module, which periodically scans the system and reports information to the Wazuh manager. The collected data is indexed and made available for querying and visualization in the Dashboard.

Data Collection Categories

Syscollector gathers information in the following categories:
  1. Hardware: Physical system components and specifications
  2. Operating System: OS details and version information
  3. Packages: Installed software packages and versions
  4. Processes: Running processes and their attributes
  5. Network: Network interfaces and configurations
  6. Ports: Open ports and listening services
  7. Hotfixes: Installed system updates (Windows)
  8. Users and Groups: System user accounts and groups
  9. Services: System services and their status
  10. Browser Extensions: Installed browser extensions

Accessing System Inventory

Inventory Metrics Panel

A system inventory summary is displayed on the agent welcome screen:
  1. Navigate to the Endpoints section
  2. Select an agent from the table
  3. View the “System Inventory” panel
The inventory metrics panel displays:
  • Cores: Number of CPU cores
  • Memory: Total system memory (formatted)
  • CPU: Processor model and name
  • Hostname: System hostname
  • Serial Number: Hardware serial number
Component implementation: syscollector-metrics.tsx:1

IT Hygiene Dashboard

Detailed system inventory data is available through the IT Hygiene dashboard:
  • Click the “Open IT Hygiene” button from the System Inventory panel
  • Navigate directly to the IT Hygiene application
  • Access comprehensive inventory tables and analytics
Navigation: ITHygiene.id application

System Inventory Configuration

Enabling Syscollector

Syscollector is configured in the agent’s ossec.conf file:
<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <scan_on_start>yes</scan_on_start>
  <hardware>yes</hardware>
  <os>yes</os>
  <network>yes</network>
  <packages>yes</packages>
  <ports>yes</ports>
  <processes>yes</processes>
</wodle>

Configuration Parameters

disabled

  • Type: Boolean (yes/no)
  • Default: no
  • Description: Enable or disable the Syscollector module

interval

  • Type: Time value
  • Default: 1h
  • Description: Frequency of system scans
  • Values: Seconds (s), minutes (m), hours (h), days (d)
  • Examples: 30m, 2h, 1d

scan_on_start

  • Type: Boolean (yes/no)
  • Default: yes
  • Description: Perform inventory scan when agent starts

hardware

  • Type: Boolean (yes/no)
  • Default: yes
  • Description: Collect hardware information

os

  • Type: Boolean (yes/no)
  • Default: yes
  • Description: Collect operating system information

network

  • Type: Boolean (yes/no)
  • Default: yes
  • Description: Collect network interface information

packages

  • Type: Boolean (yes/no)
  • Default: yes
  • Description: Collect installed packages information

ports

  • Type: Boolean (yes/no)
  • Default: yes
  • Description: Collect open ports and listening services

processes

  • Type: Boolean (yes/no)
  • Default: yes
  • Description: Collect running processes information

Hardware Inventory

Collected Hardware Data

The hardware inventory includes:

CPU Information

  • Name: Processor model and brand
  • Cores: Number of physical cores
  • Speed: Clock speed in MHz/GHz
  • Architecture: Processor architecture (x86_64, ARM, etc.)

Memory Information

  • Total: Total system memory in bytes
  • Free: Available memory
  • Used: Memory in use

System Information

  • Serial Number: Hardware serial number
  • Board Serial: Motherboard serial number
  • Manufacturer: System manufacturer
  • Product Name: System model/product name

Hardware Data Source

Hardware data is retrieved using the System Inventory Hardware data source:
const itHygieneHardwareDataSource = useDataSource<
  tParsedIndexPattern,
  PatternDataSource
>({
  DataSource: SystemInventoryStatesDataSource,
  repository: new SystemInventoryHardwareStatesDataSourceRepository(),
});
Index pattern: wazuh-states-inventory-hardware*

Operating System Inventory

Collected OS Data

The operating system inventory includes:
  • Platform: Operating system platform (Linux, Windows, macOS)
  • Distribution: Specific distribution (Ubuntu, CentOS, Windows 10, etc.)
  • Version: OS version number
  • Architecture: System architecture (x86_64, i386, ARM)
  • Hostname: System hostname
  • Release: Kernel or build release
  • Codename: OS codename (if applicable)

System Data Source

System/OS data is retrieved using:
const itHygieneSystemDataSource = useDataSource<
  tParsedIndexPattern,
  PatternDataSource
>({
  DataSource: SystemInventoryStatesDataSource,
  repository: new SystemInventorySystemStatesDataSourceRepository(),
});
Index pattern: wazuh-states-inventory-system*

Package Inventory

Collected Package Data

The package inventory includes:
  • Package Name: Software package name
  • Version: Installed version
  • Architecture: Package architecture
  • Vendor: Software vendor/maintainer
  • Description: Package description
  • Install Time: When the package was installed
  • Size: Package size
  • Location: Installation path

Package Manager Support

Syscollector supports various package managers:
  • Linux:
    • RPM (Red Hat, CentOS, Fedora)
    • DEB (Debian, Ubuntu)
    • APK (Alpine Linux)
    • Pacman (Arch Linux)
  • Windows:
    • Windows Installer (MSI)
    • Programs and Features registry
  • macOS:
    • Homebrew
    • MacPorts
    • System packages
Index pattern: wazuh-states-inventory-packages*

Process Inventory

Collected Process Data

The process inventory includes:
  • Process ID (PID): Unique process identifier
  • Name: Process name
  • Command Line: Full command line with arguments
  • State: Process state (running, sleeping, etc.)
  • PPID: Parent process ID
  • User: User running the process
  • Priority: Process priority
  • Virtual Memory: Virtual memory usage
  • Resident Memory: Physical memory usage
  • Start Time: When the process started
  • Thread Count: Number of threads
Index pattern: wazuh-states-inventory-processes*

Network Inventory

Network Interface Data

The network inventory includes:

Interface Information

  • Name: Interface name (eth0, wlan0, etc.)
  • Type: Interface type (Ethernet, Wireless, Loopback)
  • State: Interface state (up, down)
  • MAC Address: Hardware address
  • MTU: Maximum transmission unit

IP Configuration

  • IPv4 Address: IPv4 addresses assigned
  • IPv4 Netmask: Network mask
  • IPv6 Address: IPv6 addresses assigned
  • IPv6 Netmask: IPv6 network mask
  • Gateway: Default gateway
  • DHCP: DHCP status

Statistics

  • TX Packets: Transmitted packets
  • RX Packets: Received packets
  • TX Bytes: Transmitted bytes
  • RX Bytes: Received bytes
  • TX Errors: Transmission errors
  • RX Errors: Reception errors
Index patterns:
  • wazuh-states-inventory-networks*
  • wazuh-states-inventory-interfaces*

Port Inventory

Collected Port Data

The port inventory includes:
  • Local IP: Local IP address
  • Local Port: Local port number
  • Remote IP: Remote IP address (for established connections)
  • Remote Port: Remote port number
  • Protocol: Network protocol (TCP, UDP)
  • State: Connection state (listening, established, etc.)
  • Process: Process using the port
  • PID: Process ID
Index pattern: wazuh-states-inventory-ports*

Additional Inventory Types

Hotfixes (Windows)

Windows-specific hotfix inventory:
  • Hotfix ID: Microsoft KB number
  • Installation Date: When the update was installed
  • Installed By: User who installed the update
Index pattern: wazuh-states-inventory-hotfixes*

Users and Groups

System user and group inventory:

Users

  • Username: User account name
  • UID: User ID
  • GID: Primary group ID
  • Home Directory: User home directory
  • Shell: Default shell
Index pattern: wazuh-states-inventory-users*

Groups

  • Group Name: Group name
  • GID: Group ID
  • Members: Group members
Index pattern: wazuh-states-inventory-groups*

Services

System services inventory:
  • Service Name: Service name
  • Display Name: Service display name
  • State: Service state (running, stopped)
  • Startup Type: Startup configuration (automatic, manual, disabled)
Index pattern: wazuh-states-inventory-services*

Browser Extensions

Installed browser extensions:
  • Browser: Browser name (Chrome, Firefox, Edge)
  • Extension Name: Extension name
  • Version: Extension version
  • Description: Extension description
  • Permissions: Requested permissions
Index pattern: wazuh-states-inventory-browser-extensions*

Data Source Integration

Index Pattern Data Sources

System inventory uses specialized data sources:
import {
  SystemInventoryHardwareStatesDataSourceRepository,
  SystemInventorySystemStatesDataSourceRepository,
  SystemInventoryStatesDataSource,
} from '../../../common/data-source';

Data Fetching

Inventory data is fetched with pagination:
const [hardware, software] = await Promise.all([
  itHygieneHardwareDataSource.fetchData({
    pagination: {
      pageIndex: 0,
      pageSize: 1,
    },
  }),
  itHygieneSystemDataSource.fetchData({
    pagination: {
      pageIndex: 0,
      pageSize: 1,
    },
  }),
]);

Field Formatting

Inventory fields are formatted using index pattern formatters:
<IndexPatternFormattedField
  indexPattern={itHygieneHardwareDataSource?.dataSource?.indexPattern}
  doc={{ _source: data?.hardware }}
  field='host.memory.total'
/>
This ensures:
  • Consistent formatting across the Dashboard
  • Proper unit conversion (bytes to GB, etc.)
  • Locale-specific number formatting

Inventory Metrics Display

Loading States

The inventory metrics component handles multiple loading states:
const dataSourceIsLoading =
  itHygieneSystemDataSource.isLoading ||
  itHygieneHardwareDataSource.isLoading;

const notEnoughData =
  !isLoading &&
  _.isEmpty(data?.hardware?.host) &&
  _.isEmpty(data?.software?.host);

Empty State Handling

When insufficient data is available, the panel displays the message “Not enough hardware or operating system information”.
This indicates:
  • Syscollector may be disabled
  • Agent has not completed initial scan
  • Data collection errors occurred

Ribbon Display

Inventory metrics are displayed in a ribbon panel:
const items: IRibbonItem[] = [
  {
    key: 'cores',
    label: 'Cores',
    value: data?.hardware?.host?.cpu?.cores,
    isLoading: isLoading,
  },
  // Additional items...
];
Components: WzRibbonPanel, WzRibbonBody

Use Cases for System Inventory

Asset Management

  • Track hardware assets across the organization
  • Monitor hardware lifecycle and plan replacements
  • Maintain accurate inventory for compliance
  • Identify unauthorized hardware changes

Software Inventory

  • Track installed software versions
  • Identify outdated or vulnerable packages
  • Ensure license compliance
  • Plan software upgrades and patches

Network Mapping

  • Document network configurations
  • Identify unauthorized network interfaces
  • Monitor IP address assignments
  • Detect network configuration changes

Security Monitoring

  • Detect unauthorized processes
  • Monitor open ports for security risks
  • Identify rogue services
  • Track user account changes

Compliance Reporting

  • Generate compliance reports
  • Demonstrate asset tracking
  • Audit system configurations
  • Verify security controls

Integration with Other Features

Vulnerability Detection

System inventory integrates with vulnerability detection:
  • Package inventory used for vulnerability matching
  • CVE databases cross-referenced with installed packages
  • Vulnerability reports include package version details

IT Hygiene Module

Full inventory capabilities are available in IT Hygiene:
  • Detailed tables for all inventory categories
  • Advanced filtering and search
  • Export capabilities
  • Trend analysis and reporting
Access via the popout button on the System Inventory panel.

Best Practices

Configuration

  • Set appropriate scan intervals based on environment:
    • Static environments: Longer intervals (12h, 24h)
    • Dynamic environments: Shorter intervals (1h, 4h)
  • Enable scan_on_start for immediate initial inventory
  • Disable unneeded inventory categories to reduce overhead

Performance

  • Monitor agent performance during scans
  • Adjust intervals if scans cause performance issues
  • Consider system load when scheduling scans
  • Use longer intervals for resource-constrained systems

Data Management

  • Regularly review inventory data for accuracy
  • Use inventory data for capacity planning
  • Archive historical inventory for trend analysis
  • Set appropriate data retention policies

Security

  • Protect inventory data (contains sensitive system information)
  • Restrict access to inventory views based on roles
  • Monitor for unexpected inventory changes
  • Use inventory data for anomaly detection
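One way to act on "monitor for unexpected inventory changes" with the port inventory described earlier is to diff two snapshots of an agent's listening sockets. This is an added example, not Wazuh code: the record keys (local_ip, local_port, protocol, state, process) are hypothetical names mirroring this page's field labels, not the real field names of wazuh-states-inventory-ports*, and both snapshots are constructed.

```python
import ipaddress

def sock(ip, port, proc, state="listening", proto="tcp"):
    """Build one constructed port record; keys mirror this page's field labels."""
    return {"local_ip": ip, "local_port": port, "protocol": proto,
            "state": state, "process": proc}

def listeners(snapshot):
    """Group listening sockets by (protocol, port); other states are skipped."""
    table = {}
    for rec in snapshot:
        if rec["state"].lower() != "listening":
            continue
        key = (rec["protocol"].lower(), rec["local_port"])
        entry = table.setdefault(key, {"ips": set(), "procs": set()})
        entry["ips"].add(rec["local_ip"])
        entry["procs"].add(rec["process"])
    return table

def exposed(ips):
    """True when any bound address is something other than loopback."""
    return any(not ipaddress.ip_address(ip).is_loopback for ip in ips)

def diff_listeners(baseline, current):
    """Return (kind, protocol, port, detail) tuples for changed listeners."""
    old, new = listeners(baseline), listeners(current)
    findings = []
    for key in sorted(set(old) | set(new)):
        if key not in old:
            findings.append(("new", *key, ",".join(sorted(new[key]["procs"]))))
        elif key not in new:
            findings.append(("removed", *key, ",".join(sorted(old[key]["procs"]))))
        else:
            if new[key]["procs"] != old[key]["procs"]:
                findings.append(("process-changed", *key,
                                 ",".join(sorted(new[key]["procs"]))))
            if exposed(new[key]["ips"]) and not exposed(old[key]["ips"]):
                findings.append(("exposure-widened", *key,
                                 ",".join(sorted(new[key]["ips"]))))
    return findings

# Constructed snapshots of one agent's port inventory, not real data.
BASELINE = [sock("0.0.0.0", 22, "sshd"), sock("127.0.0.1", 5432, "postgres"),
            sock("198.51.100.7", 22, "sshd", state="established")]
CURRENT = [sock("0.0.0.0", 22, "sshd"), sock("0.0.0.0", 5432, "postgres"),
           sock("0.0.0.0", 8081, "python3")]

if __name__ == "__main__":
    for finding in diff_listeners(BASELINE, CURRENT):
        print(finding)
```

Records without a "listening" state (for example UDP sockets reported with an empty state) are ignored here and would need their own rule.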

Troubleshooting

No Inventory Data

Symptoms:
  • “Not enough hardware or operating system information” message
  • Empty inventory metrics
Resolution:
  1. Verify Syscollector is enabled in agent configuration
  2. Check agent logs for Syscollector errors
  3. Verify agent has permissions to collect inventory
  4. Wait for initial scan to complete
  5. Manually trigger a scan by restarting the agent

Incomplete Inventory

Symptoms:
  • Some metrics display, others are empty
  • Missing data categories
Resolution:
  1. Check specific category enablement in configuration
  2. Verify agent permissions for specific operations
  3. Review logs for category-specific errors
  4. Ensure supported OS and version

Outdated Inventory

Symptoms:
  • Inventory data does not reflect recent changes
  • Timestamps are old
Resolution:
  1. Verify scan interval configuration
  2. Check agent connectivity and sync status
  3. Manually trigger scan by restarting agent
  4. Review agent logs for scan failures