A complete, practical guide for viewing system inventory, exporting reports, and querying via Dev Tools.
Wazuh Home Β· Wazuh Ambassador Program Β· Portfolio
An accurate system inventory is one of the most fundamental components of cybersecurity.
Without visibility into what hardware, software, and processes are present in an environment, itβs nearly impossible to detect anomalies or respond effectively to threats.
The Syscollector module of Wazuh provides this visibility by automatically collecting:
This data gives security teams and administrators a baseline of their infrastructure.
Any unexpected changes, such as new software, suspicious processes, or new open ports, can be quickly identified and investigated.
In this tutorial, we will:
Syscollector is part of the Wazuh agent, which runs on each endpoint (Linux, Windows, macOS).

Figure 1: Syscollector runs on agents, collects system inventory, and sends it to the Wazuh server for visualization.
How it works:
This centralized view allows security teams to monitor multiple systems from a single dashboard.
Syscollector is enabled by default in Wazuh agents, but we can confirm this by checking the configuration file:
/var/ossec/etc/ossec.conf
Code Snippet 1: Full path of configuration file
Inside the file, look for the following section:
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
<!-- Database synchronization settings -->
<synchronization>
<max_eps>10</max_eps>
</synchronization>
</wodle>
β This configuration shows Syscollector is:
Restart the agent to trigger a fresh scan:
sudo systemctl restart wazuh-agent
To quickly review or download the system inventory collected by Syscollector, use the Wazuh dashboard.
Agents β Select Agent β Inventory
Figure 2: Inventory tab showing system details for a specific agent.
For more advanced use, Syscollector data can also be accessed through the Wazuh API using Dev Tools.
Server Management β Dev Tools
GET /syscollector/006/os?pretty=true
Code Snippet 3: Request query from Dev Tools
You can replace os with:
packages β Installed softwareports β Open portsprocesses β Running processesThis is especially useful for:
The JSON response will display detailed OS inventory information for the selected agent, including platform, version, architecture, and the last scan timestamp.
To demonstrate how Syscollector detects changes:
Note: Syscollector reflects system modifications based on the configured interval.
Ifscan_on_startis enabled, the changes appear sooner after a restart.
If the interval is long, it may take some time for updates to display in the dashboard.
Syscollector provides real-time visibility into system assets across all endpoints.
This visibility enables:
This guide is part of the Wazuh Weekly Tutorials series to help you implement and understand real security use cases.