
Reduce High Volume of Inventory Events Generated by Agent #590

Conversation


@LucioDonda LucioDonda commented Feb 10, 2025

Description

Closes #407

The Wazuh agent performs regular system inventory synchronization. By default, it is configured to inventory all supported data, including:

  • Active processes
  • Open ports
  • Ports in use

Both active processes and ports in use tend to change frequently, resulting in a significant volume of stateful synchronization messages (create/delete events). While this behavior is expected given the current configuration, it can lead to an overload of events and potentially impact system performance.

Proposal

To reduce the volume of inventory synchronization messages, we propose disabling the following inventory options:

  • Processes inventory: Disable inventory of active processes.
  • Ports in use inventory: Disable inventory of ports in use.

These options can be adjusted in the agent configuration as follows:

processes: false
ports_all: false

This adjustment is expected to significantly reduce the number of inventory-related events without affecting other critical functionalities.

Configuration Changes

inventory:
  enabled: true
  interval: 60s
  scan_on_start: true
  hardware: true
  system: true
  networks: true
  packages: true
  ports: true
  ports_all: false
  processes: false
  hotfixes: true

Documentation Updates

  • Updated inventory default values.

Tests Introduced

  • Fixed defaultCtor in inventory fixture.

Review Checklist

  • Code changes reviewed
  • Relevant evidence provided
  • Tests cover the new functionality
  • Configuration changes documented
  • Developer documentation reflects the changes
  • Meets requirements and/or definition of done
  • No unresolved dependencies with other issues
  • Package installation.

@LucioDonda LucioDonda self-assigned this Feb 10, 2025
@LucioDonda LucioDonda linked an issue Feb 10, 2025 that may be closed by this pull request
@LucioDonda LucioDonda force-pushed the enhancement/407-reduce-high-volume-of-inventory-events-generated-by-agent branch from dd56b5c to 64c5d17 on February 10, 2025 20:35

LucioDonda commented Feb 10, 2025

Tests:

logs from mockserver with default configuration:

mockServerFullLogs.log

Logs from agent:

root@pm-ubuntu24-server:/home/pm-vagrant/workspace/wazuh-agent# ./build/wazuh-agent
[2025-02-10 20:40:26.913] [wazuh-agent] [info] [INFO] [process_options_unix.cpp:24] [StartAgent] Starting wazuh-agent
[2025-02-10 20:40:27.209] [wazuh-agent] [info] [INFO] [communicator.cpp:113] [SendAuthenticationRequest] Successfully authenticated with the manager.
[2025-02-10 20:40:27.209] [wazuh-agent] [info] [INFO] [inventory.cpp:19] [Start] Inventory module started.
[2025-02-10 20:40:27.209] [wazuh-agent] [info] [INFO] [logcollector.cpp:28] [Start] Logcollector module is disabled.
[2025-02-10 20:40:27.210] [wazuh-agent] [info] [INFO] [inventoryImp.cpp:991] [SyncLoop] Module started.
[2025-02-10 20:40:27.210] [wazuh-agent] [info] [INFO] [inventoryImp.cpp:974] [Scan] Starting evaluation.
[2025-02-10 20:40:29.902] [wazuh-agent] [info] [INFO] [inventoryImp.cpp:986] [Scan] Evaluation finished.
^C[2025-02-10 20:40:42.563] [wazuh-agent] [info] [INFO] [inventory.cpp:78] [Stop] Inventory module stopping...
[2025-02-10 20:40:42.563] [wazuh-agent] [info] [INFO] [logcollector.cpp:100] [Stop] Logcollector module stopped.
[2025-02-10 20:40:42.563] [wazuh-agent] [info] [INFO] [inventoryImp.cpp:974] [Scan] Starting evaluation.
[2025-02-10 20:40:42.563] [wazuh-agent] [info] [INFO] [inventoryImp.cpp:986] [Scan] Evaluation finished.
[2025-02-10 20:40:42.563] [wazuh-agent] [info] [INFO] [inventory.cpp:39] [Start] Inventory module stopped.

While checking for processes, or ports not in a listening state, this was the result:

~/Desktop  cat mockServerFullLogs.log | grep '"collector":"processes"'    ✔
~/Desktop  cat mockServerFullLogs.log | grep '"collector":' | wc -l    0|1 ✘
1369
~/Desktop  cat mockServerFullLogs.log | grep '"collector":"ports"'
{"collector":"ports","id":"b734dd4804af62a45ff4de02a95fbd60a0587fdd","module":"inventory","operation":"create"}
{"collector":"ports","id":"90ab532bf158c7812dda5773a065bdb41d9c0290","module":"inventory","operation":"create"}
{"collector":"ports","id":"0c3f8834659ae43e115d949b400e2229a99a2a88","module":"inventory","operation":"create"}
{"collector":"ports","id":"e9860dd48c2c01fe0180d1ffc5f1f39da1f98cfc","module":"inventory","operation":"create"}
{"collector":"ports","id":"fcfaafdc9ed64d3f2f5a75813bce48b2364cda4e","module":"inventory","operation":"create"}
{"collector":"ports","id":"7ca4288abe9d039e1fed69853533efbe73f2d85a","module":"inventory","operation":"create"}
{"collector":"ports","id":"6cb86cbf73f002bd09e458b8c80a8ac07dac04eb","module":"inventory","operation":"create"}
{"collector":"ports","id":"760e9cdbe019b528033ec8d70f4ed25f802adfca","module":"inventory","operation":"create"}
{"collector":"ports","id":"07953450a0e9b85713a1a8449551909e67a5a7a5","module":"inventory","operation":"create"}
{"collector":"ports","id":"e29fc119c355921eadbef5706ac9a12cc659451b","module":"inventory","operation":"create"}
{"collector":"ports","id":"2b1ec6858b102f86400aea6e67bf917e99888c45","module":"inventory","operation":"create"}
 ~/Desktop  cat mockServerFullLogs.log | grep '"collector":"ports"' | wc -l                                                                                                                            
11
~/Desktop  cat mockServerFullLogs.log | grep '"interface":{"state":'                                                                                                                                   
{"@timestamp":"2025-02-10T20:40:27.210Z","destination":{"ip":["0.0.0.0"],"port":0},"file":{"inode":10552},"host":{"network":{"egress":{"queue":0},"ingress":{"queue":0}}},"interface":{"state":null},"network":{"protocol":"udp"},"process":{"name":"systemd-resolve","pid":685},"source":{"ip":["127.0.0.54"],"port":53}}
{"@timestamp":"2025-02-10T20:40:27.210Z","destination":{"ip":["0.0.0.0"],"port":0},"file":{"inode":10550},"host":{"network":{"egress":{"queue":0},"ingress":{"queue":0}}},"interface":{"state":null},"network":{"protocol":"udp"},"process":{"name":"systemd-resolve","pid":685},"source":{"ip":["127.0.0.53"],"port":53}}
{"@timestamp":"2025-02-10T20:40:27.210Z","destination":{"ip":["::"],"port":0},"file":{"inode":12364},"host":{"network":{"egress":{"queue":0},"ingress":{"queue":0}}},"interface":{"state":null},"network":{"protocol":"udp6"},"process":{"name":"systemd-network","pid":669},"source":{"ip":["fe80::be24:11ff:fe54:83fb"],"port":546}}
{"@timestamp":"2025-02-10T20:40:27.210Z","destination":{"ip":["0.0.0.0"],"port":0},"file":{"inode":10551},"host":{"network":{"egress":{"queue":0},"ingress":{"queue":0}}},"interface":{"state":"listening"},"network":{"protocol":"tcp"},"process":{"name":"systemd-resolve","pid":685},"source":{"ip":["127.0.0.53"],"port":53}}
{"@timestamp":"2025-02-10T20:40:27.210Z","destination":{"ip":["0.0.0.0"],"port":0},"file":{"inode":71874},"host":{"network":{"egress":{"queue":0},"ingress":{"queue":0}}},"interface":{"state":"listening"},"network":{"protocol":"tcp"},"process":{"name":"docker-proxy","pid":23020},"source":{"ip":["0.0.0.0"],"port":55000}}
{"@timestamp":"2025-02-10T20:40:27.210Z","destination":{"ip":["0.0.0.0"],"port":0},"file":{"inode":31333},"host":{"network":{"egress":{"queue":0},"ingress":{"queue":0}}},"interface":{"state":"listening"},"network":{"protocol":"tcp"},"process":{"name":"code-31c37ee8f6","pid":8321},"source":{"ip":["127.0.0.1"],"port":37809}}
{"@timestamp":"2025-02-10T20:40:27.210Z","destination":{"ip":["0.0.0.0"],"port":0},"file":{"inode":10553},"host":{"network":{"egress":{"queue":0},"ingress":{"queue":0}}},"interface":{"state":"listening"},"network":{"protocol":"tcp"},"process":{"name":"systemd-resolve","pid":685},"source":{"ip":["127.0.0.54"],"port":53}}
{"@timestamp":"2025-02-10T20:40:27.210Z","destination":{"ip":["0.0.0.0"],"port":0},"file":{"inode":72795},"host":{"network":{"egress":{"queue":0},"ingress":{"queue":0}}},"interface":{"state":"listening"},"network":{"protocol":"tcp"},"process":{"name":"docker-proxy","pid":23007},"source":{"ip":["0.0.0.0"],"port":27000}}
{"@timestamp":"2025-02-10T20:40:27.210Z","destination":{"ip":["::"],"port":0},"file":{"inode":73819},"host":{"network":{"egress":{"queue":0},"ingress":{"queue":0}}},"interface":{"state":"listening"},"network":{"protocol":"tcp6"},"process":{"name":"docker-proxy","pid":23027},"source":{"ip":["::"],"port":55000}}
{"@timestamp":"2025-02-10T20:40:27.210Z","destination":{"ip":["::"],"port":0},"file":{"inode":10117},"host":{"network":{"egress":{"queue":0},"ingress":{"queue":0}}},"interface":{"state":"listening"},"network":{"protocol":"tcp6"},"process":{"name":"systemd","pid":1},"source":{"ip":["::"],"port":22}}
{"@timestamp":"2025-02-10T20:40:27.210Z","destination":{"ip":["::"],"port":0},"file":{"inode":73816},"host":{"network":{"egress":{"queue":0},"ingress":{"queue":0}}},"interface":{"state":"listening"},"network":{"protocol":"tcp6"},"process":{"name":"docker-proxy","pid":23014},"source":{"ip":["::"],"port":27000}}
~/Desktop  cat mockServerFullLogs.log | grep '"interface":{"state":' | wc -l                                                                                                                          
11

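The grep | wc -l checks above, written as a small parser over the mock server's JSON lines: it counts stateful sync events per collector and operation, separates listening from non-listening port records (the extra records ports_all: true would add), and flags collectors that churn (emit both create and delete). This is an added example, not code from the PR or the Wazuh project; the log lines in it are constructed to match the shapes shown above.

```python
import json
from collections import Counter

# Constructed sample of mock server lines: stateful sync events plus port
# detail records (one listening, one not), plus a non-JSON line to skip.
SAMPLE_LOG = """\
{"collector":"ports","id":"aaaa0000","module":"inventory","operation":"create"}
{"collector":"ports","id":"bbbb1111","module":"inventory","operation":"create"}
{"collector":"processes","id":"cccc2222","module":"inventory","operation":"create"}
{"collector":"processes","id":"cccc2222","module":"inventory","operation":"delete"}
{"@timestamp":"2025-02-10T20:40:27.210Z","interface":{"state":"listening"},"network":{"protocol":"tcp6"},"process":{"name":"systemd","pid":1},"source":{"ip":["::"],"port":22}}
{"@timestamp":"2025-02-10T20:40:27.210Z","interface":{"state":null},"network":{"protocol":"udp"},"process":{"name":"systemd-resolve","pid":685},"source":{"ip":["127.0.0.53"],"port":53}}
mock server chatter that is not JSON
"""

def parse_events(text):
    """Yield one dict per JSON line; anything else in the log is skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def count_by_collector(text):
    """Return {(collector, operation): n} over stateful inventory events."""
    counts = Counter()
    for ev in parse_events(text):
        if ev.get("module") == "inventory" and "collector" in ev:
            counts[(ev["collector"], ev["operation"])] += 1
    return dict(counts)

def count_port_states(text):
    """Return {state: n} over port detail records; a null state is a port in use but not listening."""
    counts = Counter()
    for ev in parse_events(text):
        iface = ev.get("interface")
        if isinstance(iface, dict) and "state" in iface:
            counts[iface["state"] or "non-listening"] += 1
    return dict(counts)

def churn_collectors(text):
    """Collectors that emit both create and delete events, i.e. the volume drivers."""
    ops = {}
    for (collector, op) in count_by_collector(text):
        ops.setdefault(collector, set()).add(op)
    return sorted(c for c, s in ops.items() if {"create", "delete"} <= s)
```

With the PR's defaults applied, the expected reading on a real mock server log is zero processes events and only listening states in the port records.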
@LucioDonda LucioDonda marked this pull request as ready for review February 10, 2025 21:12

@cborla cborla left a comment


LGTM


cborla commented Feb 11, 2025

To complete the PR, I would like to generate a package and install it, to see that the configuration is correct.

@cborla cborla self-requested a review February 11, 2025 12:49
@LucioDonda LucioDonda force-pushed the enhancement/407-reduce-high-volume-of-inventory-events-generated-by-agent branch from 64c5d17 to 5d0b8ff on February 11, 2025 13:58

@cborla cborla left a comment


LGTM

@LucioDonda LucioDonda (Member Author) commented

Additional tests with packages confirmed:

  • job
  • config file by default:
root@pm-ubuntu24-server:/etc/wazuh-agent# cat wazuh-agent.yml
agent:
  thread_count: 4
  server_url: https://localhost:27000
  retry_interval: 30s
  verification_mode: none
events:
  batch_interval: 10s
  batch_size: 1MB
inventory:
  enabled: true
  interval: 1h
  scan_on_start: true
  hardware: true
  system: true
  networks: true
  packages: true
  ports: true
  ports_all: false
  processes: false
  hotfixes: true
logcollector:
  enabled: true
  localfiles:
    - /var/log/auth.log
  reload_interval: 1m
  read_interval: 500ms

@cborla cborla merged commit 655f7e3 into main Feb 11, 2025
5 checks passed
@cborla cborla deleted the enhancement/407-reduce-high-volume-of-inventory-events-generated-by-agent branch February 11, 2025 15:41