Vulnerability Detection 4.14.1


Max

Nov 27, 2025, 11:37:19 AM
to Wazuh | Mailing List

Hi,

I recently updated the Wazuh manager from version 4.13 to 4.14.1 and, according to the following documentation, Debian 10 still appears to be supported:

https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/how-it-works.html

However, I’m not seeing any data in the Inventory tab for my Debian 10 agent.

Could you please advise?

Thanks in advance.

josue....@wazuh.com

Nov 28, 2025, 9:32:28 AM
to Wazuh | Mailing List
Hi,

Let me replicate this and I will get back to you as soon as possible.

I can confirm that Debian 10 is supported, correct.

Please share the ossec.log from the manager to check further.
cat /var/ossec/logs/ossec.log | grep -i -E "error|warn|vuln|index"

Also, you can try sudo /var/ossec/bin/wazuh-control restart to force the re-scan.

The Vulnerability Detection module creates alerts when new vulnerabilities are found or when existing ones are resolved as a result of package updates, removals, or system upgrades. Although these conditions are required for alerts to occur, they alone do not guarantee alert generation, as it also depends on the specific detection scenarios.

Alerts related to package changes are generated only when a vulnerability is added to or removed from the inventory as a result of installing or uninstalling a package.

For this to happen, the event must be captured during a scheduled Syscollector scan.

There are two situations where alerts may not be generated:
If package changes occur while the Wazuh agent is stopped, the changes will not trigger any alerts.
If the changes are detected only after the Wazuh agent has been restarted, no alert will be generated either.

You can install the older version of VLC and wait for the next scans and let me know if vulnerabilities are detected.
With this information, we can analyze what might be happening.

Thanks

ArnaudG

Nov 29, 2025, 2:36:20 AM
to Wazuh | Mailing List
Hello, I'm working with Max, so let me give you more details.

1/ It is not related to Alerts (as far as I understand), it is Inventory: we see nothing in the "Vulnerability-Detection Inventory" for some of our Debian machines (specifically Debian 10 and Debian 9 machines), but can see Inventory items for other machines (Windows / Ubuntu and Debian 11, 12 or 13).
2/ It was already the case when running v 4.13.1 but we have seen this https://github.com/wazuh/wazuh/issues/32507 then we decided to upgrade, but same result.

Max

Dec 11, 2025, 5:44:28 AM
to Wazuh | Mailing List
Hi,
Sorry for the late response. I have enabled debugging in internal_options of the manager and I see the syscollector of my agent "010":

2025/12/11 09:24:52 logger-helper[550524] upsertElement.hpp:108 at handleRequest(): DEBUG: UpsertSystemElement::build: {"id":"010_Debian GNU/Linux","operation":"INSERTED","data":{"agent":{"id":"010","name":"xxxxx","version":"v4.14.1"},"host":{"architecture":"x86_64","hostname":"xxxxx","os":{"codename":"buster","kernel":{"name":"Linux","release":"6.1.0-0.deb10.41-amd64","version":"#1 SMP PREEMPT_DYNAMIC Debian 6.1.158-1~deb10u1 (2025-11-24)"},"name":"Debian GNU/Linux","platform":"debian","version":"10 (buster)"}},"wazuh":{"cluster":{"name":"xxxxx"},"schema":{"version":"1.0"}}}}

And in the vulnerability detector, nothing:

2025-12-11_09-56.png

josue....@wazuh.com

Jan 6, 2026, 8:59:58 AM
to Wazuh | Mailing List
Thanks for the information provided.

Can you please enable wazuh_modules.debug=2 in /var/ossec/etc/local_options.conf on the Debian 10 agent and restart wazuh service and capture new fresh logs please? 

grep -i -E "error|warn" /var/ossec/logs/ossec.log
egrep -i   'vulnerability' /var/ossec/logs/ossec.log

Remember that no new events or alerts are generated during the first scan so we can try reproducing a vulnerability to capture the logs, for example https://documentation.wazuh.com/current/proof-of-concept-guide/poc-vulnerability-detection.html

Check logs on the manager  

grep -i -E "error|warn" /var/ossec/logs/ossec.log
egrep -i   'vulnerability-detector' /var/ossec/logs/ossec.log

Can you also share the agent's /var/ossec/etc/ossec.conf to check, please?

Max

Jan 7, 2026, 10:05:27 AM
to Wazuh | Mailing List
Hi,

For the test I have set wazuh_modules.debug=2 in /var/ossec/etc/local_options.conf.
The command "egrep -i 'vulnerability-detector' /var/ossec/logs/ossec.log" returns nothing no matter what vulnerable package is installed.

Find in attachment the logs that we have and the configuration of the agent.

Best Regards.
errlog
ossec.conf

josue....@wazuh.com

Jan 11, 2026, 11:26:45 PM
to Wazuh | Mailing List
Hi,  

First, thank you for the detailed information you shared.

We’d like to reiterate an important point regarding the behavior you’re seeing: during the first scan, no new vulnerability events or alerts are generated. This initial scan is used to build and refresh the internal inventory database, which is then used as a baseline for future comparisons.

Additionally, every time the Wazuh agent service is restarted, a fresh inventory scan is triggered. However, this scan does not generate new vulnerability alerts by itself, it only refreshes the internal data so that subsequent scans can compare changes and generate events if applicable.

By default, Syscheck runs every 12 hours (43200 seconds). For testing purposes, you can temporarily reduce this interval (for example, to 1 hour or even 10 minutes) and then re-run your vulnerability test.

Also, I noticed that this ossec.conf did not have the vulnerability setting enabled, was this the agent ossec.conf or manager?

The block below is the default vulnerability detection settings in the Wazuh manager configuration file at /var/ossec/etc/ossec.conf.

<vulnerability-detection>
   <enabled>yes</enabled>
   <index-status>yes</index-status>
   <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>

I'll suggest double-checking https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/configuring-scans.html

Please note: do not restart the Wazuh agent service this time. After adjusting the interval, let the scan run naturally and then share the resulting logs with us so we can continue the analysis.

Thanks, and we’ll be happy to review the results with you.
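
Added example (not part of the thread and not Wazuh's own code): a check that an ossec.conf actually carries the `<vulnerability-detection>` block quoted above with `enabled` and `index-status` set to `yes`, which also flags an agent-side file that has no such block. The sample file is constructed; wrapping the text in a synthetic root to cope with several `<ossec_config>` sections, and treating a later section as overriding an earlier one, are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a manager ossec.conf with two <ossec_config> sections,
# so the file as a whole is not a single well-formed XML document.
SAMPLE_CONF = """
<ossec_config>
  <vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>
  </vulnerability-detection>
</ossec_config>
<ossec_config>
  <!-- constructed override appended later in the file -->
  <vulnerability-detection>
    <enabled>no</enabled>
  </vulnerability-detection>
</ossec_config>
"""

KEYS = ("enabled", "index-status", "feed-update-interval")

def vd_settings(conf_text):
    """Return the merged vulnerability-detection settings, or None if no block exists."""
    # Wrap in a synthetic root so multiple <ossec_config> sections parse together.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    blocks = root.findall("./ossec_config/vulnerability-detection")
    if not blocks:
        return None
    merged = {}
    for block in blocks:  # assumption: a later section overrides an earlier one
        for key in KEYS:
            node = block.find(key)
            if node is not None and node.text:
                merged[key] = node.text.strip()
    return merged

def diagnose(conf_text):
    """List the reasons this file would leave the vulnerability inventory empty."""
    settings = vd_settings(conf_text)
    if settings is None:
        return ["no <vulnerability-detection> block: is this the agent's ossec.conf?"]
    return [f"{key} is {settings.get(key)!r}, expected 'yes'"
            for key in ("enabled", "index-status") if settings.get(key) != "yes"]

if __name__ == "__main__":
    print(diagnose(SAMPLE_CONF))
```

To check a real file, pass `open("/var/ossec/etc/ossec.conf").read()` to `diagnose` on the manager.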

saurav shukla

Jan 12, 2026, 3:42:57 AM
to josue....@wazuh.com, Wazuh | Mailing List
Everything looks like this, but still no vulnerability is showing.


<vulnerability-detection>
   <enabled>yes</enabled>
   <index-status>yes</index-status>
   <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>


josue....@wazuh.com

Jan 16, 2026, 2:58:24 PM
to Wazuh | Mailing List

Could you please review the Wazuh manager-side logs to verify whether there are any issues related to the indexer connector or any associated errors?



cat /var/ossec/logs/ossec.log | grep -i -E "error|warn|vuln|index"

We have reviewed the logs shared so far, which appear to be from the agent side. To continue the investigation, it would be helpful if you could share the relevant logs from the manager again so we can validate the behavior on that side as well.


For testing, you can download an old version of a package and validate if it was detected by the Wazuh vulnerability scan.

For example, you can download the older version of the VLC player in your Linux endpoint.
https://www.videolan.org/vlc/releases/2.0.0.html

Make sure you do not restart the manager service in between.
You will get the Alert on the vulnerability after your next scheduled scan.

Thanks