Vulnerability detection not showing events in version 4.14.2


Prabhat Lolam

May 18, 2026, 7:20:17 AM
to wa...@googlegroups.com
Hi,

Currently I am working on Wazuh version 4.14.2. Everything is working fine, but in the Vulnerability Detection tab I can view the counts and inventory of vulnerabilities across all agents, while the Events section shows nothing.
From the Inventory tab, I am not seeing the status (Active, Solved, or Pending) for any vulnerability.
I have attached a screenshot for your reference.
Additionally, I am testing for application-level vulnerabilities like MongoDB, Redis, RabbitMQ, Nginx, etc. Has anyone tested application-level vulnerabilities?

Md. Nazmur Sakib

May 18, 2026, 7:57:06 AM
to Wazuh | Mailing List
Hi Prabhat,

The vulnerability information you see on the inventory is from the Wazuh state index. This inventory contains all the vulnerabilities currently available on endpoints.

On the events, you will be able to see the alerts from the wazuh-alerts index.

The vulnerability scan depends on the syscollector scan for the package information, and the vulnerability scan is done periodically on the updated package information from the syscollector scan.

Refer to the Syscollector configuration for more information.

Alerts related to package changes are triggered only when a vulnerability is added or removed from the inventory due to installing or removing a package. This requires that the event be captured during a scheduled Syscollector scan. If the changes are made to packages while the Wazuh agent is in a stopped state, no alerts will be triggered. Also, if these changes are only detected after the Wazuh agent is restarted, no alert will be triggered. But you will be able to see the changes in the inventory section.

Ref: Alert generation

Let me know if you need any further information.

Prabhat Lolam

May 19, 2026, 2:49:23 AM
to Md. Nazmur Sakib, Wazuh | Mailing List
Hi Nazmur,
Thanks for the update. I have referred to the link for syscollector configuration.

Below is the configuration from the agent and manager for syslog collector. Can you guide us more on this? How can I get events in the Vulnerability section?

Wazuh-agent - /var/ossec/etc/ossec.conf

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="yes">yes</ports>
    <processes>yes</processes>
    <users>yes</users>
    <groups>yes</groups>
    <services>yes</services>
    <browser_extensions>yes</browser_extensions>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>


Wazuh-manager - /var/ossec/etc/ossec.conf

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="yes">yes</ports>
    <processes>yes</processes>
    <users>yes</users>
    <groups>yes</groups>
    <services>yes</services>
    <browser_extensions>yes</browser_extensions>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

  <vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>
  </vulnerability-detection>

  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://127.0.0.1:9200</host>
    </hosts>
    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/wazuh-server.pem</certificate>
      <key>/etc/filebeat/certs/wazuh-server-key.pem</key>
    </ssl>
  </indexer>



Md. Nazmur Sakib

May 19, 2026, 4:50:59 AM
to Wazuh | Mailing List

The configurations look good to me.


Wazuh does not trigger any alerts for the base level scan (for the first vulnerability scan) after adding the agent. It triggers alerts if there are any changes in the vulnerable package or software after that. Ref: Alert generation

To test if it is generating alerts for changes in the vulnerability, you can change the syscollector <interval> configuration on an agent to 5 min.

  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>5m</interval>
    <!-- remaining syscollector options unchanged -->
  </wodle>


Now restart the agent.

Now, add an old version of a software package or remove a vulnerable package like wget.


Do not restart any services in between and check the vulnerability dashboard events in 5/6 min after uninstalling the vulnerable package.


Let me know the findings.

If you still face any issues, check the Wazuh manager's ossec logs to find out if the vulnerability and indexer connector are working correctly:

  cat /var/ossec/logs/ossec.log | grep -iE "vulnerability|indexer-connector|error|warn"
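
An added example, not part of the original post and not Wazuh project code: a narrower form of the log check above that counts only the vulnerability-scanner and indexer-connector lines by severity and returns non-zero when either component logged a warning or error. The function name, the sample log lines and the assumed `tag: LEVEL: message` line layout are constructed for illustration.

```shell
#!/bin/sh
# Added example. Summarise vulnerability-scanner and indexer-connector lines
# from a manager log by severity; return 1 if either logged WARNING or ERROR.
triage_ossec_log() {
    awk '
    {
        comp = ""
        if ($0 ~ /vulnerability-scanner/)  comp = "vulnerability-scanner"
        else if ($0 ~ /indexer-connector/) comp = "indexer-connector"
        if (comp == "") next               # ignore every other component
        level = "OTHER"
        if ($0 ~ /: ERROR: /)        level = "ERROR"
        else if ($0 ~ /: WARNING: /) level = "WARNING"
        else if ($0 ~ /: INFO: /)    level = "INFO"
        count[comp " " level]++
        if (level == "ERROR" || level == "WARNING") { problems++; last[comp] = $0 }
    }
    END {
        n = split("vulnerability-scanner indexer-connector", comps, " ")
        m = split("INFO WARNING ERROR", levels, " ")
        for (i = 1; i <= n; i++) {
            for (j = 1; j <= m; j++)
                printf "%s %s=%d\n", comps[i], levels[j], count[comps[i] " " levels[j]]
            if (comps[i] in last) printf "last problem: %s\n", last[comps[i]]
        }
        exit (problems > 0 ? 1 : 0)
    }' "${1:-/var/ossec/logs/ossec.log}"
}

# Constructed sample lines (not real Wazuh output); the layout is an assumption.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
2026/05/19 04:10:01 wazuh-modulesd:vulnerability-scanner: INFO: constructed sample, module started
2026/05/19 04:10:02 indexer-connector: INFO: constructed sample, connector initialised
2026/05/19 04:10:05 indexer-connector: WARNING: constructed sample, indexer host unreachable
2026/05/19 04:11:00 wazuh-modulesd:syscollector: INFO: constructed sample, scan finished
2026/05/19 04:12:00 wazuh-modulesd:vulnerability-scanner: ERROR: constructed sample, feed update failed
2026/05/19 04:12:30 wazuh-remoted: WARNING: constructed sample, unrelated component
EOF

triage_ossec_log "$sample_log" || echo "scanner/connector warnings or errors present"
```

Called with no argument, the function reads /var/ossec/logs/ossec.log on the manager.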
