vulnerability events


Aamir Sohail

Feb 2, 2026, 4:47:58 AM
to Wazuh | Mailing List
Hey, hi

I have installed Wazuh 4.8. Vulnerability detection logs are not coming in the Events section, but they are visible in the Dashboard section. I have attached the screenshots; I am unable to find the reason.
vul_events.PNG
vul_dashboard.PNG

Francis Timilehin Jeremiah

Feb 2, 2026, 6:49:35 AM
to Wazuh | Mailing List

Hello, is this a new installation? Events appear in the VD module’s Events tab only after new vulnerabilities are detected or resolved, following a scan by the Wazuh Syscollector module. By default, this scan runs every hour. Please avoid restarting the agent during this period, as doing so can prevent detected changes from appearing on the Wazuh dashboard. You may already see events in the tab now. If not, try remediating a vulnerability, wait for the next Syscollector scan to complete, and then check the dashboard again.

Francis Timilehin Jeremiah

Feb 2, 2026, 9:49:29 AM
to Wazuh | Mailing List
Hello, do you have it figured out now? Also, check this documentation for more information - https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/how-it-works.html#alert-generation.

Aamir Sohail

Feb 3, 2026, 5:54:44 AM
to Wazuh | Mailing List
Hey, hi, thanks @Franci

The VM has been up more than two days. I'm just attaching the ossec file; I hope everything is configured well in it.


The count is already there:
root@events:~# curl -k -u admin:admin https://192.168.100.253:9200/wazuh-states-vulnerabilities-*/_count
{"count":4012,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0}}
root@eventshield:~# curl -k -u admin:admin https://192.168.100.253:9200/wazuh-states-vulnerabilities-*nano /var/ossec/etc/rules/local_rules.xml

Only the logs are not coming in the Events section of the dashboard.
ossec.conf

Ali Zaib

Feb 3, 2026, 7:12:20 AM
to Aamir Sohail, Wazuh | Mailing List
Try checking by selecting explorer agent.

On Mon, Feb 2, 2026, 2:48 PM Aamir Sohail <rana.pr...@gmail.com> wrote:
Hey, hi

I have installed Wazuh 4.8. Vulnerability detection logs are not coming in the Events section, but they are visible in the Dashboard section. I have attached the screenshots; I am unable to find the reason.

Francis Timilehin Jeremiah

Feb 6, 2026, 5:22:00 AM
to Wazuh | Mailing List
Hello, I just followed the instructions above and I was able to generate alerts on the Events tab of the Wazuh vulnerability detection module. I used Suricata as an example. At first no alerts were generated in the Events tab. You will notice in the next image that I have a vulnerable Suricata package on an endpoint which allows it to be affected by several CVEs. After remediating the vulnerability by uninstalling the package, you can see that after the next Wazuh Syscollector scan, alerts are being generated in the tab of interest. Please visit the Wazuh Vulnerability Detection documentation for more information: https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/how-it-works.html#alert-generation

The default time for the Wazuh Syscollector module scan is 1 hour. Wait one hour or reduce the scan time. 

<!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

 It also looked like you used an extra (/) in the <offline-url> tag in your ossec.conf file. It doesn't seem to affect the VD module though but you should remove it and do a Wazuh server restart before remediating any vulnerability.

image (1).png
image (2).png



I uninstalled the vulnerable Suricata package and see that alerts have now been generated on the Events tab.

 
image (3).jpg

Let me know if you still have issues.

Regards,

Francis

WENWEN H

Apr 22, 2026, 5:06:08 AM
to Wazuh | Mailing List
Hello, everyone:
My problem is similar to this guy's. There have been security incidents on the host, but the log related to vulnerability detection is missing. After reviewing your communication and checking the ossec.conf file myself, I didn't find any issues. However, I often see such error messages in the logs. Does it have any impact?
ques.png

Md. Nazmur Sakib

Apr 23, 2026, 2:26:38 AM
to Wazuh | Mailing List

Hi Aamir,


There are no vulnerability alert triggers for the initial or baseline vulnerability scan. The vulnerability alerts are triggered once the initial scan is done if a vulnerable package is added, removed, or fixed after that.

The vulnerability scan depends on the syscollector scan for the package information, and the vulnerability scan is done periodically on the updated package information from the syscollector scan.


You can change the syscollector <interval> configuration from the agent's ossec.conf to do a faster syscollector scan.

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>5m</interval>

Refer to the Syscollector configuration for more information.


With the above configuration, the syscollector will now run a scan every 5 min. But keeping the interval value very short can increase CPU usage and I/O pressure on the agent's server.


Alerts related to package changes are triggered only when a vulnerability is added or removed from the inventory due to a vulnerable package being installed, fixed or removed. This requires that the event be captured during a scheduled Syscollector scan. If the changes are made to packages while the Wazuh agent is in a stopped state, no alerts will be triggered. Also, if these changes are only detected after the Wazuh agent is restarted, no alert will be triggered. But you will be able to see the changes in the inventory section.


Let us know if you need any further information on this.
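
Added example, not part of any post in this thread and not Wazuh project code: a shell check that puts the thread's `_count` query on `wazuh-states-vulnerabilities-*` beside a count of vulnerability-detection alerts, to tell "inventory populated, no change alerts yet" apart from an empty inventory. The `wazuh-alerts-*` index pattern and the `rule.groups:vulnerability-detector` filter are assumed Wazuh defaults that do not appear in the thread; the function names, the `INDEXER_URL`/`INDEXER_AUTH` variables and the zero-count response are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: classify Vulnerability Detection state from two _count responses.

# Extract the integer "count" from an indexer _count JSON response.
count_of() {
  printf '%s' "$1" | sed -n 's/.*"count"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# $1 = _count response for the inventory (states) index
# $2 = _count response for vulnerability-detection alerts
diagnose() {
  inv=$(count_of "$1")
  alerts=$(count_of "$2")
  if [ -z "$inv" ] || [ -z "$alerts" ]; then
    echo "unparseable"        # error body, auth failure, wrong URL
  elif [ "$inv" -eq 0 ]; then
    echo "no-inventory"       # detection has not indexed anything yet
  elif [ "$alerts" -eq 0 ]; then
    echo "baseline-only"      # inventory filled, no package change seen by a scan
  else
    echo "alerts-present"     # change alerts exist; check dashboard time range and filters
  fi
}

# Live query (assumed defaults, see lead-in). Credentials come from the
# environment instead of the command line history. -k mirrors the thread;
# prefer --cacert with the indexer's root CA.
query_counts() {
  inv_json=$(curl -sk -u "$INDEXER_AUTH" \
    "$INDEXER_URL/wazuh-states-vulnerabilities-*/_count")
  alert_json=$(curl -sk -u "$INDEXER_AUTH" \
    "$INDEXER_URL/wazuh-alerts-*/_count?q=rule.groups:vulnerability-detector")
  diagnose "$inv_json" "$alert_json"
}

# Constructed sample input: the first response is the one quoted in the thread,
# the second is a made-up zero-alert response.
SAMPLE_STATES='{"count":4012,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0}}'
SAMPLE_ALERTS='{"count":0,"_shards":{"total":1,"successful":1,"skipped":0,"failed":0}}'
diagnose "$SAMPLE_STATES" "$SAMPLE_ALERTS"
```

To run it against a live indexer, export `INDEXER_URL` and `INDEXER_AUTH` and call `query_counts`.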
