Server upgraded but still listed as running the old OS

21 views
Skip to first unread message

Xavier Mertens

unread,
Feb 23, 2026, 1:10:11 AM (yesterday) Feb 23
to Wazuh | Mailing List
I performed an upgrade on an Ubuntu server (running the Wazuh agent).
Wazuh collects data, sees the agent etc... BUT the agent is still listed in the Manager as executed on the previous OS version (and associated vulnerabilities).
How to fix this? I did not see relevant info in the documentation...
/x

Bony V John

unread,
Feb 23, 2026, 2:10:40 AM (yesterday) Feb 23
to Wazuh | Mailing List

Hi,

The OS, hardware, and package details are collected by the Syscollector module on the Wazuh agent. By default, Syscollector runs every hour and sends the collected information to the Wazuh manager. These details are then indexed into the wazuh-states-* index.

If the OS details are not updated yet, you can follow the troubleshooting steps below:


By default, the Wazuh agent runs the Syscollector scan every hour. It collects package and system details from the endpoint and forwards them to the Wazuh server.

Run the following command on the endpoint CLI:

cat /var/ossec/logs/ossec.log | grep -iE "syscollector"

If it is running every hour, it should show output similar to:
2025/12/02 11:14:07 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/02 11:14:10 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/12/02 12:14:12 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/12/02 12:14:43 wazuh-modulesd:syscollector: INFO: Evaluation finished.

If Syscollector is not running, check the Wazuh agent ossec.conf file using this Wazuh documentation.

If Syscollector is running fine on the endpoint, then on the Wazuh manager, check whether there are any agent sync issues or indexer connection errors in ossec.log. Run the below command on the Wazuh manager CLI:
cat /var/ossec/logs/ossec.log | grep -iE "sync|indexer-connector|error|warn"

Check if there are any error or warning logs related to agent sync or indexer connection.
If you find indexer authentication errors, you can update the Wazuh Indexer username and password in the Wazuh manager keystore using the wazuh-keystore tool:
echo '<WAZUH_INDEXER_USERNAME>' | /var/ossec/bin/wazuh-keystore -f indexer -k username
echo '<WAZUH_INDEXER_PASSWORD>' | /var/ossec/bin/wazuh-keystore -f indexer -k password

Replace <WAZUH_INDEXER_USERNAME> and <WAZUH_INDEXER_PASSWORD> with the correct credentials.

Also, verify the <indexer> configuration section in the Wazuh manager ossec.conf file. You can refer to the Wazuh documentation for configuration validation and more details about updating the keystore.

Xavier Mertens

unread,
Feb 23, 2026, 2:29:01 AM (yesterday) Feb 23
to Bony V John, Wazuh | Mailing List
Hi Bony,

Thank you for the quick followup…

Syscollector is running fine, no sync errors, and events are properly processed by the Manager. It’s just the OS version that is wrong, all the rest is fine.

Update: I’ve absolutely no idea but… it’s fine now!? The server has been upgraded 2 weeks ago, I just discovered the issue this morning, I just restarted the agent.

Ok, weird! :)

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/YB-gNwiVFPg/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/fa6dcb8f-b480-45db-8b81-ff58d52ace5bn%40googlegroups.com.

Bony V John

unread,
Feb 23, 2026, 11:07:20 PM (9 hours ago) Feb 23
to Wazuh | Mailing List
Hi,

If the issue still persists, please check the <wodle name="syscollector"> configuration block on the agent and ensure the <os> tag is set to yes to enable OS scanning. This can be verified in the following file on the agent: /var/ossec/etc/ossec.conf 

Also, verify the current OS details on the Ubuntu endpoint by running the following command:
cat /etc/os-release

This will display the OS information of the endpoint. Please share the output with us.  

On the Wazuh dashboard, go to:

Hamburger icon (top left) > Server management > Dev Tools

Run the following command to check the OS details stored in Wazuh:

GET /syscollector/<agent-id>/os

Replace <agent-id> with the agent ID of your Ubuntu server that is experiencing the issue.

This should return the OS details stored on the Wazuh manager. Please share the full output with us.

Additionally, please share a screenshot showing where the incorrect OS details are being displayed.

These details will help us analyze the issue further.

Reply all
Reply to author
Forward
0 new messages