Problems with vulnerability events

22 views
Skip to first unread message

Analytics FG

unread,
Mar 12, 2026, 1:07:53 PM (4 days ago) Mar 12
to Wazuh | Mailing List

Hi everyone,

We are using Wazuh 4.14.3 on Debian GNU/Linux 12 (bookworm).

Recently, we've noticed a significant number of missing vulnerability events.
In the Vulnerability Inventory, we can see several agents with active vulnerabilities, but no events are generated when the status of the affected packages changes.

For example:
When we update a vulnerable package, it correctly disappears from the inventory, but no "solved" event is fired.

We've been using Wazuh with the same agents for a long time, and in the past, the behavior was different — events used to be generated as expected.
Now, not all package status changes trigger events, and the issue seems to occur randomly.

We haven't changed any configuration in the last year.

Is anyone else experiencing the same issue?

Thanks in advance for any insights.


Jorge Ardila

unread,
Mar 12, 2026, 2:08:43 PM (4 days ago) Mar 12
to Wazuh | Mailing List
Hi Analytics FG.

Hi,

In Wazuh, the Vulnerability Inventory and the alerts generated by the vulnerability detection module are handled separately, so it is possible for the inventory to update without generating a corresponding alert.

According to the Wazuh documentation, alerts are generated only when a vulnerability is added to or removed from the inventory as a result of a package change detected during a Syscollector scan cycle. If the package update occurs while the agent is stopped, or the change is detected outside the normal scan cycle, the inventory may be updated but no Solved event will be generated.

You can see this behavior described in the documentation:
https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/how-it-works.html

Best regards.

Reply all
Reply to author
Forward
0 new messages