Wazuh 4.12.0 vulnerability module

Henry Valero

Jul 25, 2025, 5:58:00 PM
to Wazuh | Mailing List
Hi all,

I installed Wazuh in distributed mode, one component on each server: Indexer, Manager, and Dashboard. After completing the installation process, I changed the system password using the Wazuh script. Everything seems to be working fine, but when I check the vulnerability module, it shows no information. On the server, I was able to take the following screenshots attached. How can I solve this problem?

Atte,
Henry
alertta serManager-ossec.log.jpg
consulta-curl serManager.png
modulo-vulnerabilidades.png
consulta-curl-serManager-2.png
alerta-servidor-indexer.png
alerta-server-manager.png

hasitha.u...@wazuh.com

Jul 26, 2025, 12:05:14 AM
to Wazuh | Mailing List
Hi Henry,

No vulnerabilities reported in the Wazuh dashboard, or the wazuh-states-vulnerabilities-* index has not been created. The manager logs might show messages like IndexerConnector initialization failed for index 'X', retrying until the connection is successful.

Possible reasons:
Vulnerability detector
Indexer connector
wazuh-keystore

Set the indexer username and password in the wazuh-keystore (Run this command on the Wazuh manager node)
echo 'admin' | /var/ossec/bin/wazuh-keystore -f indexer -k username
echo 'admin' | /var/ossec/bin/wazuh-keystore -f indexer -k password


Verify the indexer connector configuration at /var/ossec/etc/ossec.conf.
Ensure:
The <host> section contains the correct Wazuh indexer URL. The host FQDN/IP address must match the certificate details.
The <ssl> section specifies the correct paths for the certificate, key, and CA files.
Example configuration:

<indexer>
  <enabled>yes</enabled>
  <hosts>
    <host>https://0.0.0.0:9200</host>
  </hosts>
  <ssl>
    <certificate_authorities>
      <ca>/etc/filebeat/certs/root-ca.pem</ca>
    </certificate_authorities>
    <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
    <key>/etc/filebeat/certs/filebeat-key.pem</key>
  </ssl>
</indexer>


Replace 0.0.0.0 with the IP address or hostname of your Wazuh indexer node.
You can find this value in the Filebeat configuration file at /etc/filebeat/filebeat.yml. Ensure that the <certificate> and <key> names match the files located in /etc/filebeat/certs/
curl --cacert <ROOT_CA> --cert <CERTIFICATE_PEM> --key <CERTIFICATE_KEY> -u <USER>:<PASS> -XGET https://<INDEXER_IP_ADDRESS>:9200/_cluster/health

<ROOT_CA>, <CERTIFICATE_PEM>, <CERTIFICATE_KEY>: Certificate paths.
ls -lh /etc/filebeat/certs

<USER> and <PASS>: Admin credentials.
<INDEXER_IP_ADDRESS>: IP address of the Wazuh indexer.

For more details, you can refer to these guides.
https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/FAQ.html#communication-issues-between-the-wazuh-server-and-the-wazuh-indexer
https://documentation.wazuh.com/current/user-manual/user-administration/password-management.html#passwords-distributed

Please check that the configuration is set up correctly, try restarting all components, and let me know if the issue still persists.
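
The checks on the <indexer> block listed in the reply above, as an added example (not part of the original reply and not Wazuh's own tooling). The function names are hypothetical, and the world-readable private key check goes beyond what the reply lists.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check of the <indexer> block in ossec.conf.
# Function names are hypothetical; the returned value is the problem count.

# Print the text of every <tag>...</tag> found inside <indexer>...</indexer>.
indexer_values() {  # $1 = config file, $2 = tag name
  sed -n '/<indexer>/,/<\/indexer>/p' "$1" |
    sed -n "s:.*<$2>\(.*\)</$2>.*:\1:p"
}

check_indexer_conf() {  # $1 = config file
  _problems=0
  _hosts=$(indexer_values "$1" host)
  [ -n "$_hosts" ] || { echo "FAIL no <host> in <indexer>"; _problems=$((_problems + 1)); }
  for _h in $_hosts; do
    case $_h in
      *//0.0.0.0|*//0.0.0.0:*)
        echo "FAIL placeholder host left in place: $_h"; _problems=$((_problems + 1)) ;;
      *) echo "OK   host: $_h (must match the indexer certificate)" ;;
    esac
  done
  for _tag in ca certificate key; do
    for _f in $(indexer_values "$1" "$_tag"); do
      if [ ! -r "$_f" ]; then
        echo "FAIL <$_tag> missing or unreadable: $_f"; _problems=$((_problems + 1))
      elif [ "$_tag" = key ] && [ -n "$(find "$_f" -perm -004)" ]; then
        # Extra check, not in the reply: private key readable by any user.
        echo "FAIL <key> is world-readable: $_f"; _problems=$((_problems + 1))
      else
        echo "OK   <$_tag>: $_f"
      fi
    done
  done
  return "$_problems"
}

# Run against a file only when one is given, e.g. /var/ossec/etc/ossec.conf.
if [ $# -gt 0 ]; then check_indexer_conf "$1"; fi
```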

hasitha.u...@wazuh.com

Jul 29, 2025, 4:44:15 AM
to Wazuh | Mailing List
Hi Henry

Let me know if the issue has been resolved or if you need further assistance on this.

Henry Valero

Aug 1, 2025, 5:11:20 PM
to Wazuh | Mailing List
Hi,
I have updated the admin password and the vulnerabilities can now be seen; however, there are a number of events (4375) that have remained in a pending evaluation status and are not moving. Likewise, in the events tab no events are displayed.

Atte,
vulnerabilities-modules.png
indices-actualizados.jpg
indices-creados.jpg
events-vulnerabilities.png

hasitha.u...@wazuh.com

Aug 2, 2025, 1:00:59 AM
to Wazuh | Mailing List
Hi Henry

I'm happy to hear that the vulnerability dashboard is now functioning properly.

Firstly, you need to understand that vulnerability scan results and alerts are two different things. Scan results are shown in the Dashboard and inventory section of the Vulnerability Dashboard, while alerts appear in the events section of the Vulnerability Dashboard.

The Vulnerability Detection module creates alerts when new vulnerabilities are found or when existing ones are fixed because of updates, package removals, or system upgrades.
Try expanding the time range in case the alert was triggered on a previous date.
OS Alerts:
These alerts aren’t generated during the first scan.
If the agent is syncing with the manager for the first time, it won’t detect any recent OS changes or patches.

Package Alerts:
Alerts are triggered when installing or removing a package causes changes in the vulnerability list.
But this only happens if the agent detects the change during a regular Syscollector scan.
If changes happen while the agent is stopped, or if you restart the agent to force a report, no alerts are generated.

Other things to keep in mind:
Cluster setups: If an agent connects to a different node, it syncs its data, but no alerts are generated during this initial sync.
Content updates: When vulnerability data is updated, all agents are re-scanned. However, no alerts are generated during this update scan.

You can check this document to learn more:
https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/how-it-works.html

For testing, the Events section should show an alert if a new vulnerability is detected or resolved. Try installing an older version of VLC Player:
https://www.videolan.org/vlc/releases/2.2.3.html

Vulnerabilities in pending status are waiting to be evaluated, and when they are evaluated, the value will be updated; you don't have to do anything.

Let me know the update on this.