problem with vulnerability scanner in wazuh

4,123 views

Skip to first unread message

Ilian Georgiev

unread,

Sep 21, 2022, 5:41:20 AM9/21/22

to Wazuh mailing list

My name is ilian georgiev. i am a new in wazuh nature. And of course i have a first problems. you can see on the pictures. So, when i receive for the first time this mistake. i change eve single version of wazuh server - OVA also and agents. Also i test with windows xp, 7 and i receive the same mistake. Also i make 90 % of the proposals. And every single time i receive this mistake

Doc1.docx

Matias Pereyra

unread,

Sep 21, 2022, 9:23:09 AM9/21/22

to Wazuh mailing list

Hello! And welcome to Wazuh.

If you are not seeing any vulnerabilities for your Window agents, first we are going to confirm that the configuration is correct and that there are no error messages in the logs.

In the agent:

As you can see in the Running a vulnerability scan documentation section, confirm that under the section <wodle name="syscollector"> in the configuration file ossec.conf you have syscollector enabled and you are scanning both packages and hotfixes

</wodle>

In the manager:

In the same documentation section, we can see the required configuration for the manager. The module and the related feeds have to be enabled. The vulnerability detector section in the manager's ossec.conf file should look like this to scan Windows agents (you can add another provider sections if you have agents of different OS). Have you restarted your manager after applying the changes to the configuration?

<vulnerability-detector>
<enabled>yes</enabled>
<interval>5m</interval>
<run_on_start>yes</run_on_start>
<provider name="msu">

<update_interval>1h</update_interval>

</provider>
<provider name="nvd">
<enabled>yes</enabled>
<update_from_year>2010</update_from_year>
<update_interval>1h</update_interval>
</provider>
</vulnerability-detector>

Please upload your oseec.log file so we can analyze it (remember first to delete any sensitive information). We are looking for the logs that confirm that the scan run successfully and that no errors were found.

We'll continue with the results of these tests.

Regards.

Ilian Georgiev

unread,

Sep 22, 2022, 5:05:28 PM9/22/22

to Wazuh mailing list

i make again every thing howto you say and

the result from log

[root-manager ~]# tail /var/ossec/logs/ossec.log
2022/09/23 00:02:42 wazuh-modulesd:database: INFO: Module started.
2022/09/23 00:02:42 wazuh-modulesd:download: INFO: Module started
2022/09/23 00:02:42 wazuh-modulesd:control: INFO: Starting control thread.
2022/09/23 00:02:42 ossec-analysisd: INFO: Total rules enabled: '3568'
2022/09/23 00:02:42 ossec-analysisd: INFO: Started (pid: 13128).
2022/09/23 00:02:43 ossec-logcollector: INFO: Started (pid: 13148).
2022/09/23 00:02:43 ossec-remoted: INFO: (4111): Maximum number of agents allowed: '100000'.
2022/09/23 00:02:43 ossec-remoted: INFO: (1410): Reading authentication keys file.
2022/09/23 00:02:43 wazuh-modulesd:syscollector: INFO: Module started.
2022/09/23 00:02:44 wazuh-modulesd:syscollector: INFO: Starting evaluation.
but

on the dashboard

There are no results for selected time range. Try another one.

Matias Pereyra

unread,

Sep 22, 2022, 6:25:04 PM9/22/22

to Wazuh mailing list

Hi again!

Please, upload the full ossec.log file for both manager and agent so we can analyze them. The portion you share doesn't show any message from vulnerability detector.
Don't forget to include the configuration file ossec.conf also.

Regards.

Ilian Georgiev

unread,

Sep 23, 2022, 5:33:17 AM9/23/22

to Wazuh mailing list

manager - ossec.log

[root@manager logs]# tail /var/ossec/logs/ossec.log
2022/09/23 12:09:38 wazuh-modulesd:vulnerability-detector: INFO: (5452): Starting vulnerability scanning.
2022/09/23 12:09:38 wazuh-modulesd:vulnerability-detector: INFO: (5453): Vulnerability scanning finished.
2022/09/23 12:14:39 wazuh-modulesd:vulnerability-detector: INFO: (5452): Starting vulnerability scanning.
2022/09/23 12:14:39 wazuh-modulesd:vulnerability-detector: INFO: (5453): Vulnerability scanning finished.
2022/09/23 12:19:40 wazuh-modulesd:vulnerability-detector: INFO: (5452): Starting vulnerability scanning.
2022/09/23 12:19:40 wazuh-modulesd:vulnerability-detector: INFO: (5453): Vulnerability scanning finished.
2022/09/23 12:23:30 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/09/23 12:23:38 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/09/23 12:24:41 wazuh-modulesd:vulnerability-detector: INFO: (5452): Starting vulnerability scanning.
2022/09/23 12:24:41 wazuh-modulesd:vulnerability-detector: INFO: (5453): Vulnerability scanning finished.

manager - ossec.conf

<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>
<logall>yes</logall>
<logall_json>yes</logall_json>
<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>oss...@example.wazuh.com</email_from>
<email_to>reci...@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
</global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<logging>
<log_format>plain</log_format>
</logging>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>udp</protocol>
<queue_size>131072</queue_size>
</remote>

<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>

<vulnerability-detector>
<enabled>yes</enabled>
<interval>5m</interval>
<run_on_start>yes</run_on_start>
<provider name="msu">
<enabled>yes</enabled>
<update_interval>1h</update_interval>
</provider>
<provider name="nvd">
<enabled>yes</enabled>
<update_from_year>2010</update_from_year>
<update_interval>1h</update_interval>
</provider>
</vulnerability-detector>

<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>
<white_list>172.20.1.2</white_list>
</global>
<command>
<name>disable-account</name>
<executable>disable-account.sh</executable>
<expect>user</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>restart-ossec</name>
<executable>restart-ossec.sh</executable>
<expect/>
</command>
<command>
<name>firewall-drop</name>
<executable>firewall-drop.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>host-deny</name>
<executable>host-deny.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>route-null</name>
<executable>route-null.sh</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null</name>
<executable>route-null.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>win_route-null-2012</name>
<executable>route-null-2012.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh</name>
<executable>netsh.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<command>
<name>netsh-win-2016</name>
<executable>netsh-win-2016.cmd</executable>
<expect>srcip</expect>
<timeout_allowed>yes</timeout_allowed>
</command>
<ruleset>
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
<list>etc/lists/amazon/aws-eventnames</list>
<list>etc/lists/security-eventchannel</list>
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
<cluster>
<name>wazuh</name>
<node_name>worker01-node</node_name>
<key>c98b62a9b6169ac5f67dae55ae4a9088</key>
<node_type>master</node_type>
<port>1516</port>
<bind_addr>0.0.0.0</bind_addr>
<nodes>
<node>master</node>
</nodes>
<hidden>no</hidden>
<disabled>yes</disabled>
</cluster>
</ossec_config>
<ossec_config>
<auth>
<disabled>yes</disabled>
<port>1515</port>
<use_source_ip>no</use_source_ip>
<force_insert>yes</force_insert>
<force_time>0</force_time>
<purge>yes</purge>
<use_password>no</use_password>
<limit_maxagents>yes</limit_maxagents>
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>

<ssl_verify_host>no</ssl_verify_host>
<ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
<ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
<ssl_auto_negotiate>no</ssl_auto_negotiate>
</auth>
</ossec_config>

agent - ossec.log

2022/09/23 00:10:11 ossec-agent: ERROR: (1758): Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP'.
2022/09/23 00:10:13 ossec-agent: ERROR: (1758): Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn'.
2022/09/23 00:10:13 ossec-agent: ERROR: (1758): Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut'.
2022/09/23 00:10:13 ossec-agent: ERROR: (1758): Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap'.
2022/09/23 00:10:13 ossec-agent: ERROR: (1758): Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo'.
2022/09/23 00:11:07 ossec-agent: ERROR: (1758): Unable to open registry key: 'System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache'.
2022/09/23 00:16:00 ossec-agent: ERROR: (1758): Unable to open registry key: 'Software\Microsoft\Windows\CurrentVersion\RunOnceEx'.
2022/09/23 00:19:23 rootcheck: INFO: Starting rootcheck scan.
2022/09/23 00:19:29 rootcheck: INFO: Ending rootcheck scan.
2022/09/23 00:19:29 ossec-agent: INFO: Starting syscheck real-time monitoring.
2022/09/23 00:29:33 ossec-agent: INFO: Pausing syscheck real-time monitoring.
2022/09/23 00:29:35 rootcheck: INFO: Starting rootcheck scan.
2022/09/23 00:29:40 rootcheck: INFO: Ending rootcheck scan.
2022/09/23 00:29:40 ossec-agent: INFO: Starting syscheck scan.
2022/09/23 00:48:51 ossec-agent: ERROR: (1758): Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP'.
2022/09/23 00:48:53 ossec-agent: ERROR: (1758): Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn'.
2022/09/23 00:48:53 ossec-agent: ERROR: (1758): Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut'.
2022/09/23 00:48:53 ossec-agent: ERROR: (1758): Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap'.
2022/09/23 00:48:53 ossec-agent: ERROR: (1758): Unable to open registry key: 'System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo'.
2022/09/23 00:49:43 ossec-agent: ERROR: (1758): Unable to open registry key: 'System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache'.
2022/09/23 00:54:13 ossec-agent: ERROR: (1758): Unable to open registry key: 'Software\Microsoft\Windows\CurrentVersion\RunOnceEx'.
2022/09/23 00:57:30 ossec-agent: INFO: Ending syscheck scan.
2022/09/23 00:57:32 ossec-agent: INFO: Resuming syscheck real-time monitoring.
2022/09/23 08:30:04 ossec-agent: ERROR: (1218): Unable to send message to 'server': No error
2022/09/23 08:30:06 ossec-agent: ERROR: (1218): Unable to send message to 'server': No error
2022/09/23 08:30:08 ossec-agent: ERROR: (1218): Unable to send message to 'server': No error
2022/09/23 08:30:10 ossec-agent: ERROR: (1218): Unable to send message to 'server': No error
2022/09/23 08:30:12 ossec-agent: ERROR: (1218): Unable to send message to 'server': No error
2022/09/23 08:30:14 ossec-agent: WARNING: Server unavailable. Setting lock.
2022/09/23 08:30:14 ossec-agent: ERROR: (1218): Unable to send message to 'server': No error
2022/09/23 08:30:16 ossec-agent: ERROR: (1218): Unable to send message to 'server': No error
2022/09/23 08:30:19 ossec-agent: ERROR: (1218): Unable to send message to 'server': No error
2022/09/23 08:30:23 ossec-agent: ERROR: (1218): Unable to send message to 'server': No error
2022/09/23 08:30:28 ossec-agent: ERROR: (1218): Unable to send message to 'server': No error
2022/09/23 08:30:34 ossec-agent: ERROR: (1218): Unable to send message to 'server': No error
2022/09/23 08:30:41 ossec-agent: ERROR: (1218): Unable to send message to 'server': No error
2022/09/23 08:30:49 ossec-agent: ERROR: (1218): Unable to send message to 'server': No error
2022/09/23 08:30:58 ossec-agent: ERROR: (1218): Unable to send message to 'server': No error
2022/09/23 08:31:08 ossec-agent: ERROR: (1218): Unable to send message to 'server': No error
2022/09/23 08:31:19 ossec-agent: ERROR: (1218): Unable to send message to 'server': No error
2022/09/23 08:31:31 ossec-agent: ERROR: (1218): Unable to send message to 'server': No error
2022/09/23 08:31:44 ossec-agent: ERROR: (1218): Unable to send message to 'server': No error
2022/09/23 08:31:58 ossec-agent: ERROR: (1218): Unable to send message to 'server': No error
2022/09/23 08:32:13 ossec-agent: ERROR: (1218): Unable to send message to 'server': No error
2022/09/23 08:32:29 ossec-agent: ERROR: (1218): Unable to send message to 'server': No error
2022/09/23 08:32:46 ossec-agent: ERROR: (1218): Unable to send message to 'server': No error
2022/09/23 08:33:04 ossec-agent: ERROR: (1218): Unable to send message to 'server': No error
2022/09/23 08:33:23 ossec-agent: ERROR: (1218): Unable to send message to 'server': No error
2022/09/23 08:33:43 ossec-agent: ERROR: (1218): Unable to send message to 'server': No error
2022/09/23 08:34:05 ossec-agent: ERROR: (1114): Error during select()-call due to [(0)-(No error)].
2022/09/23 08:34:05 ossec-agent: INFO: Trying to connect to server (192.168.160.147:1514).
2022/09/23 08:37:28 ossec-agent: ERROR: (1114): Error during select()-call due to [(0)-(No error)].
2022/09/23 08:37:28 ossec-agent: INFO: Trying to connect to server (192.168.160.147:1514).
2022/09/23 08:41:42 ossec-agent: ERROR: (1114): Error during select()-call due to [(0)-(No error)].
2022/09/23 08:41:42 ossec-agent: INFO: Trying to connect to server (192.168.160.147:1514).
2022/09/23 08:46:07 ossec-agent: ERROR: (1114): Error during select()-call due to [(0)-(No error)].
2022/09/23 08:46:07 ossec-agent: INFO: Trying to connect to server (192.168.160.147:1514).
2022/09/23 08:51:26 ossec-agent: ERROR: (1114): Error during select()-call due to [(0)-(No error)].
2022/09/23 08:51:26 ossec-agent: INFO: Trying to connect to server (192.168.160.147:1514).

agent - ossec.config

<ossec_config>

<client>
<server>
<address>192.168.160.147</address>
<port>1514</port>
<protocol>udp</protocol>
</server>
</client>

<client_buffer>

<disable>no</disable>
<queue_size>5000</queue_size>
<events_per_second>500</events_per_second>
</client_buffer>


<localfile>
<location>Application</location>
<log_format>eventlog</log_format>
</localfile>

<localfile>
<location>Security</location>
<log_format>eventchannel</log_format>
<query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447]</query>
</localfile>

<localfile>
<location>System</location>
<log_format>eventlog</log_format>
</localfile>

<localfile>
<location>C:\Program Files (x86)\ossec-agent\active-response\active-responses.log</location>
<log_format>syslog</log_format>
</localfile>


<rootcheck>
<disabled>no</disabled>
<windows_audit>./shared/win_audit_rcl.txt</windows_audit>
<windows_apps>./shared/win_applications_rcl.txt</windows_apps>
<windows_malware>./shared/win_malware_rcl.txt</windows_malware>
</rootcheck>


<syscheck>

<frequency>43200</frequency>


<disabled>no</disabled>


<directories check_all="yes">%WINDIR%/regedit.exe</directories>
<directories check_all="yes">%WINDIR%/system.ini</directories>
<directories check_all="yes">%WINDIR%/win.ini</directories>

<directories check_all="yes">%WINDIR%/SysNative/at.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/attrib.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/cacls.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/cmd.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/drivers/etc</directories>
<directories check_all="yes">%WINDIR%/SysNative/eventcreate.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/ftp.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/lsass.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/net.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/net1.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/netsh.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/reg.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/regedt32.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/regsvr32.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/runas.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/sc.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/schtasks.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/sethc.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/subst.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/wbem/WMIC.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/WindowsPowerShell\v1.0\powershell.exe</directories>
<directories check_all="yes">%WINDIR%/SysNative/winrm.vbs</directories>


<directories check_all="yes">%WINDIR%/System32/at.exe</directories>
<directories check_all="yes">%WINDIR%/System32/attrib.exe</directories>
<directories check_all="yes">%WINDIR%/System32/cacls.exe</directories>
<directories check_all="yes">%WINDIR%/System32/cmd.exe</directories>
<directories check_all="yes">%WINDIR%/System32/drivers/etc</directories>
<directories check_all="yes">%WINDIR%/System32/eventcreate.exe</directories>
<directories check_all="yes">%WINDIR%/System32/ftp.exe</directories>
<directories check_all="yes">%WINDIR%/System32/net.exe</directories>
<directories check_all="yes">%WINDIR%/System32/net1.exe</directories>
<directories check_all="yes">%WINDIR%/System32/netsh.exe</directories>
<directories check_all="yes">%WINDIR%/System32/reg.exe</directories>
<directories check_all="yes">%WINDIR%/System32/regedit.exe</directories>
<directories check_all="yes">%WINDIR%/System32/regedt32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/regsvr32.exe</directories>
<directories check_all="yes">%WINDIR%/System32/runas.exe</directories>
<directories check_all="yes">%WINDIR%/System32/sc.exe</directories>
<directories check_all="yes">%WINDIR%/System32/schtasks.exe</directories>
<directories check_all="yes">%WINDIR%/System32/sethc.exe</directories>
<directories check_all="yes">%WINDIR%/System32/subst.exe</directories>
<directories check_all="yes">%WINDIR%/System32/wbem/WMIC.exe</directories>
<directories check_all="yes">%WINDIR%/System32/WindowsPowerShell\v1.0\powershell.exe</directories>
<directories check_all="yes">%WINDIR%/System32/winrm.vbs</directories>

<directories check_all="yes" realtime="yes">%PROGRAMDATA%/Microsoft/Windows/Start Menu/Programs/Startup</directories>

<ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>


<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>

<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>

<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>

<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>


<registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
<registry_ignore type="sregex">\Enum$</registry_ignore>
</syscheck>

<active-response>
<disabled>no</disabled>
<ca_store>wpk_root.pem</ca_store>
</active-response>


<logging>
<log_format>plain</log_format>
</logging>

</ossec_config>

Matias Pereyra

unread,

Sep 23, 2022, 2:44:20 PM9/23/22

to Wazuh mailing list

Hi, thank you very much for all the information provided.
Now we can know where is the cause of this issue.

The configuration of both the agent and the manager seems correct.
But these logs in the manager show that the agents aren't being scanned at all

2022/09/23 12:09:38 wazuh-modulesd:vulnerability-detector: INFO: (5452): Starting vulnerability scanning.
2022/09/23 12:09:38 wazuh-modulesd:vulnerability-detector: INFO: (5453): Vulnerability scanning finished.

We expect something like this

2022/09/23 11:09:32 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2022/09/23 11:09:32 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent 'XXX' vulnerabilities.
2022/09/23 11:09:32 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent 'XXX'
2022/09/23 11:09:32 wazuh-modulesd:vulnerability-detector: INFO: (5472): Vulnerability scan finished.

There are many reasons why Vulnerability Detector may skip agents during the scan. One of them is the agent isn't active (connected to the manager).
It seems the agent is unable to reach the manager

2022/09/23 08:30:14 ossec-agent: WARNING: Server unavailable. Setting lock.

Could you tell me what is the Wazuh version of both the agent and manager?

My first suggestion is to change the communication protocol.

You are using UDP as but I'd change it to TCP. This is more reliable.

In the manager:

Update the <remote> configuration block

<remote>
<connection>secure</connection>
<port>1514</port>

In the agent:

Don't forget to restart both to apply changes and try again.
Please upload both ossec.log files after the test so we can see if anything has changed.

Regards.

Ilian Georgiev

unread,

Sep 24, 2022, 6:32:41 PM9/24/22

to Wazuh mailing list

server - wazuh3.11.4_7.6.0.ova

manager - ossec.log

2022/09/25 01:04:29 ossec-remoted: INFO: (1410): Reading authentication keys file.
2022/09/25 01:04:29 wazuh-modulesd:syscollector: INFO: Module started.
2022/09/25 01:04:30 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/09/25 01:04:33 wazuh-modulesd:vulnerability-detector: INFO: (5461): Starting National Vulnerability Database database update.
2022/09/25 01:04:36 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/09/25 01:04:48 wazuh-modulesd:vulnerability-detector: WARNING: (5489): There was no valid response to 'https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-2010.meta' after 3 attempts.
2022/09/25 01:04:48 wazuh-modulesd:vulnerability-detector: WARNING: (5400): National Vulnerability Database database could not be fetched.
2022/09/25 01:04:48 wazuh-modulesd:vulnerability-detector: ERROR: (5426): CVE database could not be updated.
2022/09/25 01:04:48 wazuh-modulesd:vulnerability-detector: INFO: (5452): Starting vulnerability scanning.
2022/09/25 01:04:48 wazuh-modulesd:vulnerability-detector: INFO: (5453): Vulnerability scanning finished.

manager - ossec.conf

</remote>
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<hotfixes>yes</hotfixes>
<ports all="no">yes</ports>
<processes>yes</processes>

agent - v.3.0.0

agent - ossec.log

2022/09/25 00:50:50 ossec-agent: ERROR: (1216): Unable to connect to '192.168.160.147'.

2022/09/25 00:51:00 ossec-agent: INFO: Trying to connect to server (192.168.160.147:1514).

2022/09/25 00:51:01 ossec-agent: ERROR: (1216): Unable to connect to '192.168.160.147'.

2022/09/25 00:51:11 ossec-agent: INFO: Trying to connect to server (192.168.160.147:1514).

2022/09/25 00:51:12 ossec-agent: ERROR: (1216): Unable to connect to '192.168.160.147'.

2022/09/25 00:51:22 ossec-agent: INFO: Trying to connect to server (192.168.160.147:1514).

2022/09/25 00:51:23 ossec-agent: ERROR: (1216): Unable to connect to '192.168.160.147'.

2022/09/25 00:51:33 ossec-agent: INFO: Trying to connect to server (192.168.160.147:1514).

2022/09/25 00:51:34 ossec-agent: ERROR: (1216): Unable to connect to '192.168.160.147'.

2022/09/25 00:51:35 ossec-agent: INFO: Received exit signal.

2022/09/25 00:51:35 ossec-agent: INFO: Exiting...

2022/09/25 00:51:35 ossec-agent: INFO: Using notify time: 10 and max time to reconnect: 60

2022/09/25 00:51:36 ossec-agent: INFO: Started (pid: 1660).

2022/09/25 00:51:36 ossec-agent: INFO: (1410): Reading authentication keys file.

2022/09/25 00:51:36 ossec-agent: INFO: Assigning counter for agent win7_1: '2:2933'.

2022/09/25 00:51:36 ossec-agent: INFO: Assigning sender counter: 2:5169

2022/09/25 00:51:36 ossec-agent: INFO: Trying to connect to server (192.168.160.147:1514).

2022/09/25 00:51:36 ossec-agent: INFO: Starting syscheckd thread.

2022/09/25 00:51:36 ossec-agent: INFO: (4102): Connected to the server (192.168.160.147:1514).

2022/09/25 00:51:36 rootcheck: INFO: Started (pid: 1660).

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'.

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'.

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile'.

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile'.

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile'.

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects'.

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory'.

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'.

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'.

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols [x64]'.

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies'.

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies [x64]'.

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security'.

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'.

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer [x64]'.

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs'.

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg'.

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'.

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run [x64]'.

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'.

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce [x64]'.

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'.

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'.

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL [x64]'.

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies'.

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies [x64]'.

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows'.

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows [x64]'.

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'.

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon [x64]'.

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'.

2022/09/25 00:51:36 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components [x64]'.

2022/09/25 00:51:36 ossec-agent: INFO: Started (pid: 1660).

2022/09/25 00:51:36 ossec-agent: INFO: System is Vista or newer (Microsoft Windows 7 Professional Service Pack 1 [Ver: 6.1.7601] - Wazuh v3.0.0).

2022/09/25 00:51:36 ossec-agent: INFO: (1951): Analyzing event log: 'Application'.

2022/09/25 00:51:36 ossec-agent: INFO: (1951): Analyzing event log: 'Security'.

2022/09/25 00:51:36 ossec-agent: INFO: (1951): Analyzing event log: 'System'.

2022/09/25 00:51:36 ossec-agent: INFO: (1950): Analyzing file: 'C:\Program Files (x86)\ossec-agent\active-response\active-responses.log'.

2022/09/25 00:51:36 ossec-agent: INFO: Started (pid: 1660).

2022/09/25 00:52:06 ossec-agent: INFO: Syscheck scan frequency: 43200 seconds

2022/09/25 00:52:36 ossec-agent: INFO: Starting syscheck scan (forwarding database).

2022/09/25 00:52:36 ossec-agent: INFO: Starting syscheck database (pre-scan).

2022/09/25 00:52:44 ossec-agent: INFO: Initializing real time file monitoring engine.

2022/09/25 00:52:44 ossec-agent: INFO: Real time file monitoring engine started.

2022/09/25 00:52:44 ossec-agent: INFO: Finished creating syscheck database (pre-scan completed).

2022/09/25 00:52:54 ossec-agent: INFO: Ending syscheck scan (forwarding database).

2022/09/25 00:53:24 ossec-agent: INFO: Received exit signal.

2022/09/25 00:53:24 ossec-agent: INFO: Exiting...

2022/09/25 00:53:24 ossec-agent: INFO: Using notify time: 10 and max time to reconnect: 60

2022/09/25 00:53:24 ossec-agent: INFO: Started (pid: 3176).

2022/09/25 00:53:24 ossec-agent: INFO: (1410): Reading authentication keys file.

2022/09/25 00:53:24 ossec-agent: INFO: Assigning counter for agent win7_1: '2:2933'.

2022/09/25 00:53:24 ossec-agent: INFO: Assigning sender counter: 2:5287

2022/09/25 00:53:24 ossec-agent: INFO: Trying to connect to server (192.168.160.147:1514).

2022/09/25 00:53:24 ossec-agent: INFO: (4102): Connected to the server (192.168.160.147:1514).

2022/09/25 00:53:24 ossec-agent: INFO: System is Vista or newer (Microsoft Windows 7 Professional Service Pack 1 [Ver: 6.1.7601] - Wazuh v3.0.0).

2022/09/25 00:53:24 ossec-agent: INFO: (1951): Analyzing event log: 'Application'.

2022/09/25 00:53:24 ossec-agent: INFO: Starting syscheckd thread.

2022/09/25 00:53:24 rootcheck: INFO: Started (pid: 3176).

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'.

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'.

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile'.

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile'.

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile'.

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects'.

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory'.

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'.

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'.

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols [x64]'.

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies'.

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies [x64]'.

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security'.

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'.

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer [x64]'.

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs'.

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg'.

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'.

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run [x64]'.

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'.

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce [x64]'.

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'.

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'.

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL [x64]'.

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies'.

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies [x64]'.

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows'.

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows [x64]'.

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'.

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon [x64]'.

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'.

2022/09/25 00:53:24 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components [x64]'.

2022/09/25 00:53:24 ossec-agent: INFO: (1951): Analyzing event log: 'Security'.

2022/09/25 00:53:24 ossec-agent: INFO: Started (pid: 3176).

2022/09/25 00:53:24 ossec-agent: INFO: (1951): Analyzing event log: 'System'.

2022/09/25 00:53:24 ossec-agent: INFO: (1950): Analyzing file: 'C:\Program Files (x86)\ossec-agent\active-response\active-responses.log'.

2022/09/25 00:53:24 ossec-agent: INFO: Started (pid: 3176).

2022/09/25 00:53:32 ossec-agent: INFO: Received exit signal.

2022/09/25 00:53:32 ossec-agent: INFO: Exiting...

2022/09/25 00:53:34 ossec-agent: INFO: Using notify time: 10 and max time to reconnect: 60

2022/09/25 00:53:34 ossec-agent: INFO: Started (pid: 3840).

2022/09/25 00:53:34 ossec-agent: INFO: (1410): Reading authentication keys file.

2022/09/25 00:53:34 ossec-agent: INFO: Assigning counter for agent win7_1: '2:2933'.

2022/09/25 00:53:34 ossec-agent: INFO: Assigning sender counter: 2:5292

2022/09/25 00:53:34 ossec-agent: INFO: Trying to connect to server (192.168.160.147:1514).

2022/09/25 00:53:34 ossec-agent: INFO: Starting syscheckd thread.

2022/09/25 00:53:34 ossec-agent: INFO: (4102): Connected to the server (192.168.160.147:1514).

2022/09/25 00:53:34 ossec-agent: INFO: System is Vista or newer (Microsoft Windows 7 Professional Service Pack 1 [Ver: 6.1.7601] - Wazuh v3.0.0).

2022/09/25 00:53:34 ossec-agent: INFO: (1951): Analyzing event log: 'Application'.

2022/09/25 00:53:34 rootcheck: INFO: Started (pid: 3840).

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'.

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'.

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile'.

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile'.

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile'.

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects'.

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory'.

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'.

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'.

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols [x64]'.

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies'.

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies [x64]'.

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security'.

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'.

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer [x64]'.

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs'.

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg'.

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'.

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run [x64]'.

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'.

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce [x64]'.

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'.

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'.

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL [x64]'.

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies'.

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies [x64]'.

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows'.

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows [x64]'.

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'.

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon [x64]'.

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components'.

2022/09/25 00:53:34 ossec-agent: INFO: Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components [x64]'.

2022/09/25 00:53:34 ossec-agent: INFO: Started (pid: 3840).

2022/09/25 00:53:34 ossec-agent: INFO: (1951): Analyzing event log: 'Security'.

2022/09/25 00:53:34 ossec-agent: INFO: (1951): Analyzing event log: 'System'.

2022/09/25 00:53:34 ossec-agent: INFO: (1950): Analyzing file: 'C:\Program Files (x86)\ossec-agent\active-response\active-responses.log'.

2022/09/25 00:53:34 ossec-agent: INFO: Started (pid: 3840).

2022/09/25 00:53:41 ossec-agent: ERROR: (1137): Lost connection with manager. Setting lock.

2022/09/25 00:53:44 ossec-agent: WARNING: Process locked. Waiting for permission...

2022/09/25 00:53:48 ossec-agent: INFO: Trying to connect to server (192.168.160.147:1514).

2022/09/25 00:53:48 ossec-agent: INFO: (4102): Connected to the server (192.168.160.147:1514).

2022/09/25 00:53:48 ossec-agent: INFO: Server responded. Releasing lock.

2022/09/25 00:53:49 ossec-agent: INFO: Lock free. Continuing...

2022/09/25 00:54:09 ossec-agent: INFO: Syscheck scan frequency: 43200 seconds

2022/09/25 00:54:39 ossec-agent: INFO: Starting syscheck scan (forwarding database).

2022/09/25 00:54:41 ossec-agent: INFO: Starting syscheck database (pre-scan).

2022/09/25 00:54:47 ossec-agent: INFO: Initializing real time file monitoring engine.

2022/09/25 00:54:47 ossec-agent: INFO: Real time file monitoring engine started.

2022/09/25 00:54:47 ossec-agent: INFO: Finished creating syscheck database (pre-scan completed).

2022/09/25 00:54:57 ossec-agent: INFO: Ending syscheck scan (forwarding database).

2022/09/25 00:55:21 ossec-agent: ERROR: (1137): Lost connection with manager. Setting lock.

2022/09/25 00:55:28 ossec-agent: INFO: Trying to connect to server (192.168.160.147:1514).

2022/09/25 00:55:28 ossec-agent: INFO: (4102): Connected to the server (192.168.160.147:1514).

2022/09/25 00:55:28 ossec-agent: INFO: Server responded. Releasing lock.

2022/09/25 00:57:11 ossec-agent: ERROR: (1137): Lost connection with manager. Setting lock.

2022/09/25 00:57:11 ossec-agent: WARNING: Process locked. Waiting for permission...

2022/09/25 00:57:18 ossec-agent: INFO: Trying to connect to server (192.168.160.147:1514).

2022/09/25 00:57:18 ossec-agent: INFO: (4102): Connected to the server (192.168.160.147:1514).

2022/09/25 00:57:18 ossec-agent: INFO: Server responded. Releasing lock.

2022/09/25 00:57:21 ossec-agent: INFO: Lock free. Continuing...

2022/09/25 01:04:06 ossec-agent: ERROR: (1137): Lost connection with manager. Setting lock.

2022/09/25 01:04:08 ossec-agent: WARNING: Process locked. Waiting for permission...

2022/09/25 01:04:12 ossec-agent: WARNING: Process locked. Waiting for permission...

2022/09/25 01:04:13 ossec-agent: INFO: Trying to connect to server (192.168.160.147:1514).

2022/09/25 01:04:13 ossec-agent: INFO: (4102): Connected to the server (192.168.160.147:1514).

2022/09/25 01:04:13 ossec-agent: INFO: Server responded. Releasing lock.

2022/09/25 01:04:17 ossec-agent: INFO: Lock free. Continuing...

2022/09/25 01:04:18 ossec-agent: INFO: Lock free. Continuing...

2022/09/25 01:04:57 ossec-agent: ERROR: (1137): Lost connection with manager. Setting lock.

2022/09/25 01:04:59 ossec-agent: WARNING: Process locked. Waiting for permission...

2022/09/25 01:05:04 ossec-agent: INFO: Trying to connect to server (192.168.160.147:1514).

2022/09/25 01:05:04 ossec-agent: INFO: (4102): Connected to the server (192.168.160.147:1514).

2022/09/25 01:05:04 ossec-agent: INFO: Server responded. Releasing lock.

2022/09/25 01:05:09 ossec-agent: INFO: Lock free. Continuing...

2022/09/25 01:08:49 ossec-agent: ERROR: (1137): Lost connection with manager. Setting lock.

2022/09/25 01:08:50 ossec-agent: WARNING: Process locked. Waiting for permission...

2022/09/25 01:08:50 ossec-agent: ERROR: (1218): Unable to send message to 'server': No error

2022/09/25 01:08:56 ossec-agent: INFO: Trying to connect to server (192.168.160.147:1514).

2022/09/25 01:08:56 ossec-agent: INFO: (4102): Connected to the server (192.168.160.147:1514).

2022/09/25 01:08:56 ossec-agent: INFO: Server responded. Releasing lock.

2022/09/25 01:09:00 ossec-agent: INFO: Lock free. Continuing...

agent - ossec.config

<ossec_config>

<client>
<server>
<address>192.168.160.147</address>
<port>1514</port>

Ilian Georgiev

unread,

Sep 24, 2022, 6:34:59 PM9/24/22

to Wazuh mailing list

manager - ossec.log
Sun Sep 25 01:32:53 UTC 2022
[root@manager ~]# tail /var/ossec/logs/ossec.log
2022/09/25 01:13:56 wazuh-modulesd:vulnerability-detector: WARNING: (5400): National Vulnerability Database database could not be fetched.
2022/09/25 01:13:56 wazuh-modulesd:vulnerability-detector: ERROR: (5426): CVE database could not be updated.
2022/09/25 01:13:56 wazuh-modulesd:vulnerability-detector: INFO: (5452): Starting vulnerability scanning.
2022/09/25 01:13:56 wazuh-modulesd:vulnerability-detector: INFO: (5453): Vulnerability scanning finished.
2022/09/25 01:18:57 wazuh-modulesd:vulnerability-detector: INFO: (5452): Starting vulnerability scanning.
2022/09/25 01:18:57 wazuh-modulesd:vulnerability-detector: INFO: (5453): Vulnerability scanning finished.
2022/09/25 01:23:58 wazuh-modulesd:vulnerability-detector: INFO: (5452): Starting vulnerability scanning.
2022/09/25 01:23:58 wazuh-modulesd:vulnerability-detector: INFO: (5453): Vulnerability scanning finished.
2022/09/25 01:28:59 wazuh-modulesd:vulnerability-detector: INFO: (5452): Starting vulnerability scanning.

Ilian Georgiev

unread,

Sep 26, 2022, 11:34:32 AM9/26/22

to Wazuh mailing list

i upgrade my version and the result is the same. i can not use the vulnerability

Matias Pereyra

unread,

Sep 26, 2022, 5:44:45 PM9/26/22

to Wazuh mailing list

Hello again and thank you very much for the information provided and the tests carried out.

I can see that you had an old Wazuh version, what is the version now of both the manager and the agent after the upgrade? are you using the last stable release?

The error messages changed a bit, but the agent still is having problems connecting with the manager. See the messages

2022/09/25 01:04:57 ossec-agent: ERROR: (1137): Lost connection with manager. Setting lock.

If the agent can't send its inventory and isn't connected when the scan begins, vulnerability detector won't be able to scan it.
If you run this command in the manager, you'll be able to confirm the state of the agent

/var/ossec/bin/agent_control -l

Are you working in a local network? Can you run these commands in the agent to validate the communication?

ping 192.168.160.147 -c 5

nc -zv 192.168.160.147 1514 1515

There are also some connectivity issues in the manager that prevent the correct database update, can you verify the connectivity of the manager with the internet? have you configured a firewall, proxy, etc.?

2022/09/25 01:04:48 wazuh-modulesd:vulnerability-detector: WARNING: (5400): National Vulnerability Database database could not be fetched.
2022/09/25 01:04:48 wazuh-modulesd:vulnerability-detector: ERROR: (5426): CVE database could not be updated.

Regards.

Ilian Georgiev

unread,

Sep 27, 2022, 1:56:33 AM9/27/22

to Wazuh mailing list

/var/ossec/bin/agent_control -l

[wazuh@wazuh-manager ~]$ sudo /var/ossec/bin/agent_control -l
[sudo] password for wazuh:

Wazuh agent_control. List of available agents:
ID: 000, Name: wazuh-manager (server), IP: 127.0.0.1, Active/Local
ID: 001, Name: win7, IP: 192.168.160.156, Active

==========================================================================================================================

Are you working in a local network? Can you run these commands in the agent to validate the communication?

On my laptop i have two VM one with wazuh-manager 4.2.7_1.13.2.ova - without FIREWALL

and other with win 7 with wazuh-agent 4.2.7 also with disable service on FIREWALL

=======================================================================================================================

So, my new data

wazuh-manager ossec.conf

<ossec_config>
<global>
<jsonout_output>yes</jsonout_output>
<alerts_log>yes</alerts_log>

<email_notification>no</email_notification>
<smtp_server>smtp.example.wazuh.com</smtp_server>
<email_from>oss...@example.wazuh.com</email_from>
<email_to>reci...@example.wazuh.com</email_to>
<email_maxperhour>12</email_maxperhour>
<email_log_source>alerts.log</email_log_source>
</global>
<alerts>
<log_alert_level>3</log_alert_level>
<email_alert_level>12</email_alert_level>
</alerts>
<logging>
<log_format>plain</log_format>
</logging>
<remote>
<connection>secure</connection>
<port>1514</port>
<protocol>tcp</protocol>

<queue_size>131072</queue_size>
</remote>
<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
</sca>

<synchronization>
<max_eps>10</max_eps>
</synchronization>
</wodle>
<vulnerability-detector>
<enabled>yes</enabled>
<interval>5m</interval>

<ignore_time>6h</ignore_time>
<run_on_start>yes</run_on_start>
<provider name="canonical">
<enabled>no</enabled>
<os>trusty</os>
<os>xenial</os>
<os>bionic</os>
<os>focal</os>
<update_interval>1h</update_interval>
</provider>
<provider name="debian">
<enabled>no</enabled>
<os>wheezy</os>
<os>stretch</os>
<os>jessie</os>
<os>buster</os>
<update_interval>1h</update_interval>
</provider>
<provider name="redhat">
<enabled>no</enabled>

<update_from_year>2010</update_from_year>
<update_interval>1h</update_interval>
</provider>
<provider name="nvd">
<enabled>yes</enabled>

<update_interval>1h</update_interval>
</provider>
</vulnerability-detector>
<global>
<white_list>127.0.0.1</white_list>
<white_list>^localhost.localdomain$</white_list>

<white_list>10.0.2.3</white_list>

<node_name>node01</node_name>
<node_type>master</node_type>
<key/>

</nodes>
<hidden>no</hidden>
<disabled>yes</disabled>
</cluster>
</ossec_config>
<ossec_config>
<auth>

<port>1515</port>
<use_source_ip>no</use_source_ip>
<force_insert>yes</force_insert>
<force_time>0</force_time>
<purge>yes</purge>
<use_password>no</use_password>
<limit_maxagents>yes</limit_maxagents>
<ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>

<ssl_verify_host>no</ssl_verify_host>
<ssl_manager_cert>/var/ossec/etc/sslmanager.cert</ssl_manager_cert>
<ssl_manager_key>/var/ossec/etc/sslmanager.key</ssl_manager_key>
<ssl_auto_negotiate>no</ssl_auto_negotiate>
</auth>
</ossec_config>

wazuh-manager ossec.log

[wazuh@wazuh-manager ~]$ sudo tail /var/ossec/logs/ossec.log
[sudo] password for wazuh:
2022/09/27 08:30:19 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'National Vulnerability Database' database could not be fetched.
2022/09/27 08:30:19 wazuh-modulesd:vulnerability-detector: ERROR: (5513): CVE database could not be updated.
2022/09/27 08:30:19 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2022/09/27 08:30:19 wazuh-modulesd:vulnerability-detector: ERROR: (5582): Unavailable vulnerabilities at the NVD database. The scan is aborted.
2022/09/27 08:35:20 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'National Vulnerability Database' database update.
2022/09/27 08:35:35 wazuh-modulesd:vulnerability-detector: WARNING: (5522): There was no valid response to 'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2010.meta' after '3' attempts.
2022/09/27 08:35:35 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'National Vulnerability Database' database could not be fetched.
2022/09/27 08:35:35 wazuh-modulesd:vulnerability-detector: ERROR: (5513): CVE database could not be updated.
2022/09/27 08:35:35 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2022/09/27 08:35:35 wazuh-modulesd:vulnerability-detector: ERROR: (5582): Unavailable vulnerabilities at the NVD database. The scan is aborted.

wazuh-agent ossec-conf

<!--

Wazuh - Agent - Default configuration for Windows

More info at: https://documentation.wazuh.com

Mailing list: https://groups.google.com/forum/#!forum/wazuh

-->

<ossec_config>

</server>

</client>

<client_buffer>

<queue_size>5000</queue_size>

<events_per_second>500</events_per_second>

</client_buffer>

</wodle>

<scan-on-start>yes</scan-on-start>

<java_path>wodles\java</java_path>

<ciscat_path>wodles\cis-cat</ciscat_path>

</wodle>

<active-response>

<ca_store>wpk_root.pem</ca_store>

</active-response>

<log_format>plain</log_format>

</logging>

</ossec_config>

wazuh-agent ossec.log

2022/09/27 00:00:10 wazuh-agent: INFO: Starting new log after rotation.

2022/09/27 00:06:34 wazuh-modulesd:syscollector: INFO: Starting evaluation.

2022/09/27 00:06:34 wazuh-modulesd:syscollector: INFO: Evaluation finished.

2022/09/27 01:06:35 wazuh-modulesd:syscollector: INFO: Starting evaluation.

2022/09/27 01:06:35 wazuh-modulesd:syscollector: INFO: Evaluation finished.

2022/09/27 02:06:36 wazuh-modulesd:syscollector: INFO: Starting evaluation.

2022/09/27 02:06:36 wazuh-modulesd:syscollector: INFO: Evaluation finished.

2022/09/27 03:06:37 wazuh-modulesd:syscollector: INFO: Starting evaluation.

2022/09/27 03:06:37 wazuh-modulesd:syscollector: INFO: Evaluation finished.

2022/09/27 04:06:38 wazuh-modulesd:syscollector: INFO: Starting evaluation.

2022/09/27 04:06:38 wazuh-modulesd:syscollector: INFO: Evaluation finished.

2022/09/27 05:06:39 wazuh-modulesd:syscollector: INFO: Starting evaluation.

2022/09/27 05:06:39 wazuh-modulesd:syscollector: INFO: Evaluation finished.

2022/09/27 06:06:35 rootcheck: INFO: Starting rootcheck scan.

2022/09/27 06:06:40 rootcheck: INFO: Ending rootcheck scan.

2022/09/27 06:06:40 wazuh-modulesd:syscollector: INFO: Starting evaluation.

2022/09/27 06:06:40 wazuh-modulesd:syscollector: INFO: Evaluation finished.

2022/09/27 06:06:45 wazuh-agent: INFO: (6008): File integrity monitoring scan started.

2022/09/27 06:06:58 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.

2022/09/27 07:06:41 wazuh-modulesd:syscollector: INFO: Starting evaluation.

2022/09/27 07:06:41 wazuh-modulesd:syscollector: INFO: Evaluation finished.

2022/09/27 08:06:42 wazuh-modulesd:syscollector: INFO: Starting evaluation.

2022/09/27 08:06:43 wazuh-modulesd:syscollector: INFO: Evaluation finished.

Matias Pereyra

unread,

Sep 27, 2022, 9:24:41 AM9/27/22

to Wazuh mailing list

Hi!

Now we see the agent is properly connected and there are no more connection error messages in the agent. Those are good news.

There is one last thing that is preventing the manager from starting the vulnerability detector scan

2022/09/27 08:35:35 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'National Vulnerability Database' database could not be fetched.

2022/09/27 08:35:35 wazuh-modulesd:vulnerability-detector: ERROR: (5582): Unavailable vulnerabilities at the NVD database. The scan is aborted.

If the NVD database can't be fetched, the scan is aborted.
We see this message that suggests that the manager's VM hasn't connectivity

2022/09/27 08:35:35 wazuh-modulesd:vulnerability-detector: WARNING: (5522): There was no valid response to 'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2010.meta' after '3' attempts.

I've tested that this link is valid, you could also check this from a new terminal in the manager with the command

curl -O https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2010.meta

If this fails, it means your VM can't reach the internet and you will require a different network configuration to download the vulnerability's information. Please fix this first and try again.

Another option is to configure an Offline Update. This requires you previously download the databases in a host with internet access and then upload them to the VM so the Wazuh manager can read them from a local folder.

Regards.

Ilian Georgiev

unread,

Sep 27, 2022, 11:51:44 AM9/27/22

to Wazuh mailing list

I've tested that this link is valid, you could also check this from a new terminal in the manager with the command

curl -O https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2010.meta

where is this terminal?

===============================================================================================

when i ping 8.8.8.8 -> network is unreachable

Matias Pereyra

unread,

Sep 28, 2022, 7:26:19 PM9/28/22

to Wazuh mailing list

Hi!
I just suggested to try the curl command in the same way you tested ping. But it isn't necessary now.

It seems that your VM can't reach the network so it won't download any vulnerability data.
In order to help you, I need to know how you configured your VM, are you using Virtual Box?

Here you have more information about this issue

https://authmane512.medium.com/solve-connect-network-is-unreachable-issue-with-virtualbox-1f32f3cb5ade
https://www.dev2qa.com/how-to-resolve-ubuntu-virtualbox-network-is-unreachable-error/
https://www.youtube.com/watch?v=B28SnW8eQQY

Regards.

Ilian Georgiev

unread,

Sep 29, 2022, 11:43:42 AM9/29/22

to Wazuh mailing list

Hello Bro,

I have ext connection

[root@wazuh-manager ~]# sudo tail /var/ossec/logs/ossec.log
2022/09/29 18:31:07 sca: INFO: Starting Security Configuration Assessment scan.
2022/09/29 18:31:07 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'National Vulnerability Database' database update.
2022/09/29 18:31:07 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_centos7_linux.yml'
2022/09/29 18:31:07 wazuh-modulesd:syscollector: INFO: Module started.
2022/09/29 18:31:07 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/09/29 18:31:11 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/09/29 18:31:13 wazuh-syscheckd: INFO: (6009): File integrity monitoring scan ended.
2022/09/29 18:31:41 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_centos7_linux.yml'
2022/09/29 18:31:41 sca: INFO: Security Configuration Assessment scan finished. Duration: 34 seconds.
2022/09/29 18:32:05 rootcheck: INFO: Ending rootcheck scan.

But

I have da same result There are no results for selected time range. Try another one about vulnerability.

Ilian Georgiev

unread,

Sep 29, 2022, 11:51:13 AM9/29/22

to Wazuh mailing list

manager -

[root@wazuh-manager ~]# curl -O https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2010.meta
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 165 100 165 0 0 153 0 0:00:01 0:00:01 --:--:-- 154

agent -

2022/09/29 18:25:22 wazuh-agent: INFO: Received exit signal.

2022/09/29 18:25:22 wazuh-agent: INFO: Set pending exit signal.

2022/09/29 18:25:22 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector.

2022/09/29 18:25:22 wazuh-modulesd:syscollector: INFO: Module finished.

2022/09/29 18:25:22 wazuh-agent: INFO: Exiting...

2022/09/29 18:25:22 wazuh-agent: INFO: (1314): Shutdown received. Deleting responses.

2022/09/29 18:25:23 wazuh-agent: INFO: Using notify time: 10 and max time to reconnect: 60

2022/09/29 18:25:23 wazuh-agent: INFO: (1410): Reading authentication keys file.

2022/09/29 18:25:23 wazuh-agent: INFO: Started (pid: 360).

2022/09/29 18:25:23 wazuh-agent: INFO: Using AES as encryption method.

2022/09/29 18:25:23 wazuh-agent: INFO: Trying to connect to server (192.168.160.147:1514/tcp).

2022/09/29 18:25:23 wazuh-agent: INFO: (4102): Connected to the server (192.168.160.147:1514/tcp).

2022/09/29 18:25:24 wazuh-agent: WARNING: The check_winaudit option is deprecated in favor of the SCA module.

2022/09/29 18:25:24 rootcheck: INFO: Started (pid: 360).

2022/09/29 18:25:24 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'.

2022/09/29 18:25:24 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'.

2022/09/29 18:25:24 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Classes\comfile'.

2022/09/29 18:25:24 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Classes\exefile'.

2022/09/29 18:25:24 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Classes\piffile'.

2022/09/29 18:25:24 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects'.

2022/09/29 18:25:24 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Classes\Directory'.

2022/09/29 18:25:24 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'.

2022/09/29 18:25:24 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'.

2022/09/29 18:25:24 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'.

2022/09/29 18:25:24 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Policies'.

2022/09/29 18:25:24 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Policies'.

2022/09/29 18:25:24 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Security'.

2022/09/29 18:25:24 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'.

2022/09/29 18:25:24 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'.

2022/09/29 18:25:24 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.

2022/09/29 18:25:24 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs'.

2022/09/29 18:25:24 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'.

2022/09/29 18:25:24 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'.

2022/09/29 18:25:24 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'.

2022/09/29 18:25:24 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'.

2022/09/29 18:25:24 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'.

2022/09/29 18:25:24 wazuh-agent: INFO: (6207): Ignore 'file' sregex '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'

2022/09/29 18:25:24 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets'

2022/09/29 18:25:24 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users'

2022/09/29 18:25:24 wazuh-agent: INFO: (6207): Ignore 'registry' sregex '\Enum$'

2022/09/29 18:25:24 wazuh-agent: INFO: Started (pid: 360).

2022/09/29 18:25:24 wazuh-agent: INFO: Windows version is 6.0 or newer. (Microsoft Windows 7 Professional Service Pack 1 [Ver: 6.1.7601] - Wazuh v4.2.7).

2022/09/29 18:25:24 wazuh-agent: INFO: (1951): Analyzing event log: 'Application'.

2022/09/29 18:25:24 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.

2022/09/29 18:25:24 wazuh-modulesd:ciscat: WARNING: No evals defined. Exiting...

2022/09/29 18:25:24 wazuh-modulesd:syscollector: INFO: Module started.

2022/09/29 18:25:24 wazuh-modulesd:syscollector: INFO: Starting evaluation.

2022/09/29 18:25:24 wazuh-agent: INFO: (1951): Analyzing event log: 'Security'.

2022/09/29 18:25:24 wazuh-agent: INFO: (1951): Analyzing event log: 'System'.

2022/09/29 18:25:24 wazuh-agent: INFO: (1950): Analyzing file: 'C:\Program Files (x86)\ossec-agent\active-response\active-responses.log'.

2022/09/29 18:25:25 wazuh-agent: INFO: Started (pid: 360).

2022/09/29 18:25:25 wazuh-modulesd:syscollector: INFO: Evaluation finished.

2022/09/29 18:25:25 wazuh-agent: INFO: (6000): Starting daemon...

2022/09/29 18:25:25 wazuh-agent: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds

2022/09/29 18:25:25 wazuh-agent: INFO: (6008): File integrity monitoring scan started.

2022/09/29 18:25:25 rootcheck: INFO: Starting rootcheck scan.

2022/09/29 18:25:30 rootcheck: INFO: Ending rootcheck scan.

2022/09/29 18:25:39 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.

2022/09/29 18:25:39 wazuh-agent: INFO: (6012): Real-time file integrity monitoring started.

2022/09/29 18:31:31 wazuh-agent: ERROR: (1137): Lost connection with manager. Setting lock.

2022/09/29 18:31:31 wazuh-agent: INFO: Closing connection to server (192.168.160.147:1514/tcp).

2022/09/29 18:31:31 wazuh-agent: INFO: Trying to connect to server (192.168.160.147:1514/tcp).

2022/09/29 18:31:32 wazuh-agent: ERROR: (1216): Unable to connect to '192.168.160.147:1514/tcp': 'No connection could be made because the target machine actively refused it.'.

2022/09/29 18:31:42 wazuh-agent: INFO: Trying to connect to server (192.168.160.147:1514/tcp).

2022/09/29 18:31:43 wazuh-agent: ERROR: (1216): Unable to connect to '192.168.160.147:1514/tcp': 'No connection could be made because the target machine actively refused it.'.

2022/09/29 18:31:53 wazuh-agent: INFO: Trying to connect to server (192.168.160.147:1514/tcp).

2022/09/29 18:31:53 wazuh-agent: INFO: (4102): Connected to the server (192.168.160.147:1514/tcp).

2022/09/29 18:31:53 wazuh-agent: INFO: Server responded. Releasing lock.

2022/09/29 18:32:32 wazuh-agent: INFO: Received exit signal.

2022/09/29 18:32:32 wazuh-agent: INFO: Set pending exit signal.

2022/09/29 18:32:32 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector.

2022/09/29 18:32:32 wazuh-modulesd:syscollector: INFO: Module finished.

2022/09/29 18:32:32 wazuh-agent: INFO: Exiting...

2022/09/29 18:32:32 wazuh-agent: INFO: (1314): Shutdown received. Deleting responses.

2022/09/29 18:32:33 wazuh-agent: INFO: Using notify time: 10 and max time to reconnect: 60

2022/09/29 18:32:34 wazuh-agent: INFO: (1410): Reading authentication keys file.

2022/09/29 18:32:34 wazuh-agent: INFO: Started (pid: 3712).

2022/09/29 18:32:34 wazuh-agent: INFO: Using AES as encryption method.

2022/09/29 18:32:34 wazuh-agent: INFO: Trying to connect to server (192.168.160.147:1514/tcp).

2022/09/29 18:32:34 wazuh-agent: WARNING: The check_winaudit option is deprecated in favor of the SCA module.

2022/09/29 18:32:34 rootcheck: INFO: Started (pid: 3712).

2022/09/29 18:32:34 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Classes\batfile'.

2022/09/29 18:32:34 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile'.

2022/09/29 18:32:34 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Classes\comfile'.

2022/09/29 18:32:34 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Classes\exefile'.

2022/09/29 18:32:34 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Classes\piffile'.

2022/09/29 18:32:34 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects'.

2022/09/29 18:32:34 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Classes\Directory'.

2022/09/29 18:32:34 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Classes\Folder'.

2022/09/29 18:32:34 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'.

2022/09/29 18:32:34 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols'.

2022/09/29 18:32:34 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Policies'.

2022/09/29 18:32:34 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Policies'.

2022/09/29 18:32:34 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Security'.

2022/09/29 18:32:34 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'.

2022/09/29 18:32:34 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer'.

2022/09/29 18:32:34 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services'.

2022/09/29 18:32:34 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs'.

2022/09/29 18:32:34 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'.

2022/09/29 18:32:34 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run'.

2022/09/29 18:32:34 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce'.

2022/09/29 18:32:34 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'.

2022/09/29 18:32:34 wazuh-agent: INFO: (6356): Maximum file size limit to generate diff information configured to '51200 KB' for 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL'.

2022/09/29 18:32:34 wazuh-agent: INFO: (6207): Ignore 'file' sregex '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'

2022/09/29 18:32:34 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets'

2022/09/29 18:32:34 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users'

2022/09/29 18:32:34 wazuh-agent: INFO: (6207): Ignore 'registry' sregex '\Enum$'

2022/09/29 18:32:34 wazuh-agent: INFO: Started (pid: 3712).

2022/09/29 18:32:34 wazuh-agent: INFO: (4102): Connected to the server (192.168.160.147:1514/tcp).

2022/09/29 18:32:34 wazuh-agent: INFO: Windows version is 6.0 or newer. (Microsoft Windows 7 Professional Service Pack 1 [Ver: 6.1.7601] - Wazuh v4.2.7).

2022/09/29 18:32:34 wazuh-agent: INFO: (1951): Analyzing event log: 'Application'.

2022/09/29 18:32:34 wazuh-agent: INFO: (1951): Analyzing event log: 'Security'.

2022/09/29 18:32:34 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.

2022/09/29 18:32:34 wazuh-modulesd:ciscat: WARNING: No evals defined. Exiting...

2022/09/29 18:32:34 wazuh-agent: INFO: (1951): Analyzing event log: 'System'.

2022/09/29 18:32:34 wazuh-agent: INFO: (6000): Starting daemon...

2022/09/29 18:32:34 wazuh-agent: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds

2022/09/29 18:32:34 wazuh-agent: INFO: (6008): File integrity monitoring scan started.

2022/09/29 18:32:34 rootcheck: INFO: Starting rootcheck scan.

2022/09/29 18:32:34 wazuh-agent: INFO: (1950): Analyzing file: 'C:\Program Files (x86)\ossec-agent\active-response\active-responses.log'.

2022/09/29 18:32:35 wazuh-modulesd:syscollector: INFO: Module started.

2022/09/29 18:32:35 wazuh-modulesd:syscollector: INFO: Starting evaluation.

2022/09/29 18:32:35 wazuh-agent: INFO: Started (pid: 3712).

2022/09/29 18:32:35 wazuh-modulesd:syscollector: INFO: Evaluation finished.

2022/09/29 18:32:40 rootcheck: INFO: Ending rootcheck scan.

2022/09/29 18:32:53 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.

2022/09/29 18:32:53 wazuh-agent: INFO: (6012): Real-time file integrity monitoring started.

Ilian Georgiev

unread,

Sep 29, 2022, 11:57:59 AM9/29/22

to Wazuh mailing list

manager-

[root@wazuh-manager ~]# sudo tail /var/ossec/logs/ossec.log

2022/09/29 18:32:05 rootcheck: INFO: Ending rootcheck scan.

2022/09/29 18:46:20 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'National Vulnerability Database' feed finished successfully.
2022/09/29 18:46:20 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Microsoft Security Update' database update.
2022/09/29 18:46:20 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Microsoft Security Update' feed finished successfully.
2022/09/29 18:46:20 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2022/09/29 18:46:21 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '000' vulnerabilities.
2022/09/29 18:46:21 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
2022/09/29 18:46:21 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '001' vulnerabilities.
2022/09/29 18:46:43 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '001'
2022/09/29 18:46:43 wazuh-modulesd:vulnerability-detector: INFO: (5472): Vulnerability scan finished.

But the result is the same! in the pictures you may view

1111111.docx

Matias Pereyra

unread,

Sep 30, 2022, 4:14:28 PM9/30/22

to Wazuh mailing list

Hello again!

Now that you have fixed the connectivity issue, the database is properly downloaded and the scan for agent 001 has run

2022/09/29 18:46:21 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '001' vulnerabilities.
2022/09/29 18:46:43 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '001'

But if after this you don't see any vulnerability for the agent, we could enable the debug logs to see what is happening.

In the manager:

Add the line wazuh_modules.debug=2 to the file /var/ossec/etc/local_internal_options.conf
Save the changes and restart the manager with the command systemctl restart wazuh-manager

Now the ossec.log file should have detailed information about the scan and we'll know if there is a problem with the scan.

Also, optionally, you could solve this error message

2022/09/29 18:46:21 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.

By enabling the feeds for the rest of the operating systems in the ossec.conf file of the manager

<provider name="canonical">
<enabled>yes</enabled>

<os>trusty</os>
<os>xenial</os>
<os>bionic</os>
<os>focal</os>

<os>jammy</os>
<update_interval>1h</update_interval>
</provider>


<provider name="redhat">
<enabled>yes</enabled>
<os>5</os>
<os>6</os>
<os>7</os>
<os>8</os>
<os>9</os>
<update_interval>1h</update_interval>
</provider>

Regards.

Ilian Georgiev

unread,

Oct 3, 2022, 4:04:45 AM10/3/22

to Wazuh mailing list

So every thing its ok, but know MITRE Attack integrity monitoring disappeared

Ilian Georgiev

unread,

Oct 3, 2022, 4:16:16 AM10/3/22

to Wazuh mailing list

O no no, the problem continue, when set up 1 hour the problem you may see on the pictures. the problem stopped when i changed on 7 days.

All of this you may see on the pictures

1111111.docx

Ilian Georgiev

unread,

Oct 3, 2022, 4:42:18 AM10/3/22

to Wazuh mailing list

im sorry i forgot

wazuh manager - ossec.log

====================================================================================

[wazuh@wazuh-manager ~]$ sudo tail /var/ossec/logs/ossec.log

2022/10/01 01:48:18 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2022/10/01 01:48:22 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2022/10/01 01:48:23 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'National Vulnerability Database' database update.
2022/10/01 01:54:23 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'National Vulnerability Database' feed finished successfully.
2022/10/01 01:54:23 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Microsoft Security Update' database update.
2022/10/01 01:54:23 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Microsoft Security Update' feed finished successfully.
2022/10/01 01:54:23 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2022/10/01 01:54:23 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '000' vulnerabilities.
2022/10/01 01:54:23 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
2022/10/01 01:54:23 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '011' vulnerabilities.

[wazuh@wazuh-manager ~]$ sudo tail /var/ossec/logs/ossec.log

2022/10/01 01:48:23 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'National Vulnerability Database' database update.
2022/10/01 01:54:23 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'National Vulnerability Database' feed finished successfully.
2022/10/01 01:54:23 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Microsoft Security Update' database update.
2022/10/01 01:54:23 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Microsoft Security Update' feed finished successfully.
2022/10/01 01:54:23 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2022/10/01 01:54:23 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '000' vulnerabilities.
2022/10/01 01:54:23 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
2022/10/01 01:54:23 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '011' vulnerabilities.
2022/10/01 01:54:47 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '011'
2022/10/01 01:54:47 wazuh-modulesd:vulnerability-detector: INFO: (5472): Vulnerability scan finished.
[wazuh@wazuh-manager ~]$

[wazuh@wazuh-manager ~]$ sudo tail /var/ossec/logs/ossec.log
[sudo] password for wazuh:

2022/10/01 02:14:51 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
2022/10/01 02:14:51 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '011' vulnerabilities.
2022/10/01 02:14:52 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '011'
2022/10/01 02:14:52 wazuh-modulesd:vulnerability-detector: INFO: (5472): Vulnerability scan finished.
2022/10/01 02:19:53 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2022/10/01 02:19:53 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '000' vulnerabilities.
2022/10/01 02:19:53 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
2022/10/01 02:19:53 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '011' vulnerabilities.
2022/10/01 02:19:53 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '011'
2022/10/01 02:19:53 wazuh-modulesd:vulnerability-detector: INFO: (5472): Vulnerability scan finished.

[wazuh@wazuh-manager ~]$ sudo tail /var/ossec/logs/ossec.log
[sudo] password for wazuh:

2022/10/01 02:34:56 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
2022/10/01 02:34:56 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '011' vulnerabilities.
2022/10/01 02:34:56 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '011'
2022/10/01 02:34:56 wazuh-modulesd:vulnerability-detector: INFO: (5472): Vulnerability scan finished.
2022/10/01 02:39:57 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2022/10/01 02:39:57 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '000' vulnerabilities.
2022/10/01 02:39:57 wazuh-modulesd:vulnerability-detector: WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
2022/10/01 02:39:57 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '011' vulnerabilities.
2022/10/01 02:39:57 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '011'
2022/10/01 02:39:57 wazuh-modulesd:vulnerability-detector: INFO: (5472): Vulnerability scan finished.
[wazuh@wazuh-manager ~]$

Miguel Angel Cazajous

unread,

Oct 3, 2022, 1:48:47 PM10/3/22

to Wazuh mailing list

Hi kashalotche,

I will continue helping with this issue since Matías took some days off.

Let me know first some information.

If I understood correctly you are using the Wazuh OVA as manager and Windows 7 as an agent. Is that correct? Please confirm
Please share the output of these commands (execute them in your manager)
/var/ossec/bin/manage_agents -V
/var/ossec/bin/agent_control -i <windows_7_agent_id> (for example agent_control -i 001)
The output of these commands (execute them in your manager). You should get something different from zero.
sqlite3 /var/ossec/queue/vulnerabilities/cve.db 'select count(*) from nvd_cve'
sqlite3 /var/ossec/queue/vulnerabilities/cve.db 'select count(*) from msu'

Now try the following

Stop your manager
/var/ossec/bin/wazuh-control stop
Change the verbosity of wazuh modules with this command
sed -i 's/$wazuh_modules\.debug=$.*/\12/' /var/ossec/etc/internal_options.conf
Force baseline scan (please replace <windows_7_agent_id> with the id of your agent).
sqlite3 /var/ossec/queue/db/<windows_7_agent_id>.db 'update vuln_metadata set last_full_scan = 0'
Start your manager
/var/ossec/bin/wazuh-control start
Share the output of these commands. (Execute them in your manager)
sqlite3 /var/ossec/queue/db/001.db 'select count(*) from vuln_cves'
grep -E "vulnerability.title" /var/ossec/logs/alerts/alerts.log | wc -l

If you want to share an image you can upload images using this option.

Regards!

Ilian Georgiev

unread,

Oct 5, 2022, 3:48:25 AM10/5/22

to Wazuh mailing list

If I understood correctly you are using the Wazuh OVA as manager and Windows 7 as an agent. Is that correct? Please confirm - YES
[wazuh@wazuh-manager ~]$ sudo /var/ossec/bin/manage_agents -V
[sudo] password for wazuh:

Wazuh v4.2.7 - Wazuh Inc.

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License (version 2) as
published by the Free Software Foundation. For more details, go to
https://www.gnu.org/licenses/gpl.html
[wazuh@wazuh-manager ~]$ sudo /var/ossec/bin/agent_control -i 011

Wazuh agent_control. Agent information:
Agent ID: 011
Agent Name: 192.168.160.150
IP address: 192.168.160.150
Status: Active

Operating system: Microsoft Windows 7 Professional Service Pack 1
Client version: Wazuh v4.2.7
Configuration hash: ab73af41699f13fdd81903b5f23d8d00
Shared file hash: 2c45c95db2954d2c7d0ea533f09e81a5
Last keep alive: 1664964279

Syscheck last started at: Wed Oct 5 05:49:53 2022
Syscheck last ended at: Wed Oct 5 05:50:19 2022

Rootcheck last started at: Unknown

===================================================================================================

[wazuh@wazuh-manager ~]$ sudo sqlite3 /var/ossec/queue/db/011.db 'select count(*) from vuln_cves'
1361

[wazuh@wazuh-manager ~]$ sudo grep -E "vulnerability.title" /var/ossec/logs/alerts/alerts.log | wc -l
2729

======================================================================================================

[wazuh@wazuh-manager ~]$ sudo tail /var/ossec/logs/ossec.log
[sudo] password for wazuh:

2022/10/05 10:31:19 wazuh-modulesd:vulnerability-detector[11123] wm_vuln_detector.c:2167 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5450): Analyzing agent '000' vulnerabilities.
2022/10/05 10:31:19 wazuh-modulesd:vulnerability-detector[11123] wm_vuln_detector.c:2176 at wm_vuldet_check_agent_vulnerabilities(): WARNING: (5575): Unavailable vulnerability data for the agent '000' OS. Skipping it.
2022/10/05 10:31:19 wazuh-modulesd:vulnerability-detector[11123] wm_vuln_detector.c:2167 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5450): Analyzing agent '011' vulnerabilities.
2022/10/05 10:31:19 wazuh-modulesd:vulnerability-detector[11123] wm_vuln_detector.c:4446 at wm_vuldet_get_software_info(): DEBUG: (5437): Collecting agent '011' software.
2022/10/05 10:31:19 wazuh-modulesd:vulnerability-detector[11123] wm_vuln_detector.c:4464 at wm_vuldet_get_software_info(): DEBUG: (5439): A partial scan will be run on agent '011'
2022/10/05 10:31:19 wazuh-modulesd:vulnerability-detector[11123] wm_vuln_detector.c:4672 at wm_vuldet_get_software_info(): DEBUG: (5445): No changes have been found with respect to the last package inventory or no packages have been indexed for agent '011'
2022/10/05 10:31:19 wazuh-modulesd:vulnerability-detector[11123] wm_vuln_detector.c:2216 at wm_vuldet_check_agent_vulnerabilities(): INFO: (5471): Finished vulnerability assessment for agent '011'
2022/10/05 10:31:19 wazuh-modulesd:vulnerability-detector[11123] wm_vuln_detector.c:2217 at wm_vuldet_check_agent_vulnerabilities(): DEBUG: (5470): It took '0' seconds to 'scan' vulnerabilities in agent '011'
2022/10/05 10:31:19 wazuh-modulesd:vulnerability-detector[11123] wm_vuln_detector.c:7144 at wm_vuldet_run_scan(): INFO: (5472): Vulnerability scan finished.
2022/10/05 10:31:19 wazuh-modulesd:vulnerability-detector[11123] wm_vuln_detector.c:7191 at wm_vuldet_run_sleep(): DEBUG: Sleeping for 300 seconds...

================================================================================================================

But the problem continue

You may see in the pictures

12qw.odt

Miguel Angel Cazajous

unread,

Oct 5, 2022, 10:24:33 AM10/5/22

to Wazuh mailing list

Hi,

What is the problem you see? According to the images you shared in that .odt file I see that the vulnerabilities for agent 11 which is a Windows 7 are properly shown in the UI

If you sum those results, the value is similar to the one using grep in your alerts.log file. Which is 2729, according to your response.

Of course, if you reduce the scope of the results to the last 15 minutes, it is expected to not find any results.

Also, the logs you shared said that the partial scan did not find any new package to scan. Thus, there're no new vulnerabilities to show.

2022/10/05 10:31:19 wazuh-modulesd:vulnerability-detector[11123] wm_vuln_detector.c:4672 at wm_vuldet_get_software_info(): DEBUG: (5445): No changes have been found with respect to the last package inventory or no packages have been indexed for agent '011'

You can tweak the options for vulnerability detector to change the behavior of scans and alerts. Please refer to this guide

https://documentation.wazuh.com/4.2/user-manual/capabilities/vulnerability-detection/how-it-works.html#scan-types

Regards!

Ilian Georgiev

unread,

Oct 12, 2022, 5:42:18 AM10/12/22

to Wazuh mailing list

every thing its ok!!!!!

But now i have not report from MITRE ATT&CK and Integrity monitoring. the result is the same!
============================================================================

There are no results for selected time range. Try another one!!!

Miguel Angel Cazajous

unread,

Oct 12, 2022, 10:00:35 AM10/12/22

to Wazuh mailing list

Hi kashalotche,

If everything related to the vulnerability detector is solved, I suggest opening another question for these other issues so any owner of those features can take a look. Regards!

Reply all

Reply to author

Forward

0 new messages