Not seeing new Solved and Active events in Vulnerability Management

Bob Barrett

Sep 30, 2025, 10:53:58 PM
to Wazuh | Mailing List
Hello,

On one of my Wazuh servers, Solved and Active events no longer appear in Data vulnerability status. I do see that Wazuh is detecting vulnerabilities, but there are no more data.vulnerability.status events. When using Vulnerability Detection, I see current detections in the Inventory view, but nothing in the Events view. The problem started about 2-3 months ago. I tried clearing the vulnerability cache, but that did not help.

Wazuh is running 4.12.0.

Thanks in advance for advice.

Bob

hasitha.u...@wazuh.com

Oct 1, 2025, 12:13:36 AM
to Wazuh | Mailing List
Hi Bob,

The Vulnerability Detection module generates alerts upon the detection of new vulnerabilities or the resolution of existing vulnerabilities, such as through package updates, removals, or system upgrades. However, while these conditions are necessary, they are not always enough for alert generation, which depends on specific detection scenarios.

Operating System Alerts

Operating system alerts are not generated during the initial inventory scan. Upon the first sync of a Wazuh agent with the Wazuh manager, changes to the operating system version or recent patches are not seen as new events. Alerts are triggered only in later scans upon detection of such changes.

Package Alerts

Alerts about package changes are generated only when a vulnerability is added to or removed from the inventory due to package installation or removal. This requires that the event be captured during a scheduled Syscollector scan. No alerts will be generated if changes occur while the Wazuh agent is stopped or if they are detected right after an agent restart.

Additional Considerations

  • In a clustered environment, when a Wazuh agent reconnects to a different manager node, it syncs its inventory with the new node. However, this initial sync does not generate alerts, even if changes exist.
  • Upon updating vulnerability content (such as CVE definitions, translations, or mapping rules) on the server, all agents are rechecked to keep results accurate. No alerts are generated during this initial recheck triggered by content updates.
Ref: https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/how-it-works.html

Let me know whether the Vulnerability Detection -> Events tab shows any error or any data when you access it.

First, make sure that Syscollector scanning is running properly on the endpoint. On one of the monitored agents (preferably one with an active vulnerability showing this issue), run:
cat /var/ossec/logs/ossec.log | grep -iE "syscollector"
If Syscollector is running correctly, you should see output similar to:
  2025/08/22 05:12:35 wazuh-modulesd:syscollector: INFO: Starting evaluation.
  2025/08/22 05:12:46 wazuh-modulesd:syscollector: INFO: Evaluation finished.
  2025/08/22 06:12:47 wazuh-modulesd:syscollector: INFO: Starting evaluation.
  2025/08/22 06:12:58 wazuh-modulesd:syscollector: INFO: Evaluation finished.

Run the following command to check for errors related to vulnerabilities, Syscollector, or synchronization on the Wazuh manager:
cat /var/ossec/logs/ossec.log | grep -iE "error|warn|crit|fatal|syscollector|sync"

For testing, the Events section should show an alert if a new vulnerability is detected or resolved. Try installing an older version of VLC Player:
https://www.videolan.org/vlc/releases/2.2.3.html

Let me know the update on this.
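
An added example (not part of the thread, and not Wazuh tooling): a Python check over Syscollector lines in the format quoted above, pairing each "Starting evaluation" with its "Evaluation finished" and flagging unfinished scans or long gaps between scans. The sample log is constructed, and the 70-minute gap threshold is an assumption based on the hourly spacing in that output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format quoted in the reply above; the last
# scan starts about three hours late and has no "finished" line.
SAMPLE_LOG = """\
2025/08/22 05:12:35 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/08/22 05:12:46 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/08/22 06:12:47 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/08/22 06:12:58 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/08/22 09:13:01 wazuh-modulesd:syscollector: INFO: Starting evaluation.
"""

LINE_RE = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) wazuh-modulesd:syscollector: "
    r"INFO: (Starting evaluation|Evaluation finished)\.")

def check_syscollector(log_text, max_gap=timedelta(minutes=70)):
    """Return (completed_scans, findings) for the syscollector lines."""
    completed, findings = [], []
    open_start = None   # start time of a scan that has not finished yet
    last_start = None   # start time of the previous scan
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue    # unrelated ossec.log line
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        if m.group(2) == "Starting evaluation":
            if open_start is not None:
                findings.append(f"scan started {open_start} never finished")
            if last_start is not None and ts - last_start > max_gap:
                findings.append(f"gap of {ts - last_start} before scan at {ts}")
            open_start = last_start = ts
        elif open_start is None:
            findings.append(f"finish at {ts} without a matching start")
        else:
            completed.append((open_start, ts - open_start))
            open_start = None
    if open_start is not None:
        findings.append(f"scan started {open_start} still open at end of log")
    return completed, findings

if __name__ == "__main__":
    scans, problems = check_syscollector(SAMPLE_LOG)
    print(f"{len(scans)} completed scans")
    for p in problems:
        print("finding:", p)
```

To run it on an agent, pass the contents of /var/ossec/logs/ossec.log to `check_syscollector` instead of the sample.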

Bob Barrett

Oct 1, 2025, 8:16:57 AM
to Wazuh | Mailing List
Your response explains my misunderstanding of Solved and Active status.  I assumed these events were triggered by the detection of a vulnerability, not by the package.  If I have a Windows Server, and it does not get patched for several months, the new vulnerabilities that will be found each month after patch Tuesday will not trigger an Active status.  But if I do patch eventually, this would trigger a Solved status.  Do I understand this correctly?

Thanks.

hasitha.u...@wazuh.com

Oct 4, 2025, 1:43:43 AM
to Wazuh | Mailing List
Hi Bob,

Yes, that's exactly right—new CVEs added monthly won't trigger "Active" alerts on an unpatched system since the package inventory hasn't changed (and content updates don't generate alerts). Patching would detect the resolution during the next Syscollector scan, triggering a "Solved" alert.

For more details, you can refer to this. https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/how-it-works.html Let me know if you have more questions!

Josep M Gorro

Nov 14, 2025, 3:14:26 PM
to Wazuh | Mailing List
Hello hasitha.upekshitha

I've tried installing an old vlan version on an agent and nothing appears.
I've experienced this behavior since October 30. No inventory, no dashboard and no events on vulnerability manager.
ossec.log does not show messages other than Start and finish evaluation.

Could you please help me find where the problem could be?

For your info, I tried stopping the vulnerability scan and starting it again (the index structure has not been modified because it already contains the changes) as proposed in https://www.reddit.com/r/Wazuh/comments/1i133si/vulnerability_detection_empty_after_upgrade_to/

Thanks.

On Wednesday, October 1, 2025 at 6:13:36 UTC+2, hasitha.u...@wazuh.com wrote:

Josep M Gorro

Nov 14, 2025, 4:22:06 PM
to Wazuh | Mailing List
An update that could be important.
After some time, the vlan vulnerability has appeared. Really happy.
So I proceeded to remove it. After some more minutes, the vulnerability records disappeared from the inventory, but events are still empty. Nothing appears. And I remember that, when a vulnerability is fixed, it appears here as solved.

Hope this helps to find the issue.

Thanks.

On Friday, November 14, 2025 at 21:14:26 UTC+1, Josep M Gorro wrote: