WAZUH VULNERABILITY MODULE NOT WORKING


saman javed

Jan 9, 2023, 4:06:12 AM
to Wazuh mailing list
Hi,

I have configured the Wazuh vulnerability module, but it is not showing any data.
Any help is appreciated, as I am new to it.
1- Below is the configuration:
 <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="yes">yes</ports>
    <processes>yes</processes>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>4h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>

    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>yes</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <os>jammy</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Debian OS vulnerabilities -->
    <provider name="debian">
      <enabled>yes</enabled>
      <os>stretch</os>
      <os>buster</os>
      <os>bullseye</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>yes</enabled>
      <os>5</os>
      <os>6</os>
      <os>7</os>
      <os>8</os>
      <os>9</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Amazon Linux OS vulnerabilities -->
    <provider name="alas">
      <enabled>yes</enabled>
      <os>amazon-linux</os>
      <os>amazon-linux-2</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Arch OS vulnerabilities -->
    <provider name="arch">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2010</update_from_year>
      <update_interval>1h</update_interval>
    </provider>

  </vulnerability-detector>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <scan_on_start>yes</scan_on_start>

    <!-- Generate alert when new file detected -->
    <alert_new_files>yes</alert_new_files>

    <!-- Don't ignore files that change more than 'frequency' times -->
    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories>/etc,/usr/bin,/usr/sbin</directories>
    <directories>/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Check the file, but never compute the diff -->
    <nodiff>/etc/ssl/private.key</nodi



2- Below are the ossec logs and errors:
[root@siem-loadbalancer01 ~]# cat /var/ossec/logs/ossec.log | grep ulnerab
2023/01/09 00:01:08 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Red Hat Enterprise Linux 6' database could not be fetched.
2023/01/09 00:01:08 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 7' database update.
2023/01/09 00:02:59 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Red Hat Enterprise Linux 7' database could not be fetched.
2023/01/09 00:02:59 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 8' database update.
2023/01/09 00:04:49 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Red Hat Enterprise Linux 8' database could not be fetched.
2023/01/09 00:04:49 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 9' database update.
2023/01/09 00:06:38 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Red Hat Enterprise Linux 9' database could not be fetched.
2023/01/09 00:06:38 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'JSON Red Hat Enterprise Linux' database update.
2023/01/09 00:07:53 wazuh-modulesd:vulnerability-detector: WARNING: (5547): There was no valid response to 'https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=1' after '3' attempts. Trying the next page.
2023/01/09 00:09:09 wazuh-modulesd:vulnerability-detector: WARNING: (5547): There was no valid response to 'https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=2' after '3' attempts. Trying the next page.
2023/01/09 00:10:25 wazuh-modulesd:vulnerability-detector: WARNING: (5547): There was no valid response to 'https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=3' after '3' attempts. Trying the next page.
2023/01/09 00:11:41 wazuh-modulesd:vulnerability-detector: WARNING: (5547): There was no valid response to 'https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=4' after '3' attempts. Trying the next page.
2023/01/09 00:12:57 wazuh-modulesd:vulnerability-detector: WARNING: (5547): There was no valid response to 'https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=5' after '3' attempts. Trying the next page.
2023/01/09 00:14:11 wazuh-modulesd:vulnerability-detector: WARNING: (5547): There was no valid response to 'https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=6' after '3' attempts. Trying the next page.
2023/01/09 00:14:11 wazuh-modulesd:vulnerability-detector: ERROR: (5553): The allowed number of failed pages (5) has been exhausted. The feed will not be updated.
2023/01/09 00:14:11 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Amazon Linux 1' database update.
2023/01/09 00:17:51 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Amazon Linux 1' database could not be fetched.
2023/01/09 00:17:51 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Amazon Linux 2' database update.
2023/01/09 00:21:31 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Amazon Linux 2' database could not be fetched.
2023/01/09 00:21:31 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Arch Linux' database update.
2023/01/09 00:22:52 wazuh-modulesd:vulnerability-detector: WARNING: (5522): There was no valid response to 'https://security.archlinux.org/issues/all.json' after '3' attempts.
2023/01/09 00:22:52 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Arch Linux' database could not be fetched.
2023/01/09 00:22:52 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'National Vulnerability Database' database update.
2023/01/09 00:23:58 wazuh-modulesd:vulnerability-detector: WARNING: (5522): There was no valid response to 'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2010.meta' after '3' attempts.
2023/01/09 00:23:58 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'National Vulnerability Database' database could not be fetched.
2023/01/09 00:23:58 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Microsoft Security Update' database update.
2023/01/09 00:27:37 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Microsoft Security Update' database could not be fetched.
2023/01/09 00:27:37 wazuh-modulesd:vulnerability-detector: ERROR: (5513): CVE database could not be updated.
2023/01/09 00:27:37 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2023/01/09 00:27:37 wazuh-modulesd:vulnerability-detector: ERROR: (5582): Unavailable vulnerabilities at the NVD database. The scan is aborted.
2023/01/09 00:27:38 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'JSON Red Hat Enterprise Linux' database update.
2023/01/09 00:28:52 wazuh-modulesd:vulnerability-detector: WARNING: (5547): There was no valid response to 'https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=1' after '3' attempts. Trying the next page.
2023/01/09 00:30:07 wazuh-modulesd:vulnerability-detector: WARNING: (5547): There was no valid response to 'https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=2' after '3' attempts. Trying the next page.
2023/01/09 00:31:22 wazuh-modulesd:vulnerability-detector: WARNING: (5547): There was no valid response to 'https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=3' after '3' attempts. Trying the next page.
2023/01/09 00:32:37 wazuh-modulesd:vulnerability-detector: WARNING: (5547): There was no valid response to 'https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=4' after '3' attempts. Trying the next page.
2023/01/09 00:33:53 wazuh-modulesd:vulnerability-detector: WARNING: (5547): There was no valid response to 'https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=5' after '3' attempts. Trying the next page.
2023/01/09 00:35:07 wazuh-modulesd:vulnerability-detector: WARNING: (5547): There was no valid response to 'https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=6' after '3' attempts. Trying the next page.
2023/01/09 00:35:07 wazuh-modulesd:vulnerability-detector: ERROR: (5553): The allowed number of failed pages (5) has been exhausted. The feed will not be updated.
2023/01/09 00:35:07 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Amazon Linux 1' database update.
2023/01/09 00:38:51 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Amazon Linux 1' database could not be fetched.
2023/01/09 00:38:51 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Amazon Linux 2' database update.
2023/01/09 00:42:32 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Amazon Linux 2' database could not be fetched.
2023/01/09 00:42:32 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Arch Linux' database update.
2023/01/09 00:43:55 wazuh-modulesd:vulnerability-detector: WARNING: (5522): There was no valid response to 'https://security.archlinux.org/issues/all.json' after '3' attempts.
2023/01/09 00:43:55 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Arch Linux' database could not be fetched.
2023/01/09 00:43:55 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'National Vulnerability Database' database update.
2023/01/09 00:45:00 wazuh-modulesd:vulnerability-detector: WARNING: (5522): There was no valid response to 'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2010.meta' after '3' attempts.
2023/01/09 00:45:00 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'National Vulnerability Database' database could not be fetched.
2023/01/09 00:45:00 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Microsoft Security Update' database update.
2023/01/09 00:48:41 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Microsoft Security Update' database could not be fetched.
2023/01/09 00:48:41 wazuh-modulesd:vulnerability-detector: ERROR: (5513): CVE database could not be updated.
2023/01/09 00:48:42 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Trusty' database update.
2023/01/09 00:50:33 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Ubuntu Trusty' database could not be fetched.
2023/01/09 00:50:33 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Xenial' database update.
2023/01/09 00:52:22 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Ubuntu Xenial' database could not be fetched.
2023/01/09 00:52:22 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Bionic' database update.
2023/01/09 00:54:13 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Ubuntu Bionic' database could not be fetched.
2023/01/09 00:54:13 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Focal' database update.
2023/01/09 00:56:03 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Ubuntu Focal' database could not be fetched.
2023/01/09 00:56:03 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Jammy' database update.
2023/01/09 00:57:53 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Ubuntu Jammy' database could not be fetched.
2023/01/09 00:57:53 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Debian Stretch' database update.
2023/01/09 00:59:44 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Debian Stretch' database could not be fetched.
2023/01/09 00:59:44 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Debian Buster' database update.
2023/01/09 01:01:33 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Debian Buster' database could not be fetched.
2023/01/09 01:01:33 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Debian Bullseye' database update.
2023/01/09 01:03:24 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Debian Bullseye' database could not be fetched.
2023/01/09 01:03:24 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 5' database update.
2023/01/09 01:05:16 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Red Hat Enterprise Linux 5' database could not be fetched.
2023/01/09 01:05:16 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 6' database update.
2023/01/09 01:07:08 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Red Hat Enterprise Linux 6' database could not be fetched.
2023/01/09 01:07:08 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 7' database update.
2023/01/09 01:08:59 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Red Hat Enterprise Linux 7' database could not be fetched.
2023/01/09 01:08:59 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 8' database update.
2023/01/09 01:10:50 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Red Hat Enterprise Linux 8' database could not be fetched.
2023/01/09 01:10:50 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 9' database update.
2023/01/09 01:12:39 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Red Hat Enterprise Linux 9' database could not be fetched.
2023/01/09 01:12:39 wazuh-modulesd:vulnerability-detector: ERROR: (5513): CVE database could not be updated.
2023/01/09 01:12:39 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2023/01/09 01:12:39 wazuh-modulesd:vulnerability-detector: ERROR: (5582): Unavailable vulnerabilities at the NVD database. The scan is aborted.
2023/01/09 01:12:40 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Trusty' database update.
2023/01/09 01:14:31 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Ubuntu Trusty' database could not be fetched.
2023/01/09 01:14:31 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Xenial' database update.
2023/01/09 01:16:21 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Ubuntu Xenial' database could not be fetched.
2023/01/09 01:16:21 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Bionic' database update.
2023/01/09 01:18:11 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Ubuntu Bionic' database could not be fetched.
2023/01/09 01:18:11 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Focal' database update.
2023/01/09 01:20:01 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Ubuntu Focal' database could not be fetched.
2023/01/09 01:20:01 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Ubuntu Jammy' database update.
2023/01/09 01:21:51 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Ubuntu Jammy' database could not be fetched.
2023/01/09 01:21:51 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Debian Stretch' database update.
2023/01/09 01:23:40 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Debian Stretch' database could not be fetched.
2023/01/09 01:23:40 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Debian Buster' database update.
2023/01/09 01:25:30 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Debian Buster' database could not be fetched.
2023/01/09 01:25:30 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Debian Bullseye' database update.
2023/01/09 01:27:21 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Debian Bullseye' database could not be fetched.
2023/01/09 01:27:21 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 5' database update.
2023/01/09 01:29:10 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Red Hat Enterprise Linux 5' database could not be fetched.
2023/01/09 01:29:10 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 6' database update.
2023/01/09 01:31:01 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Red Hat Enterprise Linux 6' database could not be fetched.
2023/01/09 01:31:01 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 7' database update.
2023/01/09 01:32:52 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Red Hat Enterprise Linux 7' database could not be fetched.
2023/01/09 01:32:52 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 8' database update.
2023/01/09 01:34:43 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Red Hat Enterprise Linux 8' database could not be fetched.
2023/01/09 01:34:43 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 9' database update.
2023/01/09 01:36:36 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Red Hat Enterprise Linux 9' database could not be fetched.
2023/01/09 01:36:36 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'JSON Red Hat Enterprise Linux' database update.
2023/01/09 01:37:50 wazuh-modulesd:vulnerability-detector: WARNING: (5547): There was no valid response to 'https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=1' after '3' attempts. Trying the next page.
2023/01/09 01:39:05 wazuh-modulesd:vulnerability-detector: WARNING: (5547): There was no valid response to 'https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=2' after '3' attempts. Trying the next page.
2023/01/09 01:40:21 wazuh-modulesd:vulnerability-detector: WARNING: (5547): There was no valid response to 'https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=3' after '3' attempts. Trying the next page.
2023/01/09 01:41:36 wazuh-modulesd:vulnerability-detector: WARNING: (5547): There was no valid response to 'https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=4' after '3' attempts. Trying the next page.
2023/01/09 01:42:50 wazuh-modulesd:vulnerability-detector: WARNING: (5547): There was no valid response to 'https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=5' after '3' attempts. Trying the next page.
2023/01/09 01:44:06 wazuh-modulesd:vulnerability-detector: WARNING: (5547): There was no valid response to 'https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=6' after '3' attempts. Trying the next page.
2023/01/09 01:44:06 wazuh-modulesd:vulnerability-detector: ERROR: (5553): The allowed number of failed pages (5) has been exhausted. The feed will not be updated.
2023/01/09 01:44:06 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Amazon Linux 1' database update.
2023/01/09 01:47:48 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Amazon Linux 1' database could not be fetched.
2023/01/09 01:47:48 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Amazon Linux 2' database update.
2023/01/09 01:51:29 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Amazon Linux 2' database could not be fetched.
2023/01/09 01:51:29 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Arch Linux' database update.
2023/01/09 01:52:52 wazuh-modulesd:vulnerability-detector: WARNING: (5522): There was no valid response to 'https://security.archlinux.org/issues/all.json' after '3' attempts.
2023/01/09 01:52:52 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Arch Linux' database could not be fetched.
2023/01/09 01:52:52 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'National Vulnerability Database' database update.
2023/01/09 01:53:56 wazuh-modulesd:vulnerability-detector: WARNING: (5522): There was no valid response to 'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2010.meta' after '3' attempts.
2023/01/09 01:53:56 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'National Vulnerability Database' database could not be fetched.
2023/01/09 01:53:56 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Microsoft Security Update' database update.
2023/01/09 01:57:38 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Microsoft Security Update' database could not be fetched.
2023/01/09 01:57:38 wazuh-modulesd:vulnerability-detector: ERROR: (5513): CVE database could not be updated.
2023/01/09 01:57:39 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'JSON Red Hat Enterprise Linux' database update.
2023/01/09 01:58:53 wazuh-modulesd:vulnerability-detector: WARNING: (5547): There was no valid response to 'https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=1' after '3' attempts. Trying the next page.
2023/01/09 02:00:10 wazuh-modulesd:vulnerability-detector: WARNING: (5547): There was no valid response to 'https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=2' after '3' attempts. Trying the next page.
2023/01/09 02:01:25 wazuh-modulesd:vulnerability-detector: WARNING: (5547): There was no valid response to 'https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=3' after '3' attempts. Trying the next page.
2023/01/09 02:02:39 wazuh-modulesd:vulnerability-detector: WARNING: (5547): There was no valid response to 'https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=4' after '3' attempts. Trying the next page.
2023/01/09 02:03:54 wazuh-modulesd:vulnerability-detector: WARNING: (5547): There was no valid response to 'https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=5' after '3' attempts. Trying the next page.
2023/01/09 02:05:09 wazuh-modulesd:vulnerability-detector: WARNING: (5547): There was no valid response to 'https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=6' after '3' attempts. Trying the next page.
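A quick triage of the log lines above, as an added example (not from the thread and not Wazuh tooling): it parses the ossec.log format quoted in the post, counts per feed which updates started and which failed, and flags the case where every feed that started also failed, which is what points at a connectivity problem rather than at one bad provider. The sample lines are a constructed subset of the log above.

```python
"""Triage wazuh-modulesd vulnerability-detector log lines.

Added example, not part of the original thread. Groups the INFO/WARNING/
ERROR lines by feed and reports whether *every* feed failed.
"""
import json
import re
from collections import defaultdict

# Shape of a vulnerability-detector line in /var/ossec/logs/ossec.log,
# as quoted in the post: timestamp, component, level, (code), message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"wazuh-modulesd:vulnerability-detector: "
    r"(?P<level>INFO|WARNING|ERROR): \((?P<code>\d+)\): (?P<msg>.*)$"
)
START_RE = re.compile(r"Starting '(?P<feed>[^']+)' database update\.")
FAIL_RE = re.compile(r"The '(?P<feed>[^']+)' database could not be fetched\.")
URL_RE = re.compile(r"no valid response to '(?P<url>[^']+)'")

# Constructed sample: a subset of the lines quoted in the post above.
SAMPLE_LOG = """\
2023/01/09 00:01:08 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 7' database update.
2023/01/09 00:02:59 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Red Hat Enterprise Linux 7' database could not be fetched.
2023/01/09 00:06:38 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'JSON Red Hat Enterprise Linux' database update.
2023/01/09 00:07:53 wazuh-modulesd:vulnerability-detector: WARNING: (5547): There was no valid response to 'https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=1' after '3' attempts. Trying the next page.
2023/01/09 00:14:11 wazuh-modulesd:vulnerability-detector: ERROR: (5553): The allowed number of failed pages (5) has been exhausted. The feed will not be updated.
2023/01/09 00:22:52 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'National Vulnerability Database' database update.
2023/01/09 00:23:58 wazuh-modulesd:vulnerability-detector: WARNING: (5522): There was no valid response to 'https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2010.meta' after '3' attempts.
2023/01/09 00:23:58 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'National Vulnerability Database' database could not be fetched.
2023/01/09 00:27:37 wazuh-modulesd:vulnerability-detector: ERROR: (5513): CVE database could not be updated.
2023/01/09 00:27:37 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2023/01/09 00:27:37 wazuh-modulesd:vulnerability-detector: ERROR: (5582): Unavailable vulnerabilities at the NVD database. The scan is aborted.
"""


def triage(log_text):
    """Summarise feed updates; 'connectivity' means every started feed failed."""
    started = defaultdict(int)
    failed = defaultdict(int)
    codes = defaultdict(int)
    urls = set()
    current_feed = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a vulnerability-detector line
        code, msg = m["code"], m["msg"]
        codes[code] += 1
        s = START_RE.search(msg)
        if s:
            current_feed = s["feed"]
            started[current_feed] += 1
            continue
        f = FAIL_RE.search(msg)
        if f:
            failed[f["feed"]] += 1
            continue
        u = URL_RE.search(msg)
        if u:
            urls.add(u["url"])
        # 5553 is the paged Red Hat JSON feed giving up; it names no feed,
        # so attribute it to the feed whose update is in progress.
        if code == "5553" and current_feed:
            failed[current_feed] += 1
    all_failed = bool(started) and all(failed.get(f, 0) >= 1 for f in started)
    return {
        "feeds_started": dict(started),
        "feeds_failed": dict(failed),
        "unreachable_urls": sorted(urls),
        "db_update_failed": codes.get("5513", 0) > 0,  # CVE database could not be updated
        "scan_aborted": codes.get("5582", 0) > 0,      # scan aborted, NVD empty
        "diagnosis": "connectivity" if all_failed else ("partial" if failed else "ok"),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```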

saman javed

Jan 9, 2023, 4:11:23 AM
to Wazuh mailing list
Dashboard snapshot


1.PNG

Openime Oniagbi

Jan 9, 2023, 4:31:11 AM
to Wazuh mailing list
Hi,

Thanks for using Wazuh. 

I have noted the errors in your log file. To resolve them, please first confirm that your Wazuh server has a working Internet connection, so that it can fetch vulnerability information from the web.

If it does not, then ensure it does and then restart the wazuh-manager service.

Let me know if that helps.

Regards,
Openime

saman javed

Jan 11, 2023, 12:06:21 AM
to Wazuh mailing list
Hi,
Thanks for your reply.
I want to go for an offline configuration of the vulnerability module.

I have added the Debian Security Tracker JSON feed following the configuration documentation at https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/offline-update.html


  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>4h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>

    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>yes</enabled>
      <os path="/root/canonical/com.ubuntu.trusty.cve.oval.xml.bz2">trusty</os>
      <os path="/root/canonical/com.ubuntu.xenial.cve.oval.xml.bz2">xenial</os>
      <os path="/root/canonical/com.ubuntu.bionic.cve.oval.xml.bz2">bionic</os>
      <os path="/root/canonical/com.ubuntu.focal.cve.oval.xml.bz2">focal</os>
      <os path="/root/canonical/com.ubuntu.jammy.cve.oval.xml.bz2">jammy</os>

      <update_interval>1h</update_interval>
    </provider>

    <!-- Debian OS vulnerabilities -->
    <provider name="debian">
      <enabled>yes</enabled>
      <os path="/root/debian/oval-definitions-bullseye.xml">bullseye</os>
      <os path="/root/debian/oval-definitions-buster.xml">buster</os>
      <update_interval>1h</update_interval>
    </provider>

    <provider name="debian">
      <enabled>yes</enabled>
      <path>/root/debian/json</path>

      <update_interval>1h</update_interval>
    </provider>

    <!-- RedHat OS vulnerabilities -->
    <provide
But my wazuh-manager failed to start, with an error that the Debian OS is not defined.


Jan 11 09:54:42 siem- systemd[1]: Starting Wazuh manager...
Jan 11 09:54:43 siem-1 env[64022]: 2023/01/11 09:54:43 wazuh-modulesd: ERROR: 'os' tag required for 'debian' provider.
Jan 11 09:54:43 siem-1 env[64022]: 2023/01/11 09:54:43 wazuh-modulesd: ERROR: (1202): Configuration error at 'etc/ossec.conf'.
Jan 11 09:54:43 siem- env[64022]: wazuh-modulesd: Configuration error. Exiting
Jan 11 09:54:43 siem- systemd[1]: wazuh-manager.service: control process exited, code=exited status=1
Jan 11 09:54:43 siem-systemd[1]: Failed to start Wazuh manager.
Jan 11 09:54:43 siem- systemd[1]: Unit wazuh-manager.service entered failed state.
Jan 11 09:54:43 siem- systemd[1]: wazuh-manager.service failed.


How do I remove this error?

Openime Oniagbi

Jan 11, 2023, 3:48:56 AM
to Wazuh mailing list
Hi,

There is an error in your configuration, which I have highlighted below. You have repeated the Debian configuration twice, and the second one does not contain the os tag. Remove the wrong configuration and restart the Wazuh manager.
I hope this helps.

Regards,
Openime

saman javed

Jan 11, 2023, 4:08:43 AM
to Wazuh mailing list
Hi,
I have removed that configuration mistake.


    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>yes</enabled>
      <os path="/root/canonical/com.ubuntu.trusty.cve.oval.xml.bz2">trusty</os>
      <os path="/root/canonical/com.ubuntu.xenial.cve.oval.xml.bz2">xenial</os>
      <os path="/root/canonical/com.ubuntu.bionic.cve.oval.xml.bz2">bionic</os>
      <os path="/root/canonical/com.ubuntu.focal.cve.oval.xml.bz2">focal</os>
      <os path="/root/canonical/com.ubuntu.jammy.cve.oval.xml.bz2">jammy</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Debian OS vulnerabilities -->
    <provider name="debian">
      <enabled>yes</enabled>
      <os path="/root/debian/oval-definitions-bullseye.xml">bullseye</os>
      <os path="/root/debian/oval-definitions-buster.xml">buster</os>
      <path>/root/debian/json</path>
      <update_interval>1h</update_interval>
    </provider>

    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>yes</enabled>
      <os path="/root/redhat/com.redhat.rhsa-RHEL5.xml.bz2">5</os>
      <os path="/root/redhat/rhel-6-including-unpatched.oval.xml.bz2">6</os>
      <os path="/root/redhat/rhel-7-including-unpatched.oval.xml.bz2">7</os>
      <os path="/root/redhat/rhel-8-including-unpatched.oval.xml.bz2">8</os>
      <os path="/root/redhat/rhel-9-including-unpatched.oval.xml.bz2">9</os>
      <update_interval>1h</update_interval>
    </provider>
This is my new configuration.
I have a few queries. Firstly, in the Debian OS vulnerabilities configuration there is a need for the Debian Security Tracker JSON feed, as per the https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/offline-update.html documentation. I have downloaded the JSON feed from https://security-tracker.debian.org/tracker/data/json and have a file named json in my folder. Am I giving it correctly in the configuration ( <path>/root/debian/json</path> ) compared to what the documentation provides (<path>/local_path/security_tracker_local.json</path>)?


Also, in the Red Hat OS vulnerabilities section, to enable the Red Hat Security Data JSON feed we need to run the script ./rh-generator.sh /local_path/rh-feed.

I have made a folder rh-feed and downloaded rh-generator.sh from GitHub, as below:
[root@siem-loadbalancer01 rh-feed]# ls
rh-generator.sh


When I run it, I get the following error:
[root@siem-loadbalancer01 rh-feed]# ./rh-generator.sh
./rh-generator.sh: line 8: syntax error near unexpected token `newline'
./rh-generator.sh: line 8: `<!DOCTYPE html>'


Any help on how to run this script, and what is its purpose?
rh-generator.sh

Openime Oniagbi

Jan 11, 2023, 12:24:12 PM
to Wazuh mailing list
Hi,

The script automates downloading the feed and checking for API downtime. The script downloads all the CVE data since the year 1999 by default. We recommend you use the default starting year to maintain a more comprehensive vulnerability database.

The output from the script shows that you may have downloaded the wrong script. Please check https://github.com/wazuh/wazuh/blob/master/tools/vulnerability-detector/rh-generator.sh for the right script.

Regards,
Openime

saman javed

Jan 12, 2023, 12:42:16 AM
to Wazuh mailing list
Hi,

I have downloaded it from the same link.

Just Ask

Jan 19, 2023, 10:24:41 AM
to Wazuh mailing list
I am having a similar issue. I have downloaded the Red Hat script from https://github.com/wazuh/wazuh/blob/master/tools/vulnerability-detector/rh-generator.sh to do the offline vulnerability detection, but the script does not seem to be working. I have had it running for 3 days and I am receiving the same error (Page download failed (302200), retrying...). The log files are not giving me any information. I did go to the Red Hat link and noticed that the API web address has been modified, so I changed it in the script, but I am still receiving the error. Not sure if this is ongoing, due to not being able to find any reference to it on the Wazuh pages.

Openime Oniagbi

Jan 20, 2023, 7:04:38 AM
to Wazuh mailing list
Hi,

[root@localhost Desktop]# ./rh-generator.sh \feed
Fetching https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=1
Fetching https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=2
Fetching https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=3
Fetching https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=4
Fetching https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=5
Fetching https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=6
Fetching https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=7
Fetching https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=8
Fetching https://access.redhat.com/labs/securitydataapi/cve.json?after=1999-01-01&per_page=1000&page=9
^C
[root@localhost Desktop]# cd feed
[root@localhost feed]# ls
redhat-feed1.json  redhat-feed2.json  redhat-feed3.json  redhat-feed4.json  redhat-feed5.json  redhat-feed6.json  redhat-feed7.json  redhat-feed8.json
[root@localhost feed]#


I just tried the script now, and it worked.

Please ensure your Wazuh server has Internet access and that there is no Firewall restriction on the server.


I hope this helps.

Regards,
Openime

Just Ask

Jan 23, 2023, 2:13:32 PM
to Wazuh mailing list
The server has Internet access behind a proxy, but I was able to use the nvd-generator and I can get to the Red Hat feed website from the server; the rh-generator.sh script just doesn't work, it can't make a connection. Not sure what the difference would be. I did test the script without firewall settings and received the same error.

Openime Oniagbi

Jan 24, 2023, 3:26:52 AM
to Wazuh mailing list
Hi, 

The script works, so it is definitely a connection problem.

I have attached the script in case the one you're using has an error. Please run this on your host machine and send me the output if you still encounter errors.

Regards,
Openime
rh-generator.sh

Just Ask

Jan 25, 2023, 11:23:11 AM
to Wazuh mailing list
Still no luck, but I did find the issue. I traced the URL and found that it is leaving the country and connecting in Germany; our company has geolocation restrictions, so it is being blocked. Is there another way of getting the feeds to load into Wazuh?

Openime Oniagbi

Jan 25, 2023, 12:02:27 PM
to Wazuh mailing list
Hi,

You can download the files to a machine or server without those geo-location restrictions, and then copy the files to the Wazuh server.

Then, you can configure Wazuh to fetch the files using the path option.

<provider name="redhat">
   <enabled>yes</enabled>
   <os path="/local_path/com.redhat.rhsa-RHEL5.xml.bz2">5</os>
   <os path="/local_path/rhel-6-including-unpatched.oval.xml.bz2">6</os>
   <os path="/local_path/rhel-7-including-unpatched.oval.xml.bz2">7</os>
   <os path="/local_path/rhel-8-including-unpatched.oval.xml.bz2">8</os>
   <os path="/local_path/rhel-9-including-unpatched.oval.xml.bz2">9</os>
   <update_interval>1h</update_interval>
</provider>

I hope this helps.

Regards,
Openime
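Two things in this thread bit the poster before the manager would even start: a provider block repeated without its <os> tag ("'os' tag required for 'debian' provider"), and offline feed files referenced by path. The following is an added example, not Wazuh's own tooling, that checks a <vulnerability-detector> fragment for both before the service is restarted. The set of providers treated as requiring <os> is an assumption drawn from the error quoted above and the provider blocks in the thread; the sample fragment is constructed from the thread's configuration.

```python
"""Sanity-check <vulnerability-detector> providers in an ossec.conf fragment.

Added example, not Wazuh tooling. It reproduces two checks wazuh-modulesd
applies at startup (duplicate provider, missing <os>) and adds one it
cannot: that every offline feed path actually exists on the manager.
"""
import os
import xml.etree.ElementTree as ET

# Assumption: providers that need at least one <os> entry. 'debian' is the
# case from the error in the thread; the others are the per-release
# providers shown in the thread's configuration.
OS_REQUIRED = {"canonical", "debian", "redhat", "alas"}

# Constructed fragment: the thread's configuration with the second
# 'debian' provider (the one that caused the startup error) still present.
SAMPLE_CONF = """\
<vulnerability-detector>
  <enabled>yes</enabled>
  <provider name="debian">
    <enabled>yes</enabled>
    <os path="/root/debian/oval-definitions-bullseye.xml">bullseye</os>
    <os path="/root/debian/oval-definitions-buster.xml">buster</os>
  </provider>
  <provider name="debian">
    <enabled>yes</enabled>
    <path>/root/debian/json</path>
  </provider>
  <provider name="redhat">
    <enabled>yes</enabled>
    <os path="/root/redhat/rhel-8-including-unpatched.oval.xml.bz2">8</os>
  </provider>
</vulnerability-detector>
"""


def check_providers(conf_xml, exists=os.path.isfile):
    """Return a list of findings; an empty list means the block passes.

    `exists` is injectable so the check can run against a fixture
    instead of the real filesystem.
    """
    root = ET.fromstring(conf_xml)
    findings = []
    seen = set()
    for prov in root.iter("provider"):
        name = prov.get("name", "<unnamed>")
        if name in seen:
            findings.append(f"provider '{name}' is defined more than once")
        seen.add(name)
        os_entries = prov.findall("os")
        if name in OS_REQUIRED and not os_entries:
            # Same condition wazuh-modulesd rejected in the thread.
            findings.append(f"'os' tag required for '{name}' provider")
        # Offline feeds: every referenced file must exist for the manager.
        paths = [o.get("path") for o in os_entries if o.get("path")]
        paths += [p.text.strip() for p in prov.findall("path") if p.text]
        for path in paths:
            if not exists(path):
                findings.append(f"provider '{name}': feed file not found: {path}")
    return findings


if __name__ == "__main__":
    for finding in check_providers(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```

Point it at the real file by reading /var/ossec/etc/ossec.conf and passing the <vulnerability-detector> element's text to check_providers.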