Discrepancy in Vulnerability Count Across Endpoints — Need Guidance for Accurate Reporting


Dex Perry

Jul 24, 2025, 10:11:22 AM
to Wazuh | Mailing List

Hi Team,

I’m currently working on preparing a vulnerability report using Wazuh, and I’ve noticed something concerning. I’m monitoring 10 endpoints (mix of Windows 10, Windows 11, and Ubuntu Linux 22.04), and although they’re all maintained under the same organization with similar software and policies, the vulnerability counts vary widely across systems.

Screenshot is attached.

As you can see, some Windows systems are showing zero vulnerabilities, while others show limited counts, and the Linux system shows a very high count.

  1. Why is there such a huge difference in vulnerability detection among these endpoints?

  2. What steps should I take to ensure that all agents report vulnerabilities accurately and completely?

This is important as I’m preparing a weekly dashboard for leadership using this data, and I want to make sure I’m not missing anything due to misconfiguration or scanning issues.

Any help or pointers would be greatly appreciated.

Thanks & Regards,

Screenshot 2025-07-24 191946.png

Damian Nicastro

Jul 24, 2025, 11:11:06 AM
to Wazuh | Mailing List
Hello Dex:

I hope you are fine.
The Wazuh vulns module works with a System Inventory that runs a scan on each wazuh-agent machine every hour. This Inventory contains the OS and package versions, which are compared with the Wazuh CTI information, and based on the matches it will create a report of vulnerabilities. For more information about how Wazuh vulnerability detection (VD) works, please read:

With that being said, there might be some issues that could generate false positives. But, in order to determine this, you need to check CVE by CVE and analyze whether it is correctly reported or not on each machine. If you find some discrepancy, you can check if there are problems with the system inventory for that machine or there is an error during the run of the VD module. For the first case, you can check the line below in the wazuh-agent log. In Windows, the file is "C:\Program Files (x86)\ossec-agent\ossec.log" and on Linux machines "/var/ossec/logs/ossec.log":

2025/07/24 11:45:59 wazuh-modulesd:syscollector: INFO: Starting evaluation.

By default, the scans are done every hour. For this reason, the timestamp should not be older than one hour. If it is, probably the "syscollector" is having some issues or is disabled. You can check the config; you must have a block like the one below in the "C:\Program Files (x86)\ossec-agent\ossec.conf" file for Win and "/var/ossec/etc/ossec.conf" for Linux:
...
<!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>
...

If everything is fine, you can check for errors or warnings related to "syscollector" in the logs mentioned.
You can also check the last Inventory scan of each agent in the web UI by going to the "three lines" >> "Agents management" >> "Summary" and selecting the agent you want to check. In the top right, click on "Inventory data" and you will see when the last scan was:

2025-07-24 12_02_12-Wazuh and 10 more pages - [InPrivate] - Microsoft​ Edge.png

If everything is fine with the Inventory, you have to check for errors of the VD in all the wazuh-manager nodes:
# grep -i vulnera /var/ossec/logs/ossec.log | grep -iE 'WARN|ERROR'

Also, ensure that your wazuh-manager machine is connected to the internet to receive all the vulns repository info. If it is not connected, you must set up offline VD using this doc:
https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/configuring-scans.html#offline-vulnerability-detection

I hope this helps.
Thanks
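
A small triage script, added here as an example and not part of this thread or of Wazuh itself, that applies the checks in the reply above to an agent's ossec.log and ossec.conf: it reads the syscollector wodle, finds the last "Starting evaluation." line, flags it when it is older than the scan interval, and collects WARNING/ERROR lines from syscollector or the vulnerability module. The sample log and config are constructed, and the config is wrapped in a dummy root because an ossec.conf may contain several <ossec_config> blocks.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Agent log line: "2025/07/24 11:45:59 wazuh-modulesd:syscollector: INFO: Starting evaluation."
LOG_RE = re.compile(r"^(\S+ \S+) ([^:]+:[^:]+): (INFO|WARNING|ERROR|DEBUG): (.*)$")
TS_FMT = "%Y/%m/%d %H:%M:%S"
# Constructed sample inputs, not real agent output (the WARNING line is invented).
SAMPLE_LOG = """2025/07/24 09:30:10 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/07/24 09:30:12 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/07/24 10:05:00 wazuh-modulesd:syscollector: WARNING: Error getting package information.
"""
SAMPLE_CONF = ('<ossec_config><wodle name="syscollector"><disabled>no</disabled>'
               '<interval>1h</interval><packages>yes</packages></wodle></ossec_config>')

def parse_log(text):
    """Yield (timestamp, module, level, message) for each well-formed log line."""
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        yield datetime.strptime(m.group(1), TS_FMT), m.group(2), m.group(3), m.group(4)

def syscollector_config(conf_text):
    """(enabled, interval) of the syscollector wodle, or None if the block is absent."""
    root = ET.fromstring("<r>" + conf_text + "</r>")  # dummy root: several <ossec_config> allowed
    for w in root.iter("wodle"):
        if w.get("name") == "syscollector":
            disabled = (w.findtext("disabled") or "no").strip().lower()
            return disabled != "yes", (w.findtext("interval") or "1h").strip()
    return None

def triage(log_text, conf_text, now, max_age=timedelta(hours=1)):
    """Checks from the reply: block present and enabled, a scan started within
    max_age of `now` (datetime or TS_FMT string), no syscollector/VD warnings or errors."""
    now = datetime.strptime(now, TS_FMT) if isinstance(now, str) else now
    findings = []
    cfg = syscollector_config(conf_text)
    if cfg is None:
        findings.append("syscollector block missing from ossec.conf")
    elif not cfg[0]:
        findings.append("syscollector is disabled in ossec.conf")
    entries = list(parse_log(log_text))
    scans = [ts for ts, mod, _, msg in entries
             if mod.endswith("syscollector") and "Starting evaluation" in msg]
    if not scans:
        findings.append("no syscollector scan found in log")
    elif now - max(scans) > max_age:
        findings.append(f"last scan {max(scans):{TS_FMT}} is older than {max_age}")
    findings += [f"{lvl}: {mod}: {msg}" for _, mod, lvl, msg in entries
                 if lvl in ("WARNING", "ERROR")
                 and ("syscollector" in mod or "vulnerab" in mod.lower())]
    return findings
```

Run it against a real agent by reading ossec.log and ossec.conf into strings and passing the current time; an empty result means all three checks from the reply passed for that agent.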

Dex Perry

Jul 31, 2025, 2:02:43 AM
to Wazuh | Mailing List

Hi Damian,

Thank you for the detailed explanation. I’ve gone ahead and followed the steps you outlined, and here are my observations:

  • Those agents are active and reporting as expected.

  • The syscollector configuration is present and correctly enabled on all agents.

  • Vulnerability detection is enabled, and I can see the latest inventory scan times in the Wazuh UI.

  • I have also restarted the agent, but the affected ones still report 0 vulnerabilities.

Regarding the agent logs:

  • On Windows agents, I couldn’t find the file C:\Program Files (x86)\ossec-agent\ossec.log, but under the logs folder, I found several .log files by month.

I have attached a log file.

I haven’t configured offline vulnerability detection yet, as the manager has internet connectivity.

At this point, since the inventory and config seem fine and no errors are visible, I’m unsure why vulnerabilities aren't being populated for these agents.

Could you please advise on what else I can check or try?

Thanks again for your help.

Best regards,

logdata.txt

Dex Perry

Aug 7, 2025, 1:04:16 AM
to Wazuh | Mailing List

Hi Damian,

I hope you’re doing well. I just wanted to follow up on my previous mail regarding the vulnerability detection issue on some agents. I’ve gone through the steps you shared earlier, but the affected agents are still showing 0 vulns.

Could you please let me know if there’s anything else I can check or try?

In my previous email, I attached the logs from one of the endpoints that is showing 0 vulnerabilities.

Thanks again for your time and support.

Best regards,
