Issues Adding Vulnerability Feeds (ver 4.12 - Amazon Linux)


Chris Ark

Aug 14, 2025, 6:34:20 AM
to wa...@googlegroups.com
Hello Everyone,

I'm running into issues adding additional vulnerability feeds to my Wazuh 4.12 Amazon Linux instance. I have performed the following and let it sit for approx. 24 hrs, and it yielded zero results.
It's worth noting that Wazuh is detecting minimal application vulnerabilities:


1) I added the two additional MSU & NVD Feeds


  <vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>

    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2010</update_from_year>
      <update_interval>1h</update_interval>
    </provider>
  </vulnerability-detection>



2) Restarted the Wazuh Manager

3) Ran sudo tail -f /var/ossec/logs/ossec.log | grep vulnerability-detector (and nothing appears)

4) Ran sudo cat /var/ossec/queue/vulnerabilities/cve.db (and it returns: "No such file or directory")

5) sudo tail -f /var/ossec/logs/ossec.log   (to view the logs; this is all I'm getting:)

2025/08/14 06:12:25 wazuh-modulesd:database: INFO: Module started.
2025/08/14 06:12:25 wazuh-modulesd:download: INFO: Module started.
2025/08/14 06:12:25 wazuh-modulesd:control: INFO: Starting control thread.
2025/08/14 06:12:25 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_amazon_linux_2023.yml'
2025/08/14 06:12:25 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-vulnerabilities-wazuh-server.
2025/08/14 06:12:26 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/08/14 06:12:26 wazuh-modulesd:vulnerability-scanner: INFO: Vulnerability scanner module started.
2025/08/14 06:12:40 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_amazon_linux_2023.yml'
2025/08/14 06:12:40 sca: INFO: Security Configuration Assessment scan finished. Duration: 15 seconds.
2025/08/14 06:13:08 rootcheck: INFO: Ending rootcheck scan.

______________________________________________

Not sure what is going wrong but any insight is appreciated.

Chris


Md. Nazmur Sakib

Aug 14, 2025, 7:16:02 AM
to Wazuh | Mailing List

Hi Chris,

From 4.8 and above, the vulnerability configuration has been changed.

The configuration now looks like this:

<vulnerability-detection>
   <enabled>yes</enabled>
   <index-status>yes</index-status>
   <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>


This is not a supported configuration in Wazuh version 4.12:

    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2010</update_from_year>
      <update_interval>1h</update_interval>
    </provider>

Check this to learn more:
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/vuln-detector.html

https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/configuring-scans.html

From 4.8, Wazuh introduced the CTI feed. Now, the Wazuh manager doesn't collect feeds from individual OS feeds; it collects them from its own CTI feed.


Check these documents to learn more:
https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/how-it-works.html#wazuh-cyber-threat-intelligence-cti-platform
https://wazuh.com/blog/introducing-wazuh-4-8-0/



Follow this to configure the vulnerability detection module in 4.12.


Edit the /var/ossec/etc/ossec.conf file to include the new <vulnerability-detection> block. Remove the old <vulnerability-detector> block if it exists.


The updated configuration enables the Wazuh Vulnerability Detection module to index vulnerabilities and alerts, with the vulnerability feed refreshing every 60 minutes. Add the following block to the configuration file:



<vulnerability-detection>
   <enabled>yes</enabled>
   <index-status>yes</index-status>
   <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>


Configure the indexer block


Ensure the <indexer> block contains the details of your Wazuh indexer host. During the upgrade, a default <indexer> configuration is added under <ossec_conf> if none exists in /var/ossec/etc/ossec.conf. By default, the configuration includes one host with the IP address 0.0.0.0:



<indexer>
   <enabled>yes</enabled>
   <hosts>
      <host>https://0.0.0.0:9200</host>
   </hosts>
   <ssl>
      <certificate_authorities>
         <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
      <key>/etc/filebeat/certs/filebeat-key.pem</key>
   </ssl>
</indexer>

Replace 0.0.0.0 with the IP address or hostname of your Wazuh indexer node. You can find this value in the Filebeat configuration file at /etc/filebeat/filebeat.yml. Ensure that the <certificate> and <key> names match the files located in /etc/filebeat/certs/.


If using a Wazuh indexer cluster, add a <host> entry in the Wazuh manager /var/ossec/etc/ossec.conf file for each node in the cluster. For example, for a two-node configuration:



<hosts>
   <host>https://10.0.0.1:9200</host>
   <host>https://10.0.0.2:9200</host>
</hosts>

The Wazuh server will prioritize reporting to the first indexer node in the list and switch to the next available node if it becomes unavailable.


Store Wazuh indexer credentials


Save the Wazuh indexer username and password into the Wazuh manager keystore using the wazuh-keystore tool:



echo 'admin' | /var/ossec/bin/wazuh-keystore -f indexer -k username

echo '<admin_PASSWORD>' | /var/ossec/bin/wazuh-keystore -f indexer -k password



Let me know if you need further assistance.
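As an added example (not part of the thread and not Wazuh's own code), the following Python script applies the checks from the reply above to an ossec.conf: it flags a leftover pre-4.8 <vulnerability-detector> block, per-feed <provider> elements inside <vulnerability-detection>, a missing <enabled>/<index-status>/<feed-update-interval>, and an <indexer> block whose <host> still carries the 0.0.0.0 placeholder or lacks the <ssl> certificate entries. It assumes only the element names and defaults quoted in the thread; the sample configuration is constructed to mirror the first post.

```python
"""Static check of the <vulnerability-detection> and <indexer> blocks in a
Wazuh 4.8+ ossec.conf, following the guidance in this thread.

Added example for this thread; it is not Wazuh's own code. It assumes only the
element names and the 0.0.0.0 default that the thread itself quotes."""
import re
import xml.etree.ElementTree as ET


def parse_ossec_conf(text: str) -> ET.Element:
    """ossec.conf may contain several top-level <ossec_config> elements, which
    is not one well-formed XML document, so wrap it in a synthetic root."""
    return ET.fromstring("<root>" + text + "</root>")


def check_vuln_detection_config(text: str) -> list[str]:
    """Return human-readable findings; an empty list means both blocks match
    the 4.8+ layout described in the thread."""
    root = parse_ossec_conf(text)
    findings: list[str] = []

    # Pre-4.8 block name: it is no longer read and should be removed.
    if root.find(".//vulnerability-detector") is not None:
        findings.append("legacy <vulnerability-detector> block present; remove it")

    vd = root.find(".//vulnerability-detection")
    if vd is None:
        findings.append("no <vulnerability-detection> block found")
    else:
        for tag in ("enabled", "index-status", "feed-update-interval"):
            if vd.find(tag) is None:
                findings.append(f"<vulnerability-detection> is missing <{tag}>")
        enabled = (vd.findtext("enabled") or "").strip().lower()
        if enabled and enabled != "yes":
            findings.append(f"<vulnerability-detection> is disabled (<enabled>{enabled}</enabled>)")
        # Per-feed <provider> children belong to the pre-4.8 layout; from 4.8
        # the manager takes everything from the Wazuh CTI feed instead.
        providers = [p.get("name", "?") for p in vd.findall("provider")]
        if providers:
            findings.append("per-feed <provider> elements (" + ", ".join(providers)
                            + ") are not supported from 4.8; remove them")

    indexer = root.find(".//indexer")
    if indexer is None:
        findings.append("no <indexer> block found")
    else:
        if (indexer.findtext("enabled") or "").strip().lower() != "yes":
            findings.append("<indexer> is not enabled")
        hosts = [(h.text or "").strip() for h in indexer.findall("hosts/host")]
        hosts = [h for h in hosts if h]
        if not hosts:
            findings.append("<indexer> has no <host> entries")
        for host in hosts:
            if "0.0.0.0" in host:
                findings.append(f"indexer host {host} still uses the 0.0.0.0 placeholder; "
                                "use the indexer address from /etc/filebeat/filebeat.yml")
        for path in ("ssl/certificate_authorities/ca", "ssl/certificate", "ssl/key"):
            if indexer.find(path) is None:
                findings.append(f"<indexer> is missing <{path.split('/')[-1]}> under <ssl>")
    return findings


# Constructed sample reproducing the layout from the first post in this thread
# (a 4.12 manager with the old per-feed <provider> elements still present).
SAMPLE_CONF = """
<ossec_config>
  <vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2010</update_from_year>
      <update_interval>1h</update_interval>
    </provider>
  </vulnerability-detection>
  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://0.0.0.0:9200</host>
    </hosts>
    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
      <key>/etc/filebeat/certs/filebeat-key.pem</key>
    </ssl>
  </indexer>
</ossec_config>
"""

# The same sample with the two fixes the thread recommends applied.
FIXED_CONF = re.sub(r"\s*<provider.*?</provider>", "", SAMPLE_CONF, flags=re.S).replace(
    "0.0.0.0", "127.0.0.1")

if __name__ == "__main__":
    for label, conf in (("as posted", SAMPLE_CONF), ("after fixes", FIXED_CONF)):
        print(label + ":", check_vuln_detection_config(conf) or ["no findings"])
```

Run it against a real file with `check_vuln_detection_config(open("/var/ossec/etc/ossec.conf").read())`; the check is purely static, so it does not replace confirming that the certificate paths actually exist and match /etc/filebeat/certs/.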

Chris Ark

Aug 14, 2025, 7:20:26 AM
to wa...@googlegroups.com
And I failed to mention that I made sure the Wazuh indexer IP matched the IP addresses within the Filebeat config file and verified that the certificate paths were matching. Please see the screenshot below:

[Screenshot attachment: tempsnip.png]

Md. Nazmur Sakib

Aug 14, 2025, 7:31:36 AM
to Wazuh | Mailing List
Please update this part of the configuration.


With this:

<vulnerability-detection>
   <enabled>yes</enabled>
   <index-status>yes</index-status>
   <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>

You do not need to define each feed individually from version 4.8 and above.


After changing the configuration, restart the manager.

After that, if you still face issues, share ossec.log using this command.
sudo cat /var/ossec/logs/ossec.log | grep -i -E "vulnerability|error|warn"

Let me know the update on the issue.

Chris Ark

Aug 15, 2025, 5:43:14 AM
to Wazuh | Mailing List
Thank you so much for the return email. I have since reverted / updated the ossec file vulnerability section back to including only:

<vulnerability-detection>
   <enabled>yes</enabled>
   <index-status>yes</index-status>
   <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>


[Screenshot attachment of the saved ossec.conf: Revised.PNG]

Additionally, I have confirmed that my cert names and paths are matching between the Filebeat YAML and the ossec file.

As for the indexer IP, I'm on a single node / server (no clusters) and have the indexer IP address set to 127.0.0.1:9200 (as seen in the screenshot above). Is that loopback IP adequate, or do I need to define the ACTUAL IP address of the indexer (10.0.1.X)? If the loopback IP is sufficient, there is still something preventing me from successfully scanning for and populating Microsoft vulnerabilities.

Thank you!

Md. Nazmur Sakib

Aug 18, 2025, 12:48:35 AM
to Wazuh | Mailing List

I don't think the issue is with the vulnerability feed for Microsoft. I still need some additional information to find the root cause of the issue. Are you able to see your vulnerability from other endpoints on the Wazuh manager?


There can be many reasons why the vulnerability from this Windows agent is not updating.

You can further download an old version of the package and validate if it was detected by the Wazuh vulnerability scan.

https://www.videolan.org/vlc/releases/2.0.0.html

You can install this older version of VLC and restart the agent and the manager to start the syscollector scan and vulnerability scan immediately.
Now wait for the next scan to complete and let me know if vulnerabilities are detected. 


If you do not get any vulnerabilities in the scan, check if Syscollector is working

You can obtain this information using the API as follows (for example, from the WUI you can run the queries with the tool under Server Management -> Dev Tools):



Hotfixes: GET /syscollector/{agent_id}/hotfixes


Packages: GET /syscollector/{agent_id}/packages

Please share the output of this command from your Wazuh manager.

sudo cat /var/ossec/logs/ossec.log | grep -i -E "vulnerability|error|warn|indexer-connector"




Let me know the update on the issue.
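As an added example (not part of the thread and not Wazuh's own tooling), the following Python script parses ossec.log lines and returns what the `grep -i -E "vulnerability|error|warn|indexer-connector"` command above would print, with a per-level count and an explicit check that the vulnerability scanner and the indexer connector both reported starting. It assumes the `YYYY/MM/DD HH:MM:SS source: LEVEL: message` layout seen in the first post; the sample is built from the lines quoted there plus one constructed WARNING line.

```python
"""Parse wazuh-manager ossec.log lines and pull out what the thread's grep
("vulnerability|error|warn|indexer-connector") would show, plus a per-level
count and a check that the two relevant modules reported starting.

Added example for this thread, not Wazuh's own tooling. It assumes the
'YYYY/MM/DD HH:MM:SS source: LEVEL: message' layout shown in the thread."""
import re
from collections import Counter
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<source>\S+): (?P<level>[A-Z]+): (?P<msg>.*)$"
)
# Same case-insensitive alternation as the grep -i -E in the thread.
TRIAGE_RE = re.compile(r"vulnerability|error|warn|indexer-connector", re.I)


@dataclass
class LogEntry:
    ts: str
    source: str   # e.g. "wazuh-modulesd:vulnerability-scanner" or "indexer-connector"
    level: str    # INFO, WARNING, ERROR, ...
    msg: str


def parse_line(line: str):
    """Return a LogEntry, or None if the line does not follow the layout."""
    m = LINE_RE.match(line.strip())
    return LogEntry(**m.groupdict()) if m else None


def triage(lines):
    """Return (entries matching the triage pattern, Counter of levels, unparsed lines)."""
    hits, levels, unparsed = [], Counter(), []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            if line.strip():
                unparsed.append(line)
            continue
        levels[entry.level] += 1
        if TRIAGE_RE.search(line):
            hits.append(entry)
    return hits, levels, unparsed


def module_status(lines):
    """Did the vulnerability scanner start and did the indexer connector come up?
    The two message texts matched here are the ones quoted in the thread."""
    status = {"vulnerability_scanner_started": False, "indexer_connector_initialized": False}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        if entry.source.endswith("vulnerability-scanner") and "module started" in entry.msg.lower():
            status["vulnerability_scanner_started"] = True
        if entry.source == "indexer-connector" and "initialized successfully" in entry.msg:
            status["indexer_connector_initialized"] = True
    return status


# The first ten lines are copied from the thread; the last line is a constructed
# sample (not a real Wazuh message) so that the WARNING path is exercised.
SAMPLE_LOG = """\
2025/08/14 06:12:25 wazuh-modulesd:database: INFO: Module started.
2025/08/14 06:12:25 wazuh-modulesd:download: INFO: Module started.
2025/08/14 06:12:25 wazuh-modulesd:control: INFO: Starting control thread.
2025/08/14 06:12:25 sca: INFO: Starting evaluation of policy: '/var/ossec/ruleset/sca/cis_amazon_linux_2023.yml'
2025/08/14 06:12:25 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-vulnerabilities-wazuh-server.
2025/08/14 06:12:26 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/08/14 06:12:26 wazuh-modulesd:vulnerability-scanner: INFO: Vulnerability scanner module started.
2025/08/14 06:12:40 sca: INFO: Evaluation finished for policy '/var/ossec/ruleset/sca/cis_amazon_linux_2023.yml'
2025/08/14 06:12:40 sca: INFO: Security Configuration Assessment scan finished. Duration: 15 seconds.
2025/08/14 06:13:08 rootcheck: INFO: Ending rootcheck scan.
2025/08/14 06:13:09 indexer-connector: WARNING: constructed sample line for this example
""".splitlines()

if __name__ == "__main__":
    hits, levels, unparsed = triage(SAMPLE_LOG)
    print("levels:", dict(levels), "unparsed lines:", len(unparsed))
    for e in hits:
        print(f"{e.ts} {e.source} {e.level}: {e.msg}")
    print(module_status(SAMPLE_LOG))
```

On a real manager, feed it `open("/var/ossec/logs/ossec.log")` instead of SAMPLE_LOG; a non-empty `unparsed` list points at lines in a layout the regex does not cover, which is worth a look before trusting the counts.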

Md. Nazmur Sakib

Aug 19, 2025, 4:31:41 AM
to Wazuh | Mailing List
Hi Chris, please use "reply all" to communicate, so that other users who are facing the same issue can take assistance from it. You can replace sensitive information with dummy values or send it in private (we prefer not to send sensitive data), as needed.

For what you have shared so far, it seems to me the vulnerability detector is working properly. It is updating the feed and scanning the agent’s vulnerable packages and patches.


From my observation, it looks like you have updated patches, so no vulnerability related to Windows was detected.

If you still feel like it is not working properly, you can share the patch/package version that should be detected as vulnerable and the CVE ID of that vulnerability.

Let me know if you need any further assistance on this.

Chris Ark

Aug 19, 2025, 5:34:21 AM
to Md. Nazmur Sakib, Wazuh | Mailing List
No problem.

Thank you for reviewing my issue. My Qualys scans populate Microsoft-based vulnerabilities for these assets (ex: MS00-047).

So do you think I should spin up a VM, let's say with Windows 7 on it, and see what it populates?

Thank you,

Chris

--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/3a227719-1fd2-4f13-a92f-fbfeae31bc09n%40googlegroups.com.

Md. Nazmur Sakib

Aug 20, 2025, 12:06:57 AM
to Wazuh | Mailing List
I can assure you that the MSU feed is used during the Windows vulnerability analysis process and is currently available as part of the vulnerability feed.

You can try with Windows 7. Even if you have a Windows 10 or 11 with an older patch version, which is vulnerable according to the MSU feed, Wazuh will detect it in the vulnerability scan.

There can be some false negative detections. If you find any patch that should be detected as vulnerable as per the CVEs on the MSU feed, but Wazuh is not able to detect it, share it with us, and we will test it from our end and make the necessary changes to sanitize our feed.


Let me know if you need any further information.

Md. Nazmur Sakib

Aug 20, 2025, 12:12:33 AM
to Wazuh | Mailing List
You can check the MSU feed from the official Microsoft website:
https://msrc.microsoft.com/update-guide/vulnerability

You can check the Wazuh feed from this website:

https://cti.wazuh.com/vulnerabilities/cves

Chris Ark

Aug 20, 2025, 2:58:20 AM
to Md. Nazmur Sakib, Wazuh | Mailing List
Thank you again for your help. Really appreciate it.

infosec

Sep 24, 2025, 6:11:12 AM
to Chris Ark, Md. Nazmur Sakib, Wazuh | Mailing List
Hey, I need a small help: how did you integrate the Qualys VM with Wazuh? Is Qualys on-prem or SaaS-based? And one more thing: how do you forward Qualys scan and audit logs from Qualys on SaaS to the SIEM?
