Vulnerability Scanning Not Working V4.4.1


Patrick McLean

May 7, 2023, 9:45:19 PM
to Wazuh mailing list
I had vulnerability data come up for one agent (my laptop), but it has not updated since (the numbers have been the same for days now), and all other agents are showing 0. It is impossible that those other agents have 0 vulnerabilities.

I am seeing no errors in ossec.log. I am seeing that partial scans are completing in 0 seconds, but nothing is being reported.

I have looked at every GitHub, Google Group, and Reddit message regarding this issue and cannot find a solution. I am about ready to just scrap Wazuh and move on; this is extremely frustrating.

Anyone that can help me?

Abdullah Al Rafi Fahim

May 7, 2023, 10:29:46 PM
to Wazuh mailing list
Hello Patrick,

Thank you for sharing your query here!

To troubleshoot your issue, we need to understand whether the vulnerability-detector module has been configured properly or not.
  • To make the vulnerability-detector work, we need to ensure that the syscollector module is enabled in the agents, as the vulnerability-detector will work on the inventory data collected by syscollector.
  • We need to verify that the vulnerability-detector module is enabled along with the relevant provider sections in the Wazuh manager's ossec.conf file. In the case of a multi-node cluster, this configuration needs to be done on all the Wazuh manager nodes.
You can get the detailed steps to configure the vulnerability-detector module here: https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/configuring-scans.html and review whether it is configured properly on your end or not.

Patrick McLean

May 8, 2023, 10:38:51 AM
to Wazuh mailing list
My vuln-detector:

<vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <min_full_scan_interval>1h</min_full_scan_interval>
    <run_on_start>yes</run_on_start>

    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>
</vulnerability-detector>

Shared Agent.conf file:
<agent_config>
    <!-- Shared agent configuration here -->
    <!-- https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/running-vu-scan.html -->
    <wodle name="syscollector">
      <disabled>no</disabled>
      <interval>1h</interval>
      <scan_on_start>yes</scan_on_start>
      <hardware>yes</hardware>
      <os>yes</os>
      <network>yes</network>
      <packages>yes</packages>
      <hotfixes>yes</hotfixes>
      <ports all="no">yes</ports>
      <processes>yes</processes>
    </wodle>
</agent_config>
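
The two checks listed in the reply above (syscollector enabled on the agents, vulnerability-detector and at least one provider enabled on the manager) can be scripted. This is an added example, not part of the thread or of Wazuh itself; the function names and sample configurations are constructed for illustration, and the list of required inventory categories is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the settings quoted in this thread.
MANAGER_CONF = """<ossec_config><vulnerability-detector>
  <enabled>yes</enabled>
  <provider name="msu"><enabled>yes</enabled></provider>
  <provider name="debian"><enabled>no</enabled></provider>
</vulnerability-detector></ossec_config>"""
AGENT_CONF = """<agent_config><wodle name="syscollector">
  <disabled>no</disabled>
  <os>yes</os><packages>no</packages><hotfixes>yes</hotfixes>
</wodle></agent_config>"""

# Assumption: these are the inventory categories the detector relies on.
REQUIRED_INVENTORY = ("os", "packages", "hotfixes")

def _parse(text):
    # Wazuh config files may hold several top-level blocks, so wrap them in one root.
    return ET.fromstring("<root>" + text + "</root>")

def _val(node, tag):
    # Trimmed, lower-cased text of a child element, or None if it is absent.
    child = node.find(tag) if node is not None else None
    return (child.text or "").strip().lower() if child is not None else None

def check_manager(text):
    """Return (findings, enabled provider names) for the manager's ossec.conf."""
    vd = _parse(text).find(".//vulnerability-detector")
    if vd is None:
        return ["no <vulnerability-detector> block"], []
    findings = [] if _val(vd, "enabled") == "yes" else ["vulnerability-detector is not enabled"]
    providers = [p.get("name") for p in vd.findall("provider") if _val(p, "enabled") == "yes"]
    if not providers:
        findings.append("no provider section is enabled")
    return findings, providers

def check_agent(text):
    """Return findings for the syscollector wodle in the shared agent.conf."""
    sc = _parse(text).find(".//wodle[@name='syscollector']")
    if sc is None:
        return ["no syscollector wodle"]
    findings = ["syscollector is disabled"] if _val(sc, "disabled") == "yes" else []
    findings += [f"<{t}> is not 'yes'" for t in REQUIRED_INVENTORY if _val(sc, t) != "yes"]
    return findings

if __name__ == "__main__":
    print(check_manager(MANAGER_CONF))
    print(check_agent(AGENT_CONF))
```

On a multi-node cluster, run the manager check against the ossec.conf of every manager node.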