Upgrade 4.8.0 - Vulnerability detection seems to be disabled or has a problem

Geral Longra

Jun 26, 2024, 9:32:19 AM
to Wazuh | Mailing List

After updating to the new version I got the following error 'Vulnerability detection seems to be disabled or has a problem'

Error.png


Steps taken:

1 -  Changing indexer in ossec.conf file;
2 -  Changing the certs file name;

Indexer + Certificates.PNG

Certs.PNG

Stuti Gupta

Jun 27, 2024, 1:28:35 AM
to Wazuh | Mailing List
Hi Geral Longra

Please verify that you have saved the Wazuh indexer username and password in the Wazuh manager keystore using the wazuh-keystore tool:
/var/ossec/bin/wazuh-keystore -f indexer -k username -v <INDEXER_USERNAME>
/var/ossec/bin/wazuh-keystore -f indexer -k password -v <INDEXER_PASSWORD>


After that, save the configuration and restart the manager/cluster using the command: systemctl restart wazuh-manager

Also, share the output of the command: cat /var/ossec/etc/ossec.conf | grep "<indexer>" -A12

If the issue persists, please share the output of the following command:
cat /var/ossec/logs/ossec.log | grep vul

Hope to hear from you soon 

Arie

Jun 27, 2024, 4:01:08 AM
to Wazuh | Mailing List
Try to look here for a summary of possible solutions.

On Wednesday, June 26, 2024 at 15:32:19 UTC+2, Geral Longra wrote:

syed saifulla

Jun 27, 2024, 7:33:10 AM
to Wazuh | Mailing List
I had a similar issue, but after following the GitHub link the Vulnerability dashboard is something like this.

wazuh-Vul-DB.PNG

Can you suggest me here?

Geral Longra

Jun 28, 2024, 3:55:21 AM
to Wazuh | Mailing List
Thanks for your help 

root@wazuhsrv:/home/wazuh# cat /var/ossec/etc/ossec.conf | grep "<indexer>" -A12
  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://127.0.0.1:9200</host>
    </hosts>
    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/wazuh-server.pem</certificate>
      <key>/etc/filebeat/certs/wazuh-server-key.pem</key>
    </ssl>
  </indexer>


root@wazuhsrv:/home/wazuh# cat /var/ossec/logs/ossec.log | grep vul
2024/06/28 07:49:34 wazuh-modulesd:vulnerability-scanner: INFO: Stopping vulnerability_scanner module.
2024/06/28 07:50:06 wazuh-modulesd:vulnerability-scanner: INFO: Starting vulnerability_scanner module.
2024/06/28 07:50:08 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuhsrv', retrying until the connection is successful.
2024/06/28 07:50:10 wazuh-modulesd:vulnerability-scanner: INFO: Vulnerability scanner module started

Geral Longra

Jun 28, 2024, 6:43:05 AM
to Wazuh | Mailing List
/var/ossec/etc/ossec.conf :

 <vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>
  </vulnerability-detection>

root@wazuhsrv:/home/wazuh# filebeat test output
elasticsearch: https://100.0.0.243:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 100.0.0.243
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.2
    dial up... OK
  talk to server... OK
  version: 7.10.2
elasticsearch: https://127.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1
    dial up... ERROR dial tcp 127.0.0.1:9200: connect: connection refused


root@wazuhsrv:/home/wazuh# filebeat test config
Config OK




On Friday, June 28, 2024 at 11:33:46 UTC+1, Stuti Gupta wrote:
Hi Geral Longra

Everything seems to be fine. Are you still getting the same error on the dashboard? In that
Please restart wazuh-manager using the command:
systemctl restart wazuh-manager
After that, check if you have an error related to Vulnerability in ossec.conf, and share that.
Please check if Filebeat is working fine using the command:
filebeat test output

Hope to hear from you soon.

Stuti Gupta

Jul 1, 2024, 4:45:14 AM
to Wazuh | Mailing List
Hi  

Please make sure the IP address in the output.elasticsearch.hosts setting in /etc/filebeat/filebeat.yml is the same one that you used to generate the elasticsearch certificate. If you have a Wazuh indexer cluster, add a `<host>` entry for each one of your nodes. For example, in a two-node configuration:

<hosts>
  <host>https://127.0.0.1:9200</host>
  <host>https://100.0.0.243:9200</host>
</hosts>

Also restart wazuh-manager after making the changes, and the other components as well.
systemctl restart <wazuh-components>


Hope to hear from you soon 

Geral Longra

Jul 10, 2024, 11:25:04 AM
to Wazuh | Mailing List
root@wazuhsrv:/# cat etc/filebeat/filebeat.yml
# Wazuh - Filebeat configuration file
output.elasticsearch.hosts:
         - 100.0.0.243:9200
         - 127.0.0.1:9200
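
Added example, not part of any post in this thread: a shell check that lists the hosts in the `<indexer>` block of ossec.conf and reports Filebeat output hosts that the block does not list, using constructed sample files that mirror the values posted above. The function names are hypothetical, and it assumes the list-style `output.elasticsearch.hosts` shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): compare the manager's <indexer> hosts
# with the Filebeat output hosts. Function names are hypothetical.

# host:port of every <host> inside the <indexer> block of an ossec.conf
indexer_hosts() {
  sed -n '/<indexer>/,/<\/indexer>/p' "$1" |
    sed -n 's|.*<host>\(.*\)</host>.*|\1|p' |
    tr -d ' \t' | sed 's|^https\{0,1\}://||' | sort -u
}

# host:port of every list item under output.elasticsearch.hosts
filebeat_hosts() {
  awk '/^output\.elasticsearch\.hosts:/ { in_list = 1; next }
       in_list && /^[ \t]*-/ { sub(/^[ \t]*-[ \t]*/, ""); print; next }
       in_list && /^[^ \t#]/ { in_list = 0 }' "$1" |
    tr -d " \t\"'" | sed 's|^https\{0,1\}://||' | sort -u
}

# Filebeat output hosts that the <indexer> block does not list
unlisted_by_manager() {
  configured=$(indexer_hosts "$1")
  filebeat_hosts "$2" | while read -r h; do
    printf '%s\n' "$configured" | grep -Fxq -- "$h" || printf '%s\n' "$h"
  done
}

# Constructed sample input mirroring the values posted in this thread
sample_dir=$(mktemp -d)
cat > "$sample_dir/ossec.conf" <<'EOF'
  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://127.0.0.1:9200</host>
    </hosts>
  </indexer>
EOF
cat > "$sample_dir/filebeat.yml" <<'EOF'
output.elasticsearch.hosts:
         - 100.0.0.243:9200
         - 127.0.0.1:9200
EOF

# Pass the real files as arguments; the constructed samples are the default
ossec_conf=${1:-$sample_dir/ossec.conf}
filebeat_yml=${2:-$sample_dir/filebeat.yml}
echo "indexer connector hosts:"; indexer_hosts "$ossec_conf"
echo "Filebeat hosts missing from <indexer>:"
unlisted_by_manager "$ossec_conf" "$filebeat_yml"
```

On a real manager, run it with /var/ossec/etc/ossec.conf and /etc/filebeat/filebeat.yml as the two arguments.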
