vulnerabilities not reporting in wazuh agents


Veera

May 5, 2026, 4:06:57 AM
to Wazuh | Mailing List

Hi,

I am raising this query after reviewing several existing discussions related to vulnerabilities not being reported.

We are currently operating a Wazuh cluster with thousands of agents. However, a set of these agents is not reporting vulnerability data.

Could you advise on the recommended starting points for troubleshooting this issue from the agent side?

For context, our environment was initially deployed with version 4.9.2 and subsequently upgraded in sequence through the following versions:
4.12.0 → 4.13.1 → 4.14.0 → 4.14.1 → 4.14.2 → 4.14.4.1.
The current running version is WAZUH_VERSION: 4.14.4-1.

Though the package details are reported below

Menu (☰)
 → Security Operations
     → IT Hygiene
         → Software

However, no entries are observed under the vulnerabilities section (Critical/High/Medium/Low).

Additionally, executing the following command on the master node managing the agent:

grep "vulnerability-detector" /var/ossec/logs/ossec.log | grep "Agent <YOUR_AGENT_ID>"

returns no output, including when reviewing logs under /var/ossec/logs/wazuh/2026/Apr/*.

In this scenario, what would be the recommended next step for troubleshooting?

Stuti Gupta

May 5, 2026, 5:08:02 AM
to Wazuh | Mailing List
Hi Veera

The syscollector module is enabled by default on all agents in the ossec.conf file. Please make sure to follow this https://documentation.wazuh.com/current/upgrade-guide/upgrading-central-components.html#configuring-vulnerability-detection

To diagnose the issue, share possible error or warning messages on the affected agents:
grep -iE 'sync|error|warn' /var/ossec/logs/ossec.log
Also, share the OS details of the affected agent.

Please check the ossec.log from the manager:
grep -iE 'sync|error|warn' /var/ossec/logs/ossec.log
In the logs, if there is an error: "indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh', retrying until the connection is successful."
This could happen if the configuration is not correct. Make sure you have followed all the steps.

In case you have these errors:
2025/10/20 08:56:30 indexer-connector: ERROR: Could not connect to server, status code: -1.
2025/10/20 08:56:30 indexer-connector: WARNING: Failed to sync agent

This error indicates that the indexer connector that is responsible for the IT hygiene indices is sometimes not able to update, as it cannot connect and sync.
Also, can you please confirm the wazuh-indexer status is active?
If it is, then check.

Query the indexer’s health with Indexer management > Dev Tools:
GET _cluster/health

The cluster status must be:
Wazuh v4.8.0–v4.9.0: green
Wazuh v4.9.1 and later: green or yellow

If everything is working fine, then please enable debug logs: set wazuh_modules.debug=2 in /var/ossec/etc/local_internal_options.conf, then restart the wazuh-manager using the command systemctl restart wazuh-manager

Then check and share the logs related to the vulnerability. You can use the following command:
cat /var/ossec/logs/ossec.log | grep vuln

Also, verify the certificates are valid using the following command and share the output
curl -u <user>:<pass> --cacert <path.pem> --cert <path-client.pem> --key <path-client-key.pem> -X GET "https://<IP>:9200/_cluster/health"

The paths to the certs are defined in the ossec.conf file, under the <indexer> section. 

Veera

May 6, 2026, 12:29:50 AM
to Wazuh | Mailing List
> Also, verify the certificates are valid using the following command and share the output
> curl -u <user>:<pass> --cacert <path.pem> --cert <path-client.pem> --key <path-client-key.pem> -X GET "https://<IP>:9200/_cluster/health"
>
> The paths to the certs are defined in the ossec.conf file, under the <indexer> section.

What is the username and password to be used?  
Is that command to be executed from the agent or from the master server?

Md. Nazmur Sakib

May 7, 2026, 3:15:06 AM
to Wazuh | Mailing List

The username or password will be your indexer user password.

You can use the user admin and the admin user password that you use to log in to the dashboard.


Ex:

curl -u admin:Your_admin_Pass --cacert /etc/filebeat/certs/root-ca.pem --cert <path-client.pem> --key <path-client-key.pem> -X GET "https://<indexer_address>:9200/_cluster/health"


The paths to the certs and the indexer address you can find in the ossec.conf file, under the <indexer> section.

You need to run this command from the Wazuh manager server command line interface. If you have multiple Wazuh managers, run this on all the Wazuh manager nodes.

This way, we can verify if you have configured the <indexer> configuration correctly.

Also, share the ossec.log from the Wazuh manager’s server related to vulnerability and indexer connector. For this, run this command:

cat /var/ossec/logs/ossec.log | grep -iE "vulnerability|indexer-connector|error|warn"


This will help us understand your issue better and help you accordingly.
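
The indexer check discussed in the replies above, scripted as an added example that is not part of the thread or of Wazuh itself: it reads the host and certificate paths from the <indexer> block of ossec.conf, queries _cluster/health, and applies the green/yellow rule quoted for each version range. The function names and the sample configuration are constructed for illustration; on a manager node it would be called as `check_indexer /var/ossec/etc/ossec.conf admin 4.14.4-1`.

```shell
# First <tag> value inside <indexer>...</indexer> (first <host> only).
indexer_setting() {  # indexer_setting <ossec.conf> <tag>
    sed -n '/<indexer>/,/<\/indexer>/p' "$1" |
        sed -n "s:.*<$2>\(.*\)</$2>.*:\1:p" | head -n 1
}

# True when dotted version $1 is >= $2.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$2" ]
}

# Rule quoted in the thread: 4.8.0-4.9.0 need green, 4.9.1 and later accept
# green or yellow. A package suffix such as "-1" is stripped before comparing.
health_acceptable() {  # health_acceptable <wazuh version> <status>
    case $2 in
        green)  return 0 ;;
        yellow) version_ge "${1%%-*}" 4.9.1 ;;
        *)      return 1 ;;
    esac
}

# Extract "status" from the _cluster/health JSON on stdin.
health_status() { sed -n 's/.*"status" *: *"\([a-z]*\)".*/\1/p' | head -n 1; }

# Run on a manager node; -u gets only the user name, so curl prompts for the password.
check_indexer() {  # check_indexer <ossec.conf> <indexer user> <wazuh version>
    host=$(indexer_setting "$1" host)
    json=$(curl -sS -u "$2" --cacert "$(indexer_setting "$1" ca)" \
        --cert "$(indexer_setting "$1" certificate)" \
        --key "$(indexer_setting "$1" key)" "$host/_cluster/health") || return 2
    status=$(printf '%s' "$json" | health_status)
    echo "$host status=${status:-unknown}"
    health_acceptable "$3" "$status"
}

# Constructed sample of an <indexer> block, for trying the parser offline.
write_sample_conf() {  # write_sample_conf <path>
    cat > "$1" <<'EOF'
<indexer>
  <hosts><host>https://127.0.0.1:9200</host></hosts>
  <ssl>
    <certificate_authorities><ca>/etc/filebeat/certs/root-ca.pem</ca></certificate_authorities>
    <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
    <key>/etc/filebeat/certs/filebeat-key.pem</key>
  </ssl>
</indexer>
EOF
}
```

A return code of 2 from check_indexer means curl itself failed (connection or TLS), which is the case the certificate check in the thread is meant to expose; 1 means the cluster answered with a status that is not acceptable for the given version.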