Wazuh Vulnerability not show "Solved"


Henrique Avelino

Jan 16, 2023, 11:43:21 AM
to Wazuh mailing list
Hi everyone,

The vulnerability scan works well. It scans and presents the available vulnerabilities. I fixed them all, and Wazuh identifies that there are no more vulnerabilities available, but it does not show me "status:solved", just "status:Active".

How can I fix it? I need it to be marked as solved.

Federico Damian Lo Iacono

Jan 16, 2023, 2:58:58 PM
to Wazuh mailing list
Hi Henrique, thanks for using Wazuh!

If you go to your agents' `Security events` section and search for Rule ID `23502`, do any alerts relating to patching the vulnerabilities show up? It's possible that the alerts were not generated, even if the vulnerabilities were fixed.

Regards.

Henrique Avelino

Jan 17, 2023, 6:31:18 AM
to Wazuh mailing list
Hi Federico,

Thanks for answering.

I didn't find any alerts with ID 23502, is that the problem? I have 200+ agents and I didn't see any alerts for that ID.

How can I fix it? 

Federico Damian Lo Iacono

Jan 17, 2023, 10:05:48 AM
to Wazuh mailing list
Hi Henrique,

That could be it. ID 23502 is fired when a vulnerability is solved. The other possibility that occurs to me is that a full scan of the agents has not been performed since patching the vulnerable packages. Did you perhaps follow this guide or this proof of concept when setting up vulnerability detection?

A sample of the manager's `/var/ossec/etc/ossec.conf` file (with sensitive data obscured) and `/var/ossec/etc/shared/default/agent.conf` could help with diagnosing what is going on. Could you please provide these?

Thanks!

Henrique Avelino

Jan 17, 2023, 10:43:20 AM
to Wazuh mailing list
Hi Federico,

You solved my problem.

I record the logs from level 6 (`<log_alert_level>6</log_alert_level>`), and ID 23502 is level 3.
I made a custom rule override to level 7 and now it has started logging some "Solved" logs. I'll follow it throughout the day and I'll update you.

Thanks a lot.

Federico Damian Lo Iacono

Jan 17, 2023, 10:47:35 AM
to Wazuh mailing list
It's my pleasure, Henrique.

Hugo Santos

Jul 10, 2023, 9:44:37 AM
to Wazuh mailing list
I have the same issue.

So in order to overcome it, I need to lower the log alert level to the ID 23502 value (3).
Or raise rule 23502 to meet my ossec.conf alert log level, right?
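
The mismatch discussed in this thread (a `log_alert_level` of 6 against rule 23502 at level 3) can be checked offline. The following is an added example, not written by any poster in this thread and not Wazuh project code: it compares the manager's alert threshold with each rule's effective level and lists the rules that will never be logged. The sample XML is constructed, the function names are hypothetical, and the fallback threshold of 3 is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs, not the real files from this thread.
OSSEC_CONF = """<ossec_config>
  <alerts><log_alert_level>6</log_alert_level></alerts>
</ossec_config>"""

STOCK_RULES = """<group name="vulnerability-detector,">
  <rule id="23502" level="3">
    <description>Constructed stand-in for the "solved" rule</description>
  </rule>
</group>"""

LOCAL_RULES = """<group name="local,">
  <rule id="23502" level="7" overwrite="yes">
    <description>Constructed override raising the level</description>
  </rule>
</group>"""

def _parse(text):
    # Wazuh config and rule files can hold several top-level elements,
    # so wrap them in a synthetic root before parsing.
    return ET.fromstring("<root>" + text + "</root>")

def log_alert_level(conf_text):
    node = _parse(conf_text).find(".//alerts/log_alert_level")
    # Assumption: fall back to 3 when the option is not set.
    return int(node.text.strip()) if node is not None else 3

def effective_levels(*rule_files):
    # Pass stock rules first and local rules last; a later definition
    # replaces an earlier one only when it carries overwrite="yes".
    levels = {}
    for text in rule_files:
        for rule in _parse(text).iter("rule"):
            rid = rule.get("id")
            if rid not in levels or rule.get("overwrite") == "yes":
                levels[rid] = int(rule.get("level"))
    return levels

def suppressed_rules(conf_text, *rule_files):
    # Rules whose effective level is below the threshold never reach the alert log.
    threshold = log_alert_level(conf_text)
    levels = effective_levels(*rule_files)
    return {rid: lvl for rid, lvl in levels.items() if lvl < threshold}

if __name__ == "__main__":
    print(suppressed_rules(OSSEC_CONF, STOCK_RULES))
    print(suppressed_rules(OSSEC_CONF, STOCK_RULES, LOCAL_RULES))
```

With only the stock rule, 23502 is reported as suppressed; once the level 7 override is loaded, the result is empty.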