IT Hygiene & Vulnerability Detection showing error

[ARUN S]

Hi,

I have cleanly installed the wazuh latest version and did the configurations as mentioned in the step by step installation but IT Hygiene & Vulnerability Detection is showing error such as :

System inventory could be disabled or has a problem

No matching indices were found for [wazuh-states-inventory-*] index pattern.

If the system inventory is enabled, then this could be caused by an error in: server side, server-indexer connection, indexer side, index creation, index data, index pattern name misconfiguration or user permissions related to read the inventory indices.

Vulnerability detection seems to be disabled or has a problem

Please check the cluster status. Also, you can check the vulnerability detection documentation.

Note: System inventory & Vulnerability detection both are in enabled state in ossec.conf.

[Stuti Gupta]

Both Wazuh Vulnerability Detector and the new IT Hygiene Dashboard (System Inventory) in version 4.13.0 rely on the Indexer connector to forward inventory data to the Wazuh indexer. https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/indexer.html

Since you mentioned that you have newly installed Wazuh, make sure that the agent is properly added. https://documentation.wazuh.com/current/installation-guide/wazuh-agent/index.html The agent’s syscollector module will collect system inventory data from that specific machine and send it to the Wazuh manager for both vulnerability detection and IT hygiene—provided the agent is installed on the endpoint.

Please ensure that the configuration is set up as shown below (add any missing entries if they are not present) in wazuh-manger 

<vulnerability-detection>
   <enabled>yes</enabled>
   <index-status>yes</index-status>
   <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>

<indexer>
   <enabled>yes</enabled>
   <hosts>
      <host>https://0.0.0.0:9200</host>
   </hosts>
   <ssl>
      <certificate_authorities>
         <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
      <key>/etc/filebeat/certs/filebeat-key.pem</key>
   </ssl>
</indexer>
Replace 0.0.0.0 with the IP address or hostname of your Wazuh indexer node. You can find this value in the Filebeat configuration file at /etc/filebeat/filebeat.yml.
output.elasticsearch.hosts:
 - 127.0.0.1:9200

Ensure that the <certificate> and <key> names match the files located in /etc/filebeat/certs/. Check the cert's name using the command:
ll /etc/filebeat/certs

Save the Wazuh indexer username and password into the Wazuh manager keystore using the Wazuh-keystore tool:
/var/ossec/bin/wazuh-keystore -f indexer -k username -v <INDEXER_USERNAME>
/var/ossec/bin/wazuh-keystore -f indexer -k password -v <INDEXER_PASSWORD>

By default, the username is admin, and the password is the same as you use to log in to the wazuh interface

Then make sure to restart the wazuh-manager: systemctl restart wazuh-manager

This should resolve the issue. In case you still face the issue, please share the:
/var/ossec/etc/ossec.conf
/var/ossec/etc/ossec.log | grep -i -E "warn|error"

Refer to :
https://documentation.wazuh.com/current/upgrade-guide/troubleshooting.html#the-vulnerability-detector-configuration-is-deprecated
https://documentation.wazuh.com/current/upgrade-guide/upgrading-central-components.html#configuring-vulnerability-detection