No events in the SCA Events section


Daniel D'Angeli

Dec 15, 2021, 5:11:42 AM
to Wazuh mailing list
Hi,

I'm looking for the specific events in the SCA module, but when I click on the Events tab it shows no results.

Also, I'm wondering where the logs for the SCA module are written on the Wazuh server.

Regards,
Daniel D.

Federico Pacher

Dec 15, 2021, 7:13:55 AM
to Wazuh mailing list

Hi Daniel, 

Thank you for using Wazuh. Could you please tell me which operating system you are using in your agents?
Which version of Wazuh agent and Wazuh manager are you using?
Could you share the <sca> configuration block of the agent to see if there is some error in the configuration? 

You can find sca logs in your Wazuh agent located in /var/ossec/logs/ossec.log.

# less /var/ossec/logs/ossec.log | grep -i 'your_sca_policy_file'

In this link, you have an example of how to properly configure the sca module.
Also, you have the official documentation here, in order to know how sca works.

I'll wait for your answer in order to help you with more details.
Regards

Daniel D'Angeli

Dec 15, 2021, 8:37:15 AM
to Wazuh mailing list
Hi Federico,

thanks for the quick response.

I'm currently using Wazuh 4.2.1, planning to upgrade in the near future.

The current configuration for the sca wodle is the following:

  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

All my agents are on Windows 10. The SCA executes normally, judging by the ossec.log, and the results are present in the Inventory tab (view attachment inventory.png), but when I click on the Events tab no results are showing (view events.png).

Regards,
Daniel D.

Daniel D'Angeli

Dec 15, 2021, 8:38:01 AM
to Wazuh mailing list
attachments
events.png
inventory.png

Federico Pacher

Dec 16, 2021, 10:38:28 AM
to Wazuh mailing list
Ok, Daniel, I will try to simulate your environment ASAP in order to give you a solution for your case.

Regards

Federico Pacher

Dec 17, 2021, 1:45:17 PM
to Wazuh mailing list
Hi Daniel, sorry for the delay.

Regarding your SCA dashboards in Kibana, they seem to be working as expected: their results are correctly displayed in the Inventory tab, so they show failed, passed, and non-applicable checks. Mind that the Events tab displays the SCA-related alerts triggered during the last 12 hours according to your configuration. Considering that the SCA module only triggers alerts when the results in a scan change from the last one, it should be expected that the SCA events for your manager are empty.

Hope this helps!

Daniel D'Angeli

Dec 20, 2021, 5:49:30 AM
to Wazuh mailing list
Hi Federico,

It's weird, because even if I search in Discover for "rule.groups: sca" nothing comes out, whereas on my test environment alerts show up.

Any tips?

Regards,
Daniel D.
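
Added example, not part of the thread and not Wazuh code: a check for whether any alert with `sca` in `rule.groups` (the field Daniel searches for in Discover) is present in a manager-side JSON alert log, which separates "no SCA alert was generated" from "alerts exist but are not reaching the dashboard". The one-object-per-line layout and every field other than `rule.groups` are assumptions, and the sample lines are constructed.

```python
import json
import sys
from collections import Counter

# Constructed sample in the one-JSON-object-per-line shape of the manager's
# alert log. Only rule.groups comes from the thread; every other field name
# and value here is an assumption made for the example.
SAMPLE_ALERTS = """\
{"timestamp": "2021-12-20T09:00:01+0000", "agent": {"name": "win10-a"}, "rule": {"groups": ["sca"]}, "data": {"sca": {"check": {"id": "1001", "result": "failed"}}}}
{"timestamp": "2021-12-20T09:00:05+0000", "agent": {"name": "win10-a"}, "rule": {"groups": ["syscheck"]}}
{"timestamp": "2021-12-20T09:01:00+0000", "agent": {"name": "win1
{"timestamp": "2021-12-20T09:02:11+0000", "agent": {"name": "win10-b"}, "rule": {"groups": ["sca"]}, "data": {"sca": {"check": {"id": "1002", "result": "passed"}}}}
{"timestamp": "2021-12-20T09:03:00+0000", "agent": {"name": "win10-b"}, "rule": {}}
"""


def sca_alerts(lines):
    """Yield parsed alerts whose rule.groups list contains "sca"."""
    for line in lines:
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or truncated line, e.g. read mid-write
        rule = alert.get("rule") if isinstance(alert, dict) else None
        groups = rule.get("groups") if isinstance(rule, dict) else None
        if isinstance(groups, list) and "sca" in groups:
            yield alert


def summarize(lines):
    """Return {agent name: (SCA alert count, newest timestamp string)}."""
    counts, newest = Counter(), {}
    for alert in sca_alerts(lines):
        agent = alert.get("agent")
        name = agent.get("name", "unknown") if isinstance(agent, dict) else "unknown"
        counts[name] += 1
        newest[name] = max(newest.get(name, ""), str(alert.get("timestamp", "")))
    return {name: (counts[name], newest[name]) for name in counts}


if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to an alert log given on the command line
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            result = summarize(fh)
    else:  # no argument: run on the constructed sample
        result = summarize(SAMPLE_ALERTS.splitlines())
    for name, (count, last) in sorted(result.items()):
        print(f"{name}: {count} SCA alert(s), newest {last}")
```

Pass the manager's JSON alert log as the argument, for example `/var/ossec/logs/alerts/alerts.json` on a default install (a path assumed here, not stated in the thread).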
