Having trouble creating visualizations for SCA

[Anthony]

Good afternoon,

I'm looking to report on our SCA in a dashboard - ideally, I'd like to show each agent and their CIS benchmark score. Our Wazuh instance does have SCA enabled, and by opening the Configuration Assessment on the Home -> Overview screen, I can select any agent in our instance and see the dashboard with the detailed breakdown of items passed, failed, and the score. In server config, our SCA policy is set to scan every 12 hours (43200 seconds).

However, I'm having trouble finding anything in the Discover section to create a visualization from. rule.groups: sca  has no matches, and when I dive into rule.groups, we don't have anything listed for sca. Is there something that I'm missing?

Thank you,

Anthony

[Dennis Ariel Gamboa Veliz]

Hi Anthony,

Thanks for reaching out.

To better assist you and try to reproduce the issue on our side, could you please provide the following details?

1. What version of Wazuh are you currently using?

2. Is your environment a single-node deployment or a cluster setup?

3. Could you share the relevant ossec.log entries from both the manager and the agents, particularly those related to SCA activity?

4. Are you using the default SCA policies provided by Wazuh, or have you applied any custom policies?

Additionally, based on your description and the official Wazuh SCA configuration guide, here are a couple of suggestions:

• Ensure that your sca policy files are correctly deployed under /var/ossec/ruleset/sca/ for agents or custom paths if defined.

• You can verify the SCA module activity on the agent by enabling debug mode (wazuh_modules.debug=2) internal-options and checking whether the results are correctly reported to the manager.

Other documentation that can help you: Security Configuration Assessment (SCA)

Once we have more information, we can further investigate the issue and help you build the visualizations you need.

Best regards,
Dennis Gamboa