vulnerability-detection is not populating alerts.json


Wugu Tech

Sep 20, 2024, 8:33:20 AM
to Wazuh | Mailing List
Wazuh = 4.9.0 (OVA)
/var/ossec/bin/wazuh-agentd -V = 4.9.0

I just did a fresh install and added an Alma 9.3 agent.
I use Splunk UF to forward /var/ossec/logs/alerts/alerts.json.
In Wazuh-web/vulnerability-detection/agent-name it shows hundreds of counts; I did a test dnf update, and now everything is gone, but alerts.json is not populated.

I do not see alerts.json contain any alert around vulnerability-detection, but others are fine and indexed/searchable as usual.

Before the 4.9.0 test, I deployed Wazuh = 4.8.1 (OVA), same condition; I have not done anything at the .conf or custom file level.
I got this 1 event as an example out of 28 only (Windows 11), but in Wazuh-web/vulnerability-detection/agent-name it shows hundreds instead:

{"timestamp":"2024-09-15T03:55:10.308+0000","rule":{"level":10,"description":"CVE-2007-3282 affects Microsoft Office Home and Student 2021 - en-us","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"COMPUTERNAME","ip":"192.168.194.86"},"manager":{"name":"wazuh-server"},"id":"1726372510.901496","decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"mitre","cve":"CVE-2007-3282","cvss":{"cvss2":{"base_score":"7.800000","vector":{"access_complexity":"LOW","authentication":"NONE","availability":"COMPLETE","confidentiality_impact":"NONE","integrity_impact":"NONE"}}},"enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package default status","name":"Microsoft Office Home and Student 2021 - en-us","source":" ","version":"16.0.17928.20156"},"published":"2007-06-19T22:30:00Z","rationale":"Buffer overflow in the Microsoft Office MSODataSourceControl ActiveX object allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long argument to the DeleteRecordSourceIfUnused method.","reference":"http://osvdb.org/38471, http://www.securitytracker.com/id?1018251, https://exchange.xforce.ibmcloud.com/vulnerabilities/34849, https://www.exploit-db.com/exploits/4067","severity":"High","status":"Active","title":"CVE-2007-3282 affects Microsoft Office Home and Student 2021 - en-us","type":"Packages","updated":"2017-10-11T01:32:44Z"}},"location":"vulnerability-detector"}

Am I missing something?
I'm sorry it's not much info, but that's all; it should be enough and super clear 🙏🙏🙏

Jorest Brice Tankoua Njassep

Sep 23, 2024, 12:00:21 PM
to Wazuh | Mailing List
Hello,

By default the vulnerability detection module runs every 60m; it's possible to edit this with https://documentation.wazuh.com/current/proof-of-concept-guide/poc-vulnerability-detection.html#configuration . Also, alerts in `/var/ossec/logs/alerts/alerts.json` are populated by the `syscollector` wodle found in `/var/ossec/etc/ossec.conf` under the Wazuh manager. You can follow this guide to ensure it is properly configured based on your needs: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/wodle-syscollector.html#syscollector-interval

Sorry for the delay

Best regards.

brice

Sebastian Falcone

Sep 23, 2024, 3:38:19 PM
to Wazuh | Mailing List
Hi Wugu, Jorest's response is not 100% accurate.

In 4.8.0 the vulnerability detector module was refactored and some functionalities changed from its predecessor. You now have two tabs in the vulnerability detector dashboard: Inventory (active vulnerabilities) and Events (alerts).
  • The Inventory section contains all active vulnerabilities. Once you solve a vulnerability and a scan happens (this is triggered by syscollector), the entry for that vulnerability will disappear.
  • The Events section refers to events that happen after the first scan. The first scan happens once you initialize the module for the first time and serves as a baseline; this DOESN'T generate alerts, and that's why you are not seeing alerts despite having active vulnerabilities.
    • Events that can trigger alerts are:
      • Solved vulnerabilities -> due to a package / OS upgrade or package deletion
      • New active vulnerabilities -> due to a package / OS upgrade or package installation
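Since the Inventory count and the alert count measure different things (baseline state vs. post-baseline change events), a quick way to check what the vulnerability detector has actually written to alerts.json is to filter that file for the `vulnerability-detector` rule group and tally the events by status and agent. The script below is an added example, not code from the thread or from Wazuh; it assumes the alert layout of the 4.8.1 alert quoted earlier in the thread (`rule.groups`, `data.vulnerability.cve/status/package`), and it assumes that a solved vulnerability is reported with `status` set to `Solved` (an assumption, labelled in the code). The sample lines are constructed, not captured from a real manager.

```python
import json
import sys
from collections import Counter

VULN_GROUP = "vulnerability-detector"  # rule group seen in the quoted alert

# Constructed sample lines shaped like the alert quoted in the thread
# (trimmed to the fields the summary reads). The "Solved" record and the
# placeholder rule id / CVE in it are assumptions, not values from the thread.
SAMPLE_ALERTS = [
    json.dumps({
        "timestamp": "2024-09-15T03:55:10.308+0000",
        "rule": {"level": 10, "id": "23505", "groups": [VULN_GROUP],
                 "description": "CVE-2007-3282 affects Microsoft Office Home and Student 2021 - en-us"},
        "agent": {"id": "001", "name": "COMPUTERNAME"},
        "data": {"vulnerability": {"cve": "CVE-2007-3282", "severity": "High", "status": "Active",
                                   "package": {"name": "Microsoft Office Home and Student 2021 - en-us",
                                               "version": "16.0.17928.20156"}}},
        "location": VULN_GROUP,
    }),
    json.dumps({  # constructed: a change event after a package upgrade (status value assumed)
        "timestamp": "2024-09-20T08:10:00.000+0000",
        "rule": {"level": 3, "id": "RULE_ID_PLACEHOLDER", "groups": [VULN_GROUP],
                 "description": "CVE-0000-0000 was solved on alma9"},
        "agent": {"id": "002", "name": "alma9"},
        "data": {"vulnerability": {"cve": "CVE-0000-0000", "severity": "Medium", "status": "Solved",
                                   "package": {"name": "example-pkg", "version": "1.0-2"}}},
        "location": VULN_GROUP,
    }),
    json.dumps({  # constructed: an unrelated alert that must be ignored
        "timestamp": "2024-09-20T08:11:00.000+0000",
        "rule": {"level": 5, "id": "5710", "groups": ["syslog", "sshd", "authentication_failed"]},
        "agent": {"id": "002", "name": "alma9"},
        "location": "/var/log/secure",
    }),
    "{\"timestamp\": \"2024-09-20T08:12",  # a torn line, as seen when tailing a file mid-write
]


def parse_vuln_alerts(lines):
    """Yield one compact record per vulnerability-detector alert; skip everything else."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            alert = json.loads(raw)
        except json.JSONDecodeError:
            continue  # partial or corrupted line: ignore rather than abort the scan
        if VULN_GROUP not in alert.get("rule", {}).get("groups", []):
            continue
        vuln = alert.get("data", {}).get("vulnerability", {})
        yield {
            "timestamp": alert.get("timestamp", "?"),
            "agent": alert.get("agent", {}).get("name", "?"),
            "cve": vuln.get("cve", "?"),
            "package": vuln.get("package", {}).get("name", "?"),
            "severity": vuln.get("severity", "?"),
            "status": vuln.get("status", "?"),
        }


def summarize(lines):
    """Count vulnerability-detector alerts by status and by agent."""
    events = list(parse_vuln_alerts(lines))
    return {
        "total": len(events),
        "by_status": dict(Counter(e["status"] for e in events)),
        "by_agent": dict(Counter(e["agent"] for e in events)),
        "events": events,
    }


def summarize_file(path):
    """Summarize a real alerts.json (one JSON object per line)."""
    with open(path, encoding="utf-8") as fh:
        return summarize(fh)


if __name__ == "__main__":
    # Usage: python vuln_alerts.py [/var/ossec/logs/alerts/alerts.json]
    result = summarize_file(sys.argv[1]) if len(sys.argv) > 1 else summarize(SAMPLE_ALERTS)
    print(f"vulnerability-detector alerts: {result['total']}")
    print("by status:", result["by_status"])
    print("by agent: ", result["by_agent"])
    for e in result["events"]:
        print(f"  {e['timestamp']} {e['agent']:<14} {e['status']:<7} {e['severity']:<8} {e['cve']} ({e['package']})")
```

Run it against the manager's alerts.json after a `dnf update` on the agent and a subsequent syscollector scan; a total of zero with a non-empty Inventory tab is consistent with the baseline-only situation described above, while Solved and newly Active records appearing only after package changes matches the event semantics of the refactored module.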
