Error when querying for vulnerabilities in Wazuh 4.7.x


Fernando Gont

Jun 27, 2024, 3:24:21 AM
to Wazuh | Mailing List
Hello,

I downgraded from v4.8.0-1 to Wazuh 4.7.5-1. It seems I got virtually everything back to work... except for the vulnerability detector -- not sure if the vuln database got screwed in the upgrade/downgrade process, or whether the upgrade/downgrade process somehow uninstalled some plugin that was needed. This is the error that I get:

---- cut here ----
RequestError: Error fetching itemsWazuh API error: ERR_BAD_REQUEST - Error in wazuhdb request: Cannot execute SQL query
RequestError: Wazuh API error: ERR_BAD_REQUEST - Error in wazuhdb request: Cannot execute SQL query at settle (https://myserver.com/47502/bundles/plugin/wazuh/wazuh.plugin.js:8:20234) at XMLHttpRequest.onloadend (https://myserver.com/47502/bundles/plugin/wazuh/wazuh.plugin.js:8:25708)
---- cut here ----

Any clues regarding how to address this issue?

P.S.: I'm attaching a screenshot of how this comes up in the GUI.

Thanks!
Fernando


Screenshot 2024-06-27 at 3.35.18 AM.png

Lucas Esteban Pedrosa

Jul 1, 2024, 10:23:25 AM
to Wazuh | Mailing List
Hello, Fernando

One possibility may be that your configuration at /var/ossec/etc/ossec.conf might still have the <vulnerability-detection> and <indexer> blocks instead of the legacy <vulnerability-detector> one. If you want to check on this, here's what the configuration should look like in 4.8:


and what it'd be like on 4.7.5:


Depending on how you performed the downgrade, there's also the chance, as you mention, that something is missing. Here's a quick listing of some vulnerability-related files I can find in my 4.7.4 environment:

[root@nice-aio ossec]# find / -name "vuln*"
/sys/devices/system/cpu/vulnerabilities
/var/ossec/framework/wazuh/vulnerability.py
/var/ossec/framework/python/lib/python3.9/site-packages/api-4.7.4-py3.9.egg/api/controllers/__pycache__/vulnerability_controller.cpython-39.pyc
/var/ossec/framework/python/lib/python3.9/site-packages/api-4.7.4-py3.9.egg/api/controllers/vulnerability_controller.py
/var/ossec/framework/python/lib/python3.9/site-packages/wazuh-4.7.4-py3.9.egg/wazuh/__pycache__/vulnerability.cpython-39.pyc
/var/ossec/framework/python/lib/python3.9/site-packages/wazuh-4.7.4-py3.9.egg/wazuh/core/__pycache__/vulnerability.cpython-39.pyc
/var/ossec/framework/python/lib/python3.9/site-packages/wazuh-4.7.4-py3.9.egg/wazuh/core/vulnerability.py
/var/ossec/framework/python/lib/python3.9/site-packages/wazuh-4.7.4-py3.9.egg/wazuh/vulnerability.py
/var/ossec/queue/vulnerabilities
/usr/share/wazuh-dashboard/plugins/wazuh/server/lib/generate-alerts/sample-data/vulnerabilities.js
/usr/share/wazuh-dashboard/plugins/wazuh/server/lib/reporting/vulnerability-request.js

You can use that to compare with yours to try to identify what's missing. How did you initially upgrade and how did you do the downgrade? A general solution could be to first back up your configuration, any custom rules, decoders and logs and completely uninstall the manager, then reinstall it, but if you can identify what's missing, let me know.

Regards,
Lucas
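
Added example, not part of either post above and not Wazuh project code: a way to run the ossec.conf check suggested in the reply, reporting which vulnerability blocks are active and whether they match the installed manager version. The function names and the sample configuration are constructed for illustration, and the 4.8 cutoff is an assumption taken from the reply's 4.8 versus 4.7.5 distinction.

```python
import xml.etree.ElementTree as ET

# Block names as given in the reply above.
NEW_BLOCKS = {"vulnerability-detection", "indexer"}   # 4.8 style
LEGACY_BLOCKS = {"vulnerability-detector"}            # 4.7.x style

# Constructed sample: a config left in 4.8 form, with the legacy block commented out.
SAMPLE = """
<ossec_config>
  <!-- <vulnerability-detector><enabled>yes</enabled></vulnerability-detector> -->
  <vulnerability-detection>
    <enabled>yes</enabled>
  </vulnerability-detection>
</ossec_config>
<ossec_config>
  <indexer>
    <enabled>yes</enabled>
  </indexer>
</ossec_config>
"""


def vuln_blocks(conf_text):
    """Return the vulnerability-related blocks that are active in ossec.conf.

    ossec.conf may hold several <ossec_config> sections, so it is not a
    single-rooted XML document; wrap it in a synthetic root before parsing.
    ElementTree discards comments, so commented-out blocks are not counted.
    """
    root = ET.fromstring("<root>" + conf_text + "</root>")
    found = set()
    for section in root.iter("ossec_config"):
        for child in section:
            if child.tag in NEW_BLOCKS | LEGACY_BLOCKS:
                found.add(child.tag)
    return found


def mismatched_blocks(conf_text, manager_version):
    """Blocks present in the config that do not belong to manager_version.

    Assumption: 4.8 and later use the new blocks, earlier releases the legacy one.
    """
    major, minor = (int(p) for p in manager_version.lstrip("v").split(".")[:2])
    unexpected = NEW_BLOCKS if (major, minor) < (4, 8) else LEGACY_BLOCKS
    return sorted(vuln_blocks(conf_text) & unexpected)


if __name__ == "__main__":
    print(mismatched_blocks(SAMPLE, "4.7.5-1"))
```

To check a real manager, pass the contents of /var/ossec/etc/ossec.conf as `conf_text`; an empty list means the active blocks match the version.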