Wazuh agent not scanning for vulnerabilities.

[Kevin Reyes]

Hello Wazuh Community.

I am having an issue with a Windows Server 2016 instance that does not show any vulnerability scans under the Vulnerabilities section.

The agent is active and working (running v4.3.0), but it seems like it does not perform the periodic vulnerability scan. While checking the logs under Management -> Logs and using the wazuh-modulesd:vulnerability-detector filter, it seems like Wazuh can't obtain/request the software of the agent after 5 attempts. How would I go and troubleshoot this issue, is there a way to fix this, do I have to reinstall the Wazuh agent? 

Thanks in advance.

[Miguel Angel Cazajous]

Hi Kevin,

As Marcel mentioned in the slack channel it seems to be a synchronization issue between manager and agent databases for syscollector packages. Did you see in your logs something like "Failed to get agent's sync status data" if you set wazuh DB debug to 1?

What is the output after the error you see in the vulnerability detector of the following command?

sqlite3 /var/ossec/queue/db/008.db '.headers on' 'select last_attempt, last_completion from sync_info where component = "syscollector-packages"'

Change the agent id if it is not the 8.

Regards!

[Kevin Reyes]

Hello Miguel and thank you for your response.

How can I set the Wazuh DB debug to 1? I wasn't able to find that option on the ossec.conf file of the manager. 

I tried to run the sqlite3 command on my wazuh manager instance, but it gives the following error:

sqlite3: Error: too many options: "select last_attempt, last_completion from sync_info where component = "syscollector-packages""

[Miguel Angel Cazajous]

I should have explained better where to set that option.

In your /var/ossec/etc/internal_options.conf

look for the line wazuh_db.debug and set it equal to 1 and restart your manager.

You could also set that option in /var/ossec/etc/local_internal_options.conf (which is recommended to not lose your configuration on upgrades)

And respect to the query I would like to know if those two attributes are equal or not.

I'm not sure what could be causing that error you shared. You could try without the '.headers on' option and check that the query is surrounded by single quotes and the component string with double-quotes.

[Kevin Reyes]

Hello Miguel, I don't really know what happened but it seems like the sync events worked again, so the sys_programs table inside the agent's db located in /var/ossec/queue/db/ had information containing the programs installed, so I checked again and the vulnerability scan was successful. Only thing I did yesterday was to restart both the agent on the instance and the manager. So the issue is now solved. Thank you very much for your patience and support.

[Miguel Angel Cazajous]

Glad to know that Kevin, don't hesitate to come back if you need that. Have a great day!