Offline Vulnerablity detector error
Alan Baltic
2026/06/10 02:59:45 wazuh-modulesd:vulnerability-scanner: INFO: Initiating update feed process.
2026/06/10 02:59:49 rootcheck: INFO: Starting rootcheck scan.
2026/06/10 02:59:52 wazuh-modulesd:vulnerability-scanner: ERROR: Error updating feed: Invalid line found in file: queue/vd_updater/tmp/contents/vd_1.0.0_vd_4.8.0_3506289_1780915893.json.
2026/06/10 02:59:52 wazuh-modulesd:content-updater: WARNING: Offset processing failed. Triggered a snapshot download.
2026/06/10 02:59:52 wazuh-modulesd:content-updater: WARNING: Couldn't run full content download: Error -1 from server: Invalid CTI metadata format - Response body: Internal error in HTTPRequest module..
2026/06/10 02:59:52 wazuh-modulesd:content-updater: ERROR: Action for 'vulnerability_feed_manager' failed: Error -1 from server: Invalid CTI metadata format - Response body: Internal error in HTTPRequest module..
2026/06/10 03:00:10 wazuh-syscheckd: INFO: netstat not available. Skipping port check.
2026/06/10 03:00:15 rootcheck: INFO: Ending rootcheck scan.
2026/06/10 03:03:27 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2026/06/10 03:03:46 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2026/06/10 03:14:58 wazuh-modulesd:vulnerability-scanner: ERROR: VulnerabilityScannerFacade::initEventDispatcher: json exception [304]([json.exception.type_error.304] cannot use at() with null) - Event message:
This is on all my Wazuih environments (I have 3 of them)
Thanks
Bony V John
Bony V John
Hi,
I am resharing my response, as my previous response was deleted.
I tried to replicate the same scenario in my Wazuh environment by configuring vulnerability detection in offline mode, and it worked fine on my end without any issues.
Are you using the same downloaded CVE zip file across all three Wazuh environments?
It seems there may be an issue with the downloaded CVE zip file, or the package may be corrupted. This could be the reason why the vulnerability module is not working properly.
Could you please re-download the CVE package correctly on a server that has internet access, and then copy it to the Wazuh manager server as mentioned in the documentation? You can refer to the Wazuh offline vulnerability detection documentation for detailed configuration guidance.
If the issue still persists after re-downloading and applying the package, please share the Wazuh manager ossec.log file after enabling debug logging.
To enable debug logging on the Wazuh manager, open the local internal options file:
/var/ossec/etc/local_internal_options.confThen add the following configuration:
wazuh_modules.debug=2Save the file and restart the Wazuh manager:
systemctl restart wazuh-managerAfter that, wait a few minutes and share the following log file with us:
/var/ossec/logs/ossec.logThis will help us analyze the issue in more detail.
Also, please share the Wazuh manager ossec.conf file with us.
Thanks.
Alan Baltic
For downloading vulnerability files for offline use I wrote this script.
#!/bin/bash
destination_folder="/var/ossec/etc/offline-vulnerabilities"
#if [ ! -d "$destination_folder" ]; then mkdir -p $destination_folder; fi
[ ! -d "$destination_folder" ] && mkdir -p "$destination_folder"
destination="/var/ossec/etc/offline-vulnerabilities/offline-vulner.zip"
destination_download="/var/ossec/etc/offline-vulnerabilities/offline-vulner.zip-downloading"
response=$(curl -s -X GET https://cti.wazuh.com/api/v1/catalog/contexts/vd_1.0.0/consumers/vd_4.8.0 -x http://<PROXY>)
file=$(echo "$response" | jq -r '.data.last_snapshot_link')
curl -s -o $destination_download "$file" -x http://<PROXY>
rm -f $destination
mv $destination_download $destination
chown root:wazuh $destination
chmod 750 $destination
BR