WAZUH Vulnerability detector seems to be disabled after upgrade to 4.8


Albert Waweru

Jun 12, 2024, 7:52:23 PM
to Wazuh | Mailing List
Hi there, I have followed the upgrade section to upgrade Wazuh from 4.7 to the latest version 4.8. I followed the upgrade guide documentation and everything is going on fine but I can't seem to access the vulnerability detector functionality. Please help.
Below is the Wazuh config.

wazuh-config.txt

Albert Waweru

Jun 12, 2024, 7:55:35 PM
to Wazuh | Mailing List
Screenshot 2024-06-13 at 02-54-57 Wazuh - Wazuh.png

Matias Pereyra

Jun 12, 2024, 8:08:05 PM
to Wazuh | Mailing List
Hello!

The configuration block of the scanner seems OK, but the indexer connector is in charge of reporting the vulnerabilities to the indexer and the IP isn't set in your file.

  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://<IP>:9200</host>
    </hosts>
    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
      <key>/etc/filebeat/certs/filebeat-key.pem</key>
    </ssl>
  </indexer>


Please update the host tag with the right indexer node IP and restart your manager.

Regards.

Pablo Di Genaro

Jun 13, 2024, 4:26:36 AM
to Albert Waweru, Wazuh | Mailing List
Hi Albert, you need to take a look into indexer tags in ossec.conf.

It seems there may have been a misconfiguration that occurred during the Wazuh upgrade.

To fix it, set the appropriate values for <host> with your indexer IP and validate the certificates, because they also changed to default values.

Don't forget also to upgrade agents to 4.8.0.


  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://<IP>:9200</host>
    </hosts>
    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
      <key>/etc/filebeat/certs/filebeat-key.pem</key>
    </ssl>
  </indexer>


Good luck 🤞 



Albert Waweru

Jun 13, 2024, 8:10:41 AM
to pdig...@gmail.com, wa...@googlegroups.com

I removed the IP address for brevity but still it doesn't work.

Matias Pereyra

Jun 13, 2024, 9:26:54 AM
to Wazuh | Mailing List

Hi again.

Could you provide the ossec.log file from the Wazuh server? We might find related error or warning messages.

Another test you can do in this case is to confirm that the IP and certificates in the Wazuh server are valid to connect with the Indexer. Replace in this command the Indexer IP and the path to the certificates you have in ossec.conf:

curl --cacert /etc/ssl/root-ca.pem --cert /etc/ssl/filebeat.pem --key /etc/ssl/filebeat.key -u admin:SecretPassword https://wazuh.indexer:9200

Regards.

Albert Waweru

Jun 13, 2024, 3:20:13 PM
to Wazuh | Mailing List
That is my ossec conf and the output of the curl command

filebet.png
ossec.log

Matias Pereyra

Jun 13, 2024, 7:40:54 PM
to Wazuh | Mailing List
In the screenshot I see that the certificates aren't found in that path, I shared just an example.
This is the command updated with the right values taken from the ossec.conf file you've shared above

curl --cacert /etc/filebeat/certs/root-ca.pem --cert /etc/filebeat/certs/filebeat.pem --key /etc/filebeat/certs/filebeat-key.pem -u admin:SecretPassword https://wazuh.indexer:9200


I see in the ossec.log file that the indexer connector is unable to properly sync some agents, so it's very likely that the Wazuh server is missing the credentials. Have you updated the keystore?

https://documentation.wazuh.com/current/installation-guide/wazuh-server/step-by-step.html#configuring-the-wazuh-indexer-connection

/var/ossec/bin/wazuh-keystore -f indexer -k username -v <INDEXER_USERNAME>
/var/ossec/bin/wazuh-keystore -f indexer -k password -v <INDEXER_PASSWORD>

Renzo Geelhoed

Jun 14, 2024, 5:30:00 AM
to Wazuh | Mailing List
Hi,

I have the same problem, on my work instance and also my home instance.
When I do the curl command I get 
curl: (58) unable to set private key file: '/etc/filebeat/certs/filebeat.key' type PEM

Since there are my certs located and this location is in ossec.conf.

If I search for indexer errors I see this:
indexer-connector: WARNING: No username and password found in the keystore, using default values.

Kind regards,
Renzo

Renzo Geelhoed

Jun 14, 2024, 5:30:07 AM
to Wazuh | Mailing List
Hi, 
I also ran as per docs:

You must save the Wazuh indexer username and password into the Wazuh manager keystore using the Wazuh-keystore tool.

# /var/ossec/bin/wazuh-keystore -f indexer -k username -v <INDEXER_USERNAME>
# /var/ossec/bin/wazuh-keystore -f indexer -k password -v <INDEXER_PASSWORD>
This gave no errors but still no vulnerability detection.

Kind regards,
Renzo

Matias Pereyra

Jun 14, 2024, 10:18:42 AM
to Wazuh | Mailing List
Hello Renzo.

The curl error is related to a wrong file path I think.
I shared an example with this file

/etc/filebeat/certs/filebeat-key.pem

Are you sure that "/etc/filebeat/certs/filebeat.key" exists?

And about the WARNING message, something has failed with the Wazuh-keystore tool because the inserted credentials aren't being found.

What do you mean by "This gave no errors but still no vulnerability detection." ? Maybe it'd be more organized if you could open a new thread with all the information and error messages found.

Renzo Geelhoed

Jun 14, 2024, 10:37:34 AM
to Matias Pereyra, Wazuh | Mailing List
Hi Matias,
The files exist:
filebeat-key.pem  filebeat.pem  root-ca.pem

For the keystore: I did this with the user wazuh, the same user as I use to log in to the dashboard. Maybe that is not how it should be? Sorry about that, I'm still learning Wazuh.

Kind regards,
Renzo


Matias Pereyra

Jun 14, 2024, 11:42:17 AM
to Wazuh | Mailing List
Hi again.

Look carefully, because I see in the folder a filebeat-key.pem file, not a filebeat.key one.


"Sorry about that, I'm still learning Wazuh."

No problem! We are here to help you.

Could you try again with the user admin credentials?
The ossec.log file shows that the default values are being used, then something failed in the process of inserting them. 

Could you upload the ossec.log file?

Albert Waweru

Jun 14, 2024, 11:56:52 AM
to matias....@wazuh.com, wa...@googlegroups.com

Is there any update on my problem regarding vulnerability detection after upgrading? I kinda need it to run vulnerability detection



Matias Pereyra

Jun 14, 2024, 1:15:01 PM
to Wazuh | Mailing List
Albert, I started answering the other user questions, but the last thing I recommended to debug the problem is to run the curl command.
This helps us to know if the certificates and credentials are right.

Then, the next step is to make sure the configuration uses the validated certificates and credentials that we validated.
- Run the test command and post the result
- Confirm the path of the certs in your configuration file
- Verify the credentials of the keystore




Donatas Kalvaitis

Jun 17, 2024, 3:30:44 AM
to Wazuh | Mailing List
Hi, my issue is related to the same problem. 9200 is listening on localhost only. How and where to change it in order to start listening on the normal IP?


Screenshot 2024-06-17 102950.png

Renzo Geelhoed

Jun 17, 2024, 3:30:52 AM
to Wazuh | Mailing List
I just restored a snapshot and ran the upgrade as per the upgrade docs. Result is almost the same but now the Office 365 integration did not get any info. I adjusted the indexer ip in the ossec.conf and that did the job for this.
I still cannot get the vulnerability to work.
It looks like something with the SSL certs, curl is not able to verify or it does not like the certs. But I cannot find how to solve this.

Kind regards,
Renzo


Renzo Geelhoed

Jun 17, 2024, 3:33:14 AM
to Wazuh | Mailing List
Hi, 
I get this curl error:

curl: (58) unable to set private key file: '/etc/filebeat/certs/filebeat.key' type PEM

Indeed there is no filebeat.key file. 
How can I add this?

Kind regards,
Renzo.
Sorry to Albert for hijacking his thread, I thought we have the same issue.

Donatas Kalvaitis

Jun 17, 2024, 8:55:20 AM
to Wazuh | Mailing List
Any help on my issue?

Albert Waweru

Jun 18, 2024, 3:43:15 AM
to Wazuh | Mailing List
Is there a fix for the vulnerability detector or should I use from version 4.7?

Albert Waweru

Jun 18, 2024, 4:29:54 AM
to Wazuh | Mailing List
I tried using the offline mode from this link but it doesn't work. The same case applies for using the vulnerability detector for version 4.7.

Please help

Matias Pereyra

Jun 18, 2024, 10:16:26 AM
to Wazuh | Mailing List
Hi everyone.

Donatas Kalvaitis: please create another thread to properly help you.
Renzo Geelhoed: please create another thread to properly help you.

Albert Waweru: please follow these steps and share the result. The offline update can be configured once we know vulnerability detector is properly working.

- What is the output of this command? 
curl --cacert /etc/filebeat/certs/root-ca.pem --cert /etc/filebeat/certs/filebeat.pem --key /etc/filebeat/certs/filebeat-key.pem -u admin:SecretPassword https://wazuh.indexer:9200
- Can you confirm that the certificates' path is right in ossec.conf?
- Did you set the right credentials in the keystore?

Regards.

Albert Waweru

Jun 18, 2024, 11:41:20 AM
to Matias Pereyra, Wazuh | Mailing List
The output of the command is as follows. It seems that there is no certificate file for filebeat. I did set the right credentials in the keystore since I didn't receive any error message.
What should I do about the missing filebeat cert?

filebeat-ssl-error.png
filebeat.png

Matias Pereyra

Jun 18, 2024, 7:31:56 PM
to Wazuh | Mailing List
Hello again, we are making progress.

Considering what you're showing, it's required to update the ossec.conf file with the right certificates' paths. So:
- Change filebeat.pem by wazuh-1.pem
- Change filebeat-key.pem by wazuh-1-key.pem

Then restart the manager, and check in ossec.log that there aren't ERROR or WARNING messages
cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"

Regards.
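
A preflight check for the steps discussed above (confirm the host and the certificate paths in the <indexer> block of ossec.conf), as an added example that is not part of the original thread or Wazuh's own tooling. The function names and the OK/FAIL output format are made up for illustration, and /var/ossec/etc/ossec.conf in the usage line is assumed to be the manager's configuration path.

```shell
#!/bin/sh
# Added example (not from the thread): preflight check of the <indexer>
# block in a Wazuh manager ossec.conf. Assumes one value per line and
# paths without whitespace.

# Print the text of every <tag>...</tag> found inside <indexer>...</indexer>.
indexer_values() {
    sed -n '/<indexer>/,/<\/indexer>/p' "$1" |
        sed -n "s:.*<$2>\(.*\)</$2>.*:\1:p"
}

# Report OK/FAIL per host and certificate file; return 1 on any FAIL.
check_indexer_conf() {
    conf=$1
    rc=0
    hosts=$(indexer_values "$conf" host)
    [ -n "$hosts" ] || { echo "FAIL no <host> in the <indexer> block"; rc=1; }
    for h in $hosts; do
        case $h in
            *'<'*|*'>'*|https://:*)
                echo "FAIL host still a placeholder: $h"; rc=1 ;;
            https://?*)
                echo "OK   host $h" ;;
            *)
                echo "FAIL host is not an https:// URL: $h"; rc=1 ;;
        esac
    done
    for tag in ca certificate key; do
        for f in $(indexer_values "$conf" "$tag"); do
            if [ -r "$f" ]; then
                echo "OK   $tag $f"
            else
                echo "FAIL $tag not found or unreadable: $f"; rc=1
                # Show what is in that directory, to spot the real names.
                ls "$(dirname "$f")"/*.pem 2>/dev/null | sed 's/^/     present: /'
            fi
        done
    done
    return $rc
}

# Usage: sh check_indexer.sh /var/ossec/etc/ossec.conf
if [ "$#" -gt 0 ]; then check_indexer_conf "$1"; fi
```

A FAIL on certificate or key with other .pem files listed as present is the situation resolved in this thread: the configured names did not match the files on disk.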

Albert Waweru

Jun 19, 2024, 5:15:54 AM
to Matias Pereyra, Wazuh | Mailing List
It worked. Thank you so much

Matias Pereyra

Jun 19, 2024, 2:23:45 PM
to Wazuh | Mailing List
Great news! Thank you for the update.

Mushahid Bhat

Sep 2, 2024, 5:15:20 AM
to Wazuh | Mailing List
How can I update ossec.conf, as in my ossec.conf file I cannot find certificate files?

Matias Pereyra

Sep 2, 2024, 5:15:00 PM
to Wazuh | Mailing List
Hello Mushahid Bhat

Please create another discussion so we can properly help you.
Include your ossec.log and ossec.conf files, and more details about the installation steps you've followed, your Wazuh version, etc.

Regards.

Mushahid Bhat

Sep 4, 2024, 1:59:00 AM
to Wazuh | Mailing List

Matias Pereyra

Sep 4, 2024, 9:19:44 AM
to Wazuh | Mailing List
Thank you.

The team will reply as soon as possible.

Regards.