Vulnerability detector on Wazuh 4.8.0


Unai

Jun 14, 2024, 4:33:47 AM
to Wazuh | Mailing List
Hi everyone,
After upgrading to Wazuh 4.8.0 my vulnerability detector is not working. After checking the logs I saw this:


2024/06/14 10:16:21 wazuh-modulesd: WARNING: The 'hotfixes' option is only available on Windows systems. Ignoring it.
2024/06/14 10:16:21 wazuh-modulesd: WARNING: The 'vulnerability-detector' configuration is deprecated, please update your settings to use the new 'vulnerability-detection' instead (default values will be used based on your previous configurations). See https://documentation.wazuh.com

How can I update it? I haven't found anything in the docs.

Thanks!!

Unai

Jun 14, 2024, 4:54:12 AM
to Wazuh | Mailing List
I also get this error.
2024/06/14 10:46:21 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-*', retrying until the connection is successful.

Thanks.

Stuti Gupta

Jun 14, 2024, 6:30:52 AM
to Wazuh | Mailing List
Hi Unai,

Please make sure to update the `<vulnerability-detection>` and `<indexer>` blocks in `/var/ossec/etc/ossec.conf` in version 4.8.0. You can find the Vulnerability Detection settings in the Wazuh server configuration file at `/var/ossec/etc/ossec.conf`.
<vulnerability-detection>
   <enabled>yes</enabled>
   <index-status>yes</index-status>
   <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>

<indexer>
   <enabled>yes</enabled>
   <hosts>
      <host>https://0.0.0.0:9200</host>
   </hosts>
   <ssl>
      <certificate_authorities>
         <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
      <key>/etc/filebeat/certs/filebeat-key.pem</key>
   </ssl>
</indexer>

Replace `0.0.0.0` with the indexer IP in the Filebeat config file. For example:
output.elasticsearch.hosts:
  - 127.0.0.1:9200


Wazuh indexer node's IP address or hostname. If you have a Wazuh indexer cluster, add a `<host>` entry for each one of your nodes. For example, in a two-node configuration:
<hosts>
  <host>https://10.0.0.1:9200</host>
  <host>https://10.0.0.2:9200</host>
</hosts>


Check the certificate name:
ll /etc/filebeat/certs

Verify the Filebeat certificate name and path are correct and update the `<indexer>` block in `/var/ossec/etc/ossec.conf` accordingly.
Save the Wazuh indexer username and password into the Wazuh manager keystore using the `wazuh-keystore` tool:
/var/ossec/bin/wazuh-keystore -f indexer -k username -v <INDEXER_USERNAME>
/var/ossec/bin/wazuh-keystore -f indexer -k password -v <INDEXER_PASSWORD>

After that, save the configuration and restart the manager/cluster using the command:
systemctl restart wazuh-manager

Refer: https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/configuring-scans.html
https://documentation.wazuh.com/current/upgrade-guide/troubleshooting.html

Jethro Mic

Jun 14, 2024, 8:16:46 AM
to Wazuh | Mailing List
Hello,

Certificates have a new name:
      <certificate>/etc/filebeat/certs/wazuh-server.pem</certificate>
      <key>/etc/filebeat/certs/wazuh-server-key.pem</key>

BR

Stuti Gupta

Jun 20, 2024, 4:55:47 AM
to Wazuh | Mailing List
Hi Jethro Mic,

Please open a new thread for your issue so we can track it better; it will also help other community members.

Best regards