Indexer disabled but indexer-connector still logging failures
22 views
Skip to first unread message
Danny
Nov 4, 2025, 2:58:47 PM (yesterday) Nov 4
to Wazuh | Mailing List
Since we are using Splunk as the backend SIEM, I have the Indexer disabled:
/var/ossec/etc/ossec.conf
<indexer>
<enabled>no</enabled>
</indexer>
<enabled>no</enabled>
</indexer>
<vulnerability-detection>
<enabled>yes</enabled>
<index-status>no</index-status>
</vulnerability-detection>
<enabled>yes</enabled>
<index-status>no</index-status>
</vulnerability-detection>
However in /var/ossec/logs/ossec.log I keep seeing:
2025/11/04 19:20:29 indexer-connector: WARNING: Failed to sync agent '123' with the indexer.
I checked the docs for all the other enabled modules, and none of them have an indexer requirement/config setting. What am I missing?
Md. Nazmur Sakib
12:55 AM (14 hours ago) 12:55 AM
to Wazuh | Mailing List
Hi Danny,
The vulnerability detection module and syscollector module depend on the indexer for creating the state indices, unlike the alerts, where Wazuh sends the alert log to Filebeat to process for the indexer.
You can check these documents to learn more about how they work.
How it works - Vulnerability detection
How it works - System inventory
Even if the indexer connector is configured to be disabled in the configuration, it seems that the system inventory forces the indexer connector to run. This is a log when the <indexer> was disabled in the ossec.conf, but the indexer IP and certs were configured properly.
That is why you are getting this WARNING for the indexer connector.
For now, if you are not using wazuh indexer and you do not need indices for system inventory and vulnerability you can ignore these warnings.
I will also discuss this with the dev team about this behavior of the indexer connector module.
Let me know if you need any further information.
Reply all
Reply to author
Forward
0 new messages