vulnerability-detector in Wazuh Cluster


Sergey S

Jul 31, 2023, 10:45:21 AM
to Wazuh mailing list
Hello everybody.

We have a Wazuh cluster with 5 workers and 1 master. All are version 4.4.3. We don't use a load balancer, just balancing via DNS.
I noticed the following behaviour of vulnerability-detector scans:
1. wazuh-manager starts a vulnerability-detector scan for all agents connected to this worker
2. Then, for example, some agents disconnect from this worker and connect to another worker (for some reason)
3. wazuh-manager (from step 1) still calculates vulnerabilities for these disconnected agents
4. Also, wazuh-manager compares the min_full_scan_interval setting only based on its own scans, not any other wazuh-worker's scans.
5. wazuh-manager generates alerts about found vulnerabilities and sends them to the indexer
6. BUT information about vulnerabilities doesn't go to the Wazuh API in this case.
7. So we have this picture: no latest vulnerabilities and no latest scan info for the agent in the Wazuh application, but scans and vulnerabilities actually occurred.


As I understand from the documentation, found vulnerabilities aren't in the data that the master node syncs with other workers. So every worker has its own data about vulnerabilities (including the last full scan time <min_full_scan_interval>, step 4).

Has anyone faced something like that?
Is it expected behaviour?
Thanks in advance

Sergey S

Jul 31, 2023, 11:05:07 AM
to Wazuh mailing list
Here is an example.

sudo grep vulnerability-detector /var/ossec/logs/ossec.log
2023/07/31 00:11:24 wazuh-modulesd:vulnerability-detector: INFO: (5471): Finished vulnerability assessment for agent '3521'
Information about vulnerabilities was sent to the indexer (Founded_vulns.png).
But there is no information about scans and vulnerabilities in the Wazuh application (Scans stats.png).

On Monday, July 31, 2023 at 16:45:21 UTC+2, Sergey S wrote:
Attachments: Scans stats.png, Founded_vulns.png
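The thread's symptom is that each worker keeps its own vulnerability-detector scan history, so an agent that roams between workers can have a "Finished vulnerability assessment" entry on one node while the node currently serving it (and the API) knows nothing about it. A quick way for a cluster operator to see that from the logs is to collect the vulnerability-detector lines from every worker's ossec.log and reconcile them per agent. The script below is an added example written for this thread; it is not part of the post and not Wazuh's own tooling. It parses only the "Finished vulnerability assessment" line format quoted above (agent 3521 at 2023/07/31 00:11:24 is the line from the post; every other log line and the worker names are constructed), reports the most recent finish per agent per worker, and flags agents that have been assessed on more than one worker, which is exactly the situation described in steps 1 to 3.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the "Finished vulnerability assessment" line format shown in the thread.
# Any other vulnerability-detector line is skipped.
FINISHED_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"wazuh-modulesd:vulnerability-detector: INFO: \(\d+\): "
    r"Finished vulnerability assessment for agent '(?P<agent>\d+)'$"
)

# Constructed sample: the `grep vulnerability-detector` output from each worker's
# /var/ossec/logs/ossec.log. Worker names are hypothetical. Only the 3521 line on
# worker-1 is taken from the thread; the rest is made up to show a roaming agent.
WORKER_LOGS = {
    "worker-1": [
        "2023/07/31 00:11:24 wazuh-modulesd:vulnerability-detector: INFO: (5471): "
        "Finished vulnerability assessment for agent '3521'",
        "2023/07/31 00:12:00 wazuh-modulesd:vulnerability-detector: INFO: (5471): "
        "Finished vulnerability assessment for agent '1002'",
    ],
    "worker-2": [
        # constructed non-matching line, to show the parser ignores other messages
        "2023/07/30 21:55:00 wazuh-modulesd:vulnerability-detector: INFO: (0000): "
        "constructed unrelated line",
        "2023/07/30 22:00:00 wazuh-modulesd:vulnerability-detector: INFO: (5471): "
        "Finished vulnerability assessment for agent '3521'",
        "2023/07/30 22:05:00 wazuh-modulesd:vulnerability-detector: INFO: (5471): "
        "Finished vulnerability assessment for agent '2077'",
    ],
}


def parse_finished_scans(lines):
    """Return {agent_id: latest finish time} from one worker's log lines."""
    latest = {}
    for line in lines:
        m = FINISHED_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S")
        agent = m.group("agent")
        if agent not in latest or ts > latest[agent]:
            latest[agent] = ts
    return latest


def scans_per_worker(logs_by_worker):
    """Return {agent_id: {worker: latest finish time}} across all workers."""
    result = defaultdict(dict)
    for worker, lines in logs_by_worker.items():
        for agent, ts in parse_finished_scans(lines).items():
            result[agent][worker] = ts
    return dict(result)


def agents_scanned_on_multiple_workers(logs_by_worker):
    """Agents whose assessments are split across workers (the roaming case)."""
    per_agent = scans_per_worker(logs_by_worker)
    return sorted(a for a, workers in per_agent.items() if len(workers) > 1)


def latest_scan_and_worker(logs_by_worker, agent):
    """(worker, finish time) of the newest assessment for `agent`, or None."""
    workers = scans_per_worker(logs_by_worker).get(agent, {})
    if not workers:
        return None
    worker = max(workers, key=workers.get)
    return worker, workers[worker]


if __name__ == "__main__":
    for agent in agents_scanned_on_multiple_workers(WORKER_LOGS):
        worker, ts = latest_scan_and_worker(WORKER_LOGS, agent)
        print(f"agent {agent}: scanned on several workers; newest on {worker} at {ts}")
```

In practice you would replace WORKER_LOGS with the output of the grep command from the post run on each worker, and compare the worker reported for a flagged agent with the worker the agent is currently connected to; a mismatch is the case where the scan exists in the indexer but not in the API view.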

Openime Oniagbi

Jul 31, 2023, 11:27:24 AM
to Wazuh mailing list
Hi Sergey,

I am taking a look at this and will provide a response soon.

Openime Oniagbi

Aug 1, 2023, 4:30:28 AM
to Wazuh mailing list

Hi Sergey,

The issue you are having with the VD alerts not being displayed starts with the disconnection that occurs with the agents. We need to investigate why they disconnect and connect to another worker. Can you confirm what the OS of these agents are, and send me the ossec.log from one of the agents that exhibits the behavior you described? Please ensure to remove all confidential information from the ossec.log.

Sergey S

Aug 1, 2023, 5:19:58 AM
to Wazuh mailing list

Hi Openime,

Firstly, thank you for your reply.

We have a big infrastructure, so it is a normal thing for us: some agents disconnect, some connect. It is typical behavior for us (and I guess for all cluster users).
So is it possible to correct vulnerability-detector somehow for this case?
Or is it expected behavior in a big Wazuh cluster environment?

On Tuesday, August 1, 2023 at 10:30:28 UTC+2, Openime Oniagbi wrote:

Openime Oniagbi

Aug 2, 2023, 10:25:37 AM
to Wazuh mailing list
The steps you have described are normal for an agent that disconnects in the middle of a scan. However, it will be better to avoid those disconnections entirely, in the first place.

Furthermore, the results of disconnected agents should only be delayed, depending on several factors, and not non-existent. So even if the agents disconnect, you should still get VD results for that agent after a while.

I hope this helps.

Sergey S

Aug 3, 2023, 4:21:54 AM
to Wazuh mailing list
Thank you for the information and your help.

On Wednesday, August 2, 2023 at 16:25:37 UTC+2, Openime Oniagbi wrote: