System inventory could be disabled or has a problem
61 views
Skip to first unread message
Lukas Fritzsche
Sep 24, 2025, 2:31:09 AM (5 days ago) Sep 24
to Wazuh | Mailing List
Hello there,
so apparently I forgot to disable auto-updates on my wazuh-machines and now have 4.13.
Well, I was on vacation for 4 weeks and am now back to seeing "
System inventory could be disabled or has a problem" whenever viewing the inventory of an agent.
I use three seperate servers (one for dashboard, one for indexer, one for manager/server)
I have already checked:
- Certs on wazuh-server are all good (valid till 2034).
- Cluster health: YELLOW (already have deleted older indexes and moved the retention policy from 90d to 60d)
- configuration of ossec.conf (everything in order there)
Using the following command:
curl -u admin:PASSWORD --cacert /etc/filebeat/certs/root-ca.pem --cert /etc/filebeat/certs/wazuh-server.pem --key /etc/filebeat/certs/wazuh-server-key.pem -X GET "https://INDEXER_IP/_cluster/health?pretty"
i got:
{
"cluster_name" : "wazuh-indexer-cluster",
"status" : "yellow",
"timed_out" : false,
"number_of_nodes" : 1,
"number_of_data_nodes" : 1,
"discovered_master" : true,
"discovered_cluster_manager" : true,
"active_primary_shards" : 321,
"active_shards" : 321,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 32,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 90.93484419263456
}
"cluster_name" : "wazuh-indexer-cluster",
"status" : "yellow",
"timed_out" : false,
"number_of_nodes" : 1,
"number_of_data_nodes" : 1,
"discovered_master" : true,
"discovered_cluster_manager" : true,
"active_primary_shards" : 321,
"active_shards" : 321,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 32,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 90.93484419263456
}
Viewing the ossec.log using this command:
cat /var/ossec/logs/ossec.log | grep -iE "inventory|indexer|syscollector"
i got:
2025/09/24 00:02:55 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/09/24 00:03:06 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/09/24 01:03:07 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/09/24 01:03:18 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/09/24 02:03:18 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/09/24 02:03:30 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/09/24 03:03:31 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/09/24 03:03:43 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/09/24 04:03:44 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/09/24 04:03:56 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/09/24 05:03:57 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/09/24 05:04:07 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/09/24 05:29:28 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector.
2025/09/24 05:29:28 wazuh-modulesd:syscollector: INFO: Module finished.
2025/09/24 05:29:32 indexer-connector: WARNING: Failed to sync agent '002' with the indexer.
[...] basically every agent listed here
2025/09/24 05:29:32 indexer-connector: WARNING: Failed to sync agent '040' with the indexer.
2025/09/24 05:29:32 wazuh-modulesd:inventory-harvester: INFO: Stopping inventory_harvester module.
2025/09/24 07:30:03 wazuh-modulesd:inventory-harvester: INFO: Loaded Inventory harvester module.
2025/09/24 07:30:13 wazuh-modulesd:inventory-harvester: INFO: Loaded Inventory harvester module.
2025/09/24 07:30:13 wazuh-modulesd:inventory-harvester: INFO: Starting inventory_harvester module.
2025/09/24 07:30:14 wazuh-modulesd:syscollector: INFO: Module started.
2025/09/24 07:30:14 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/09/24 07:30:14 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/09/24 07:30:14 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventor-packages-wazuh-server', retrying until the connection is successful.
2025/09/24 07:30:15 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventor-system-wazuh-server', retrying until the connection is successful.
2025/09/24 07:30:20 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventor-processes-wazuh-server', retrying until the connection is successful.
2025/09/24 07:30:21 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventor-ports-wazuh-server', retrying until the connection is successful.
2025/09/24 07:30:22 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventor-hotfixes-wazuh-server', retrying until the connection is successful.
2025/09/24 07:30:22 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventor-hardware-wazuh-server', retrying until the connection is successful.
2025/09/24 07:30:23 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventor-protocols-wazuh-server', retrying until the connection is successful.
2025/09/24 07:30:24 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventor-interfaces-wazuh-server', retrying until the connection is successful.
2025/09/24 07:30:24 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventor-networks-wazuh-server', retrying until the connection is successful.
2025/09/24 07:30:24 logger-helper: INFO: InventoryHarvesterFacade module started.
2025/09/24 07:31:30 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh-server', retrying until the connection is successful.
2025/09/24 00:03:06 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/09/24 01:03:07 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/09/24 01:03:18 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/09/24 02:03:18 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/09/24 02:03:30 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/09/24 03:03:31 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/09/24 03:03:43 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/09/24 04:03:44 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/09/24 04:03:56 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/09/24 05:03:57 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/09/24 05:04:07 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/09/24 05:29:28 wazuh-modulesd:syscollector: INFO: Stop received for Syscollector.
2025/09/24 05:29:28 wazuh-modulesd:syscollector: INFO: Module finished.
2025/09/24 05:29:32 indexer-connector: WARNING: Failed to sync agent '002' with the indexer.
[...] basically every agent listed here
2025/09/24 05:29:32 indexer-connector: WARNING: Failed to sync agent '040' with the indexer.
2025/09/24 05:29:32 wazuh-modulesd:inventory-harvester: INFO: Stopping inventory_harvester module.
2025/09/24 07:30:03 wazuh-modulesd:inventory-harvester: INFO: Loaded Inventory harvester module.
2025/09/24 07:30:13 wazuh-modulesd:inventory-harvester: INFO: Loaded Inventory harvester module.
2025/09/24 07:30:13 wazuh-modulesd:inventory-harvester: INFO: Starting inventory_harvester module.
2025/09/24 07:30:14 wazuh-modulesd:syscollector: INFO: Module started.
2025/09/24 07:30:14 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/09/24 07:30:14 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2025/09/24 07:30:14 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventor-packages-wazuh-server', retrying until the connection is successful.
2025/09/24 07:30:15 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventor-system-wazuh-server', retrying until the connection is successful.
2025/09/24 07:30:20 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventor-processes-wazuh-server', retrying until the connection is successful.
2025/09/24 07:30:21 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventor-ports-wazuh-server', retrying until the connection is successful.
2025/09/24 07:30:22 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventor-hotfixes-wazuh-server', retrying until the connection is successful.
2025/09/24 07:30:22 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventor-hardware-wazuh-server', retrying until the connection is successful.
2025/09/24 07:30:23 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventor-protocols-wazuh-server', retrying until the connection is successful.
2025/09/24 07:30:24 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventor-interfaces-wazuh-server', retrying until the connection is successful.
2025/09/24 07:30:24 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventor-networks-wazuh-server', retrying until the connection is successful.
2025/09/24 07:30:24 logger-helper: INFO: InventoryHarvesterFacade module started.
2025/09/24 07:31:30 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh-server', retrying until the connection is successful.
So here i am now, back from vacation with zero clue what's wrong. I know nobody of my colleagues worked with wazuh in the meantime.
I have also seen on Reddit I'm not the only one with this issue after upgrading to 4.13 but this (https://github.com/wazuh/wazuh/issues/32044#issuecomment-3312554521) also has not helped me.
I appreciate any help!
Javier Sanchez Gil
Sep 24, 2025, 3:06:35 AM (5 days ago) Sep 24
to Wazuh | Mailing List
Hi Lukas Fritzsche,
It looks like the inventory itself is working (agents are collecting data), but the issue is that the manager cannot initialize the inventory indices in the indexer. This often happens when there’s a mismatch in the <indexer> block configuration inside ossec.conf, usually related to the certificate paths.
I’d suggest double-checking that the certificate paths under <indexer> match the ones Filebeat is using on your indexer node. You can use the example here as a reference: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/indexer.html#configuration-example
Also, you can run the following command to verify which cert files are present and confirm your paths:
ll /etc/filebeat/certs/
That should help confirm whether the <indexer> block is pointing to the correct certificates.
It looks like the inventory itself is working (agents are collecting data), but the issue is that the manager cannot initialize the inventory indices in the indexer. This often happens when there’s a mismatch in the <indexer> block configuration inside ossec.conf, usually related to the certificate paths.
I’d suggest double-checking that the certificate paths under <indexer> match the ones Filebeat is using on your indexer node. You can use the example here as a reference: https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/indexer.html#configuration-example
Also, you can run the following command to verify which cert files are present and confirm your paths:
ll /etc/filebeat/certs/
That should help confirm whether the <indexer> block is pointing to the correct certificates.
Lukas Fritzsche
Sep 24, 2025, 3:46:46 AM (5 days ago) Sep 24
to Wazuh | Mailing List
Sorry, apparently I only answered to you and not this thread, so here I go again:
Hi Javier Sanchez Gil,
thanks for your answer, I have checked:
<indexer> block in ossec.conf:
<indexer>
<enabled>yes</enabled>
<hosts>
<host>INDEXER_IP</host>
</hosts>
<ssl>
<certificate_authorities>
<ca>/etc/filebeat/certs/root-ca.pem</ca>
</certificate_authorities>
<certificate>/etc/filebeat/certs/wazuh-server.pem</certificate>
<key>/etc/filebeat/certs/wazuh-server-key.pem</key>
</ssl>
</indexer>
<enabled>yes</enabled>
<hosts>
<host>INDEXER_IP</host>
</hosts>
<ssl>
<certificate_authorities>
<ca>/etc/filebeat/certs/root-ca.pem</ca>
</certificate_authorities>
<certificate>/etc/filebeat/certs/wazuh-server.pem</certificate>
<key>/etc/filebeat/certs/wazuh-server-key.pem</key>
</ssl>
</indexer>
using the command ll /etc/filebeat/certs/ :
total 20
dr-x------ 2 root root 4096 Sep 24 07:55 ./
drwxr-xr-x 4 root root 4096 Mai 8 11:36 ../
-r-------- 1 root root 1204 Nov 21 2024 root-ca.pem
-r-------- 1 root root 1704 Nov 21 2024 wazuh-server-key.pem
-r-------- 1 root root 1285 Nov 21 2024 wazuh-server.pem
dr-x------ 2 root root 4096 Sep 24 07:55 ./
drwxr-xr-x 4 root root 4096 Mai 8 11:36 ../
-r-------- 1 root root 1204 Nov 21 2024 root-ca.pem
-r-------- 1 root root 1704 Nov 21 2024 wazuh-server-key.pem
-r-------- 1 root root 1285 Nov 21 2024 wazuh-server.pem
So I am assuming everythings in order, right?
Again, this is very weird, no changes were made except the update to Wazuh 4.13 and now the inventory "does not work" properly.
Javier Sanchez Gil
Sep 25, 2025, 3:34:41 AM (4 days ago) Sep 25
to Wazuh | Mailing List
Hi Lukas,
Just to confirm, after checking the certificate paths, is it still not working correctly?
If so, could you double-check whether your <indexer> block has the host defined like this:
<host>https://x.x.x.x:9200</host>
If it’s missing the https:// prefix and only appears as <host>x.x.x.x:9200</host>, that can cause connection errors with the Wazuh indexer.
It would also be helpful if you could run:
cat /var/ossec/logs/ossec.log | grep -iE "error|warn|crit|fatal"
to see if there are any additional details in the logs explaining why the IndexerConnector initialization is failing.
Reply all
Reply to author
Forward
0 new messages