vulnerabilities not reported for selected agents


Veera

Mar 24, 2026, 8:44:29 AM
to Wazuh | Mailing List
Hi,

I am posting this query after reviewing similar discussions about vulnerabilities not being reported.

We have a Wazuh cluster with thousands of agents, and a few of them are not reporting vulnerabilities.

I have the following questions:

Does vulnerability reporting depend on the OS rpm.db database?
Does vulnerability reporting depend on the repositories being available, active, or reachable on the agent?
Is there any specific port used by Wazuh for vulnerability assessment?

Could you please clarify the above points and also suggest where we should begin troubleshooting from the agent side?

For context, our environment initially started with v4.9.2 and was later upgraded sequentially through 4.12.0 → 4.13.1 → 4.14.0 → 4.14.1 → 4.14.2 → 4.14.4.1.
The current running version is WAZUH_VERSION: 4.14.4-1.

The agents experiencing this issue were onboarded when the cluster was running v4.14.2.

musbau....@wazuh.com

Mar 24, 2026, 9:44:24 AM
to Wazuh | Mailing List
Hi,

To answer your questions

1. Does vulnerability reporting depend on the OS rpm.db database?
Yes, but indirectly. Wazuh's Syscollector module is responsible for gathering the inventory. For RPM-based systems (like RHEL, CentOS), Syscollector queries the local package manager database, which is rpm.db or the newer ndb in newer OS versions, to build the list of installed software. If rpm.db is corrupted, Syscollector will fail to gather the package list. If Syscollector is disabled, the manager will have no data to compare against the CVE feeds.

2. Does vulnerability reporting depend on the repositories being available on the agent?
No. Wazuh does not use the agent's local package manager like yum or apt to check for vulnerabilities. Instead, on the agent side, Syscollector simply gathers a list of what is installed; on the manager side, the Vulnerability Detection module compares that list against the Wazuh Cyber Threat Intelligence (CTI) feeds. The agent does not need to be able to reach external software repositories or have them "active" to report what is currently installed.

3. Is there any specific port used by Wazuh for vulnerability assessment?
No special port is required. All vulnerability data is sent through the standard agent-to-manager communication channel:

Port 1514 (TCP/UDP): Used for all agent-manager data exchange (including Syscollector inventory data).

Port 1515 (TCP): Used for enrollment.

Port 55000 (TCP): Used for the Wazuh API (Dashboard to Manager).

Port 9200 (TCP): Used by the Manager to send alerts to the Indexer.
If the agent is showing as "Active" in your dashboard, the network path for vulnerability reporting is already open.

To troubleshoot this, you need to confirm the synchronization between the agent's Syscollector and the manager's Vulnerability Detector.

Step 1: Verify Syscollector is Running
On the problematic agent, check whether it is actually gathering package data. Search for wazuh-modulesd:syscollector in /var/ossec/logs/ossec.log (Linux) or C:\Program Files (x86)\ossec-agent\ossec.log (Windows) and look for: INFO: Evaluation finished. If you don't see this, ensure the following is in the agent's ossec.conf:

<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <packages>yes</packages>
  <scan_on_start>yes</scan_on_start>
</wodle>

Also, check for Indexer Connector errors on the manager. In version 4.14.x, a common issue is the Indexer Connector failing to sync inventory data to the indexer, even if the scan runs. Check the manager's ossec.log: grep "indexer-connector" /var/ossec/logs/ossec.log. If you see ERROR: Could not connect to server, status code: -1 or WARNING: Failed to sync agent, it means the manager cannot write the vulnerability data to the indexer; you then need to ensure the <indexer> block in the manager's ossec.conf points to the correct Indexer IP and that credentials are set in the wazuh-keystore.

Trigger a Manual Re-scan
Sometimes the vulnerability database for a specific agent gets "stuck" after an upgrade. On the manager, stop the manager service, delete the agent's local database entry (/var/ossec/queue/db/<agent_id>.db; be careful with this in large environments), then restart the manager. Restart the agent to force a fresh Syscollector sync.

Wazuh moved to a unified CTI feed. If your manager is behind a proxy or has restricted internet access, it may not be downloading the latest CVE feeds. Check manager logs for: vulnerability-detector: INFO: Refreshing vulnerability database. If this fails, the manager will have zero vulnerabilities to report because its local CVE database is empty.
Regards,
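The agent-side and manager-side log checks in the reply above, collected into one read-only triage script. This is an added example, not code from the thread or from the Wazuh project: it reads an agent's ossec.conf and ossec.log and a manager's ossec.log and prints a one-word diagnosis for each side. The default paths are the ones quoted in the reply; the log strings it greps for ("Evaluation finished", "Could not connect to server", "Failed to sync agent", "Refreshing vulnerability database") are taken from the reply text and are not verified against the Wazuh source, so treat them as assumptions and adjust the pattern variables if your version logs differently. The config and log samples at the bottom are constructed for the demo, not captured from a real cluster.

```shell
#!/bin/sh
# Added triage helper for the checks described in the reply (example code, not
# part of Wazuh or of the thread). Read-only: it never stops services or
# deletes /var/ossec/queue/db/<agent_id>.db; do that step by hand if needed.

# Default locations quoted in the reply; override via environment when testing.
OSSEC_CONF="${OSSEC_CONF:-/var/ossec/etc/ossec.conf}"
OSSEC_LOG="${OSSEC_LOG:-/var/ossec/logs/ossec.log}"

# Log patterns: ASSUMED from the reply text, not verified against Wazuh source.
SYSCOLLECTOR_DONE='wazuh-modulesd:syscollector.*Evaluation finished'
INDEXER_ERROR='indexer-connector.*(Could not connect to server|Failed to sync agent)'
FEED_REFRESH='vulnerability-detector.*Refreshing vulnerability database'

# count_matches PATTERN FILE -> number of matching lines (0 if none or no file)
count_matches() {
  n=$(grep -Ec -- "$1" "$2" 2>/dev/null) || true
  echo "${n:-0}"
}

# syscollector_conf_state FILE -> ok | disabled | packages-off | missing
# Assumes a single <wodle name="syscollector"> block with unpadded values.
syscollector_conf_state() {
  block=$(sed -n '/<wodle name="syscollector">/,/<\/wodle>/p' "$1" 2>/dev/null || true)
  [ -n "$block" ] || { echo missing; return 0; }
  case "$block" in
    *'<disabled>yes</disabled>'*) echo disabled ;;
    *'<packages>no</packages>'*)  echo packages-off ;;
    *)                            echo ok ;;
  esac
}

# agent_diagnosis CONF LOG -> config-<state> | no-scan-logged | scanning
agent_diagnosis() {
  state=$(syscollector_conf_state "$1")
  [ "$state" = ok ] || { echo "config-$state"; return 0; }
  scans=$(count_matches "$SYSCOLLECTOR_DONE" "$2")
  [ "$scans" -gt 0 ] || { echo no-scan-logged; return 0; }
  echo scanning
}

# manager_diagnosis LOG -> indexer-connector-error | no-feed-refresh | feeds-ok
manager_diagnosis() {
  errs=$(count_matches "$INDEXER_ERROR" "$1")
  [ "$errs" -eq 0 ] || { echo indexer-connector-error; return 0; }
  refreshes=$(count_matches "$FEED_REFRESH" "$1")
  [ "$refreshes" -gt 0 ] || { echo no-feed-refresh; return 0; }
  echo feeds-ok
}

# --- constructed samples (not output from any real agent or manager) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/agent-ok.conf" <<'EOF'
<ossec_config>
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <packages>yes</packages>
    <scan_on_start>yes</scan_on_start>
  </wodle>
</ossec_config>
EOF
cat > "$SAMPLE_DIR/agent-bad.conf" <<'EOF'
<ossec_config>
  <wodle name="syscollector">
    <disabled>no</disabled>
    <packages>no</packages>
  </wodle>
</ossec_config>
EOF
cat > "$SAMPLE_DIR/agent-ok.log" <<'EOF'
2026/03/24 08:40:00 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2026/03/24 08:40:03 wazuh-modulesd:syscollector: INFO: Evaluation finished.
EOF
cat > "$SAMPLE_DIR/agent-quiet.log" <<'EOF'
2026/03/24 08:40:00 wazuh-agentd: INFO: Connected to the server.
EOF
cat > "$SAMPLE_DIR/manager-bad.log" <<'EOF'
2026/03/24 08:41:00 vulnerability-detector: INFO: Refreshing vulnerability database.
2026/03/24 08:41:10 indexer-connector: ERROR: Could not connect to server, status code: -1
EOF
cat > "$SAMPLE_DIR/manager-ok.log" <<'EOF'
2026/03/24 08:41:00 vulnerability-detector: INFO: Refreshing vulnerability database.
EOF

# Usage: on a real host run agent_diagnosis "$OSSEC_CONF" "$OSSEC_LOG" on the
# agent and manager_diagnosis "$OSSEC_LOG" on the manager; here, the samples.
echo "agent (good conf, scan logged):  $(agent_diagnosis "$SAMPLE_DIR/agent-ok.conf"  "$SAMPLE_DIR/agent-ok.log")"
echo "agent (packages off):            $(agent_diagnosis "$SAMPLE_DIR/agent-bad.conf" "$SAMPLE_DIR/agent-ok.log")"
echo "agent (no scan in log):          $(agent_diagnosis "$SAMPLE_DIR/agent-ok.conf"  "$SAMPLE_DIR/agent-quiet.log")"
echo "manager (indexer error):         $(manager_diagnosis "$SAMPLE_DIR/manager-bad.log")"
echo "manager (feeds refreshing):      $(manager_diagnosis "$SAMPLE_DIR/manager-ok.log")"
```

The script deliberately stops at diagnosis. An "indexer-connector-error" result points you at the <indexer> block and the keystore on the manager, "config-packages-off" or "config-disabled" at the agent's ossec.conf, and "no-scan-logged" at the agent log itself (check that the agent has been up longer than its scan interval before assuming Syscollector is broken). The database-deletion step from the reply is left manual because it is destructive and, in a cluster with thousands of agents, not something to loop over blindly.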