Wazuh 4.12 doesn't generate Vulnerability Events


MaP

Nov 10, 2025, 7:42:46 AM
to Wazuh | Mailing List

Hello everyone,

Our Wazuh cluster doesn't seem to be generating any vulnerability events. This is the case regardless of which server in the cluster is running.
The vulnerability dashboard displays vulnerabilities and the inventory list is also fully populated, but no events are being generated.


What I've done so far:

  • Checked ossec.conf (it seems to be OK and is the same for all cluster members):

          <vulnerability-detection>
            <enabled>yes</enabled>
            <index-status>yes</index-status>
            <feed-update-interval>2h</feed-update-interval>
            <offline-url>https://path_to_our_updatefilepath.zip</offline-url>
          </vulnerability-detection>

  • Checked the ossec.log for errors related to vulnerability detection (data from
          ...
          wazuh-modulesd:vulnerability-scanner: INFO: Initiating update feed process.
          wazuh-modulesd:vulnerability-scanner: INFO: Triggered a re-scan after content update.
          wazuh-modulesd:vulnerability-scanner: INFO: Feed update process completed.
          ...

    This log is always triggered when we receive a new update to the CVE database.

  • Next, we checked whether the vulnerability information in archives.json was arriving on the manager, which it is. Something like this is logged:
          "full_log": "{\"vulnerability\": \"assigner\":\"microsoft\",\"classification\":\"CVSS\",\"cve\":\"CVE-2..................

What is not generated is an alert with a level. Unfortunately, I have no further ideas on how to proceed to fix the error.

Best regards

MaP
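As an added example (not from this thread or from Wazuh itself), a small Python triage of archives.json lines that separates vulnerability events that merely arrived on the manager from those that matched a rule and carry a level, which is the distinction the post is probing. The sample lines are constructed, the rule id is a placeholder, and the layout (a `rule` object present only when a rule fired, the vulnerability record JSON-encoded inside `full_log`) is an assumption based on the snippet quoted above.

```python
import json
from collections import Counter


def make_event(agent_id, cve, status, rule=None):
    """Build one constructed archives.json line (sample data, not a real event).
    The vulnerability record is JSON-encoded as a string in "full_log", as in the
    thread; a "rule" object is attached only when a rule is assumed to have matched."""
    payload = {"vulnerability": {"assigner": "microsoft", "classification": "CVSS",
                                 "cve": cve, "status": status}}
    event = {"agent": {"id": agent_id}, "decoder": {"name": "json"},
             "full_log": json.dumps(payload)}
    if rule is not None:
        event["rule"] = rule
    return json.dumps(event)


# Constructed sample: two arrivals without a matched rule, one leveled alert
# (rule id "0000" is a placeholder), one unrelated log line, one malformed line.
SAMPLE_LINES = [
    make_event("001", "CVE-0000-11111", "Active"),
    make_event("002", "CVE-0000-11111", "Active"),
    make_event("001", "CVE-0000-22222", "Solved", {"id": "0000", "level": 3}),
    json.dumps({"agent": {"id": "003"}, "full_log": "sshd[1]: Accepted publickey"}),
    "not json at all",
]


def parse_vulnerability(line):
    """Return (cve, status, level) for a vulnerability event, or None if the line
    is malformed or not a vulnerability event. level is None when no rule matched."""
    try:
        event = json.loads(line)
        if not isinstance(event, dict):
            return None
        payload = json.loads(event.get("full_log", ""))
    except (ValueError, TypeError):
        return None
    if not isinstance(payload, dict) or "vulnerability" not in payload:
        return None
    vuln = payload["vulnerability"]
    return vuln.get("cve"), vuln.get("status"), event.get("rule", {}).get("level")


def triage(lines):
    """Count vulnerability events that only arrived versus those that got a rule
    level, and list the CVEs that never produced a leveled alert."""
    arrived, alerted = Counter(), Counter()
    for line in lines:
        parsed = parse_vulnerability(line)
        if parsed is None:
            continue
        cve, _status, level = parsed
        arrived[cve] += 1
        if level is not None:
            alerted[cve] += 1
    silent = sorted(c for c in arrived if alerted[c] == 0)
    return {"arrived": sum(arrived.values()), "alerted": sum(alerted.values()),
            "silent_cves": silent}


if __name__ == "__main__":
    print(triage(SAMPLE_LINES))
```

Point the loop at the real file (one JSON object per line) to see which CVEs are reaching the manager without ever being assigned a level.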

Gabriel Emanuel Valenzuela

Nov 10, 2025, 8:46:03 AM
to Wazuh | Mailing List

The Vulnerability Detection (VD) module generates alerts when new vulnerabilities are found or existing ones are resolved due to package installation, removal, or upgrade. However, not every detected change leads to an alert; generation depends on the context of detection.

1. Operating System Alerts
  • Alerts are not triggered during the initial scan.

  • When an agent syncs with the manager for the first time, it simply reports the current OS version and patch level — no “new event” is detected.

  • Alerts only appear in subsequent scans, when the OS version or patch state changes.

2. Package Alerts
  • Generated only when a package installation or removal adds or removes a vulnerability from the inventory.

  • The change must occur while the agent is running, and it must be captured during a scheduled Syscollector scan (delta messages).

  • If the change happens while the agent is stopped or is only detected after a restart, no alert will be generated.

3. Additional Factors
  • Cluster environments:
    When an agent connects to a different manager node, the inventory syncs but no alerts are generated during that initial synchronization.

  • Content updates:
    When new CVE definitions or vulnerability mappings are downloaded, all agents are re-scanned to refresh their inventory. This re-scan does not generate alerts, even if changes are found.

Regarding your log: your content update will not trigger an alert.