Vulnerabilities module not working for all agents


Henrique Avelino

Oct 3, 2024, 8:07:58 AM
to Wazuh | Mailing List
Hi everyone,

I have a big problem with the vulnerabilities module.

Before updating from 4.7 to 4.9, the vulnerabilities module was working for all agents (+/- 1000).

Now in Wazuh 4.9, the vulnerabilities module is working only for 55 agents out of the 1000 existing agents, is there any limitation?

Thanks

Mauricio Aguilar

Oct 3, 2024, 10:30:30 AM
to Wazuh | Mailing List
Hi Henrique, thanks for using Wazuh!
So, in the dashboard you see most of the agents as disconnected?
Let me check this with the team.


Mauricio Aguilar

Oct 3, 2024, 12:16:21 PM
to Wazuh | Mailing List
Hi again,

I have some questions:
What OS do the agents run?
Why do you say it doesn't work? That it doesn't detect vulnerabilities in some systems is perhaps expected.
Do you have any logs?

Henrique Avelino

Oct 3, 2024, 12:28:41 PM
to Wazuh | Mailing List
Hi Mauricio,

1 - Agent status follows: 981 online
2 - I have several different types of OS:
Windows Server 2012, 2016, 2019, 2022
Ubuntu, Debian, Oracle Linux....
3 - When I go to Vulnerability Detector > Inventory and select the agents, just 55 agents show me inventory data; the other 926 show me "No results match your search criteria".
4 - If I go to Explore > Discover, filter on an agent and look for CVE alerts, I don't have any alerts for the 926 agents after updating Wazuh to 4.9.
5 - What kind of logs do I need to look for?

Thanks.

Mauricio Aguilar

Oct 4, 2024, 10:25:54 AM
to Wazuh | Mailing List
Hi,

All of these OSes are supported and should work.

The scanner, unlike the 4.7 version, is event driven.
So when upgrading to 4.9, most of the syscollector DBs were probably already synchronized, and that will not trigger a scan.

Zero Two

Oct 4, 2024, 10:40:52 AM
to Wazuh | Mailing List
Mauricio,
Is there a way to clear the syscollector dbs to force a resync?

Mauricio Aguilar

Oct 4, 2024, 2:23:54 PM
to Wazuh | Mailing List
Mm... let me check.
The agents that do work are all Windows?

Mauricio Aguilar

Oct 4, 2024, 2:38:04 PM
to Wazuh | Mailing List
What you could do is:

Disable the vulnerability detector.
Restart the manager.
That will clean the inventory and the indexer of the info from those few agents that "worked".
Re-enable the vulnerability detector.
Restart the manager.
Then the scanner will have a behavior similar to the legacy one and will query the agent databases.
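
A scripted version of that disable / restart / re-enable / restart cycle, added here as an example; it is not part of this thread or of the Wazuh project. It assumes the manager configuration is /etc/ossec.conf, that the module block is named `<vulnerability-detection>` (the 4.8+ name) and carries an `<enabled>yes|no</enabled>` tag, and that the manager is controlled with systemctl. The sed address range confines the substitution to that one block, so `<enabled>` tags belonging to other modules are not touched.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or the Wazuh project: script the
# disable -> restart -> re-enable -> restart cycle from the reply above.
# Assumptions: the manager config is /etc/ossec.conf (override with --run PATH),
# the module block is <vulnerability-detection> (Wazuh 4.8+ name) and it holds
# an <enabled>yes|no</enabled> tag. Only the tag inside that block is rewritten,
# so other <enabled> tags (SCA, etc.) are left as they are.
set -eu

# set_vd_enabled CONFIG yes|no -- rewrite the module's <enabled> value in place
set_vd_enabled() {
  local cfg="$1" state="$2" tmp
  case "$state" in yes|no) ;; *) echo "state must be yes or no" >&2; return 2 ;; esac
  tmp="$(mktemp)"
  # the address range limits the substitution to the vulnerability-detection block
  sed "/<vulnerability-detection>/,/<\/vulnerability-detection>/ s|<enabled>[a-z]*</enabled>|<enabled>${state}</enabled>|" "$cfg" > "$tmp"
  cat "$tmp" > "$cfg"   # write back through the original file so owner and mode stay unchanged
  rm -f "$tmp"
}

# vd_state CONFIG -- print the current value (yes/no) of that tag
vd_state() {
  sed -n "/<vulnerability-detection>/,/<\/vulnerability-detection>/ s|.*<enabled>\([a-z]*\)</enabled>.*|\1|p" "$1"
}

# restart_manager -- restart the manager service; fails loudly when systemctl is absent
restart_manager() {
  command -v systemctl >/dev/null 2>&1 || { echo "systemctl not found; restart wazuh-manager manually" >&2; return 1; }
  systemctl restart wazuh-manager
}

# resync_vulnerability_scanner CONFIG -- the full cycle: off, restart, on, restart
resync_vulnerability_scanner() {
  local cfg="$1"
  set_vd_enabled "$cfg" no
  restart_manager
  set_vd_enabled "$cfg" yes
  restart_manager
  echo "vulnerability-detection is now '$(vd_state "$cfg")'; watch /var/ossec/logs/ossec.log for 'Re-scanning all agents'"
}

# Usage (on a manager node, as root):  ./resync_vd.sh --run [/etc/ossec.conf]
# Running or sourcing the file without --run only defines the functions.
if [ "${1:-}" = "--run" ]; then
  resync_vulnerability_scanner "${2:-/etc/ossec.conf}"
fi
```

Run it on each manager node of the cluster in turn; the "Policy changed. Re-scanning all agents." line in ossec.log is the sign that the scanner picked up the re-enable.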

Henrique Avelino

Oct 16, 2024, 9:42:38 AM
to Wazuh | Mailing List
Hi Mauricio,

I disabled and enabled the module, but I had this warning:

2024/10/16 10:01:21 wazuh-modulesd:vulnerability-scanner: INFO: Stopping vulnerability_scanner module.
2024/10/16 10:01:58 wazuh-modulesd:vulnerability-scanner: INFO: Starting vulnerability_scanner module.
2024/10/16 10:01:59 wazuh-modulesd:vulnerability-scanner: INFO: Vulnerability scanner module is disabled.
2024/10/16 10:06:04 wazuh-modulesd:vulnerability-scanner: INFO: Stopping vulnerability_scanner module.
2024/10/16 10:06:20 wazuh-modulesd:vulnerability-scanner: INFO: Starting vulnerability_scanner module.
2024/10/16 10:08:23 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh', retrying until the connection is successful.
2024/10/16 10:08:23 wazuh-modulesd:vulnerability-scanner: INFO: Policy changed. Re-scanning all agents.
2024/10/16 10:08:25 wazuh-modulesd:vulnerability-scanner: INFO: Vulnerability scanner module started.

What could this warning be?

Thanks.

Henrique Avelino

Oct 16, 2024, 11:23:24 AM
to Wazuh | Mailing List
I have more information with debug enabled.

I can see a lot of errors like:

2024/10/16 10:08:23 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh', retrying until the connection is successful.
2024/10/16 11:42:13 indexer-connector: WARNING: Failed to sync agent '1532' with the indexer.
2024/10/16 11:42:13 indexer-connector: WARNING: Failed to sync agent '2031' with the indexer.
2024/10/16 11:42:13 indexer-connector: WARNING: Failed to sync agent '1876' with the indexer.
2024/10/16 11:42:13 indexer-connector: WARNING: Failed to sync agent '1060' with the indexer.
2024/10/16 11:42:13 indexer-connector: WARNING: Failed to sync agent '1675' with the indexer.
2024/10/16 11:42:13 indexer-connector: WARNING: Failed to sync agent '1919' with the indexer.
2024/10/16 11:42:13 indexer-connector: WARNING: Failed to sync agent '1834' with the indexer.
2024/10/16 11:42:13 indexer-connector: WARNING: Failed to sync agent '1972' with the indexer.
2024/10/16 11:42:13 indexer-connector: WARNING: Failed to sync agent '1213' with the indexer.
2024/10/16 11:42:13 indexer-connector: WARNING: Failed to sync agent '1628' with the indexer.
2024/10/16 11:42:13 indexer-connector: WARNING: Failed to sync agent '1525' with the indexer.
2024/10/16 11:42:13 indexer-connector: WARNING: Failed to sync agent '1715' with the indexer.
2024/10/16 11:42:13 indexer-connector: WARNING: Failed to sync agent '985' with the indexer.


When I run GET /_cluster/health, I have these results:
{
  "cluster_name": "wazuh-indexer-cluster",
  "status": "yellow",
  "timed_out": false,
  "number_of_nodes": 2,
  "number_of_data_nodes": 2,
  "discovered_master": true,
  "discovered_cluster_manager": true,
  "active_primary_shards": 962,
  "active_shards": 970,
  "relocating_shards": 0,
  "initializing_shards": 2,
  "unassigned_shards": 867,
  "delayed_unassigned_shards": 0,
  "number_of_pending_tasks": 0,
  "number_of_in_flight_fetch": 0,
  "task_max_waiting_in_queue_millis": 0,
  "active_shards_percent_as_number": 52.746057640021746
}

If I run GET /_cluster/allocation/explain:
{
  "index": ".opendistro-reports-instances",
  "shard": 0,
  "primary": false,
  "current_state": "unassigned",
  "unassigned_info": {
    "reason": "REPLICA_ADDED",
    "at": "2024-10-16T15:11:24.553Z",
    "last_allocation_status": "no_attempt"
  },

How can I fix it?

Environment is:
2 Indexer servers in cluster
2 Wazuh managers in cluster
1 Wazuh dashboard.

Thanks.
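
A small triage script for the two symptoms in the post above (indexer-connector warnings in ossec.log and a non-green cluster health), added here as an example; it is not part of this thread or of the Wazuh project. It works on saved copies of the manager log and of the GET /_cluster/health response so it runs offline; the sample log lines and health JSON embedded in it are constructed to resemble what was posted, and the verdict it prints is a heuristic (sync warnings plus unassigned shards point at the indexer first), not a diagnosis.

```shell
#!/usr/bin/env bash
# Added example, not from the thread or the Wazuh project: correlate the two
# symptoms in the post above, indexer-connector sync warnings in ossec.log and a
# non-green indexer cluster, from saved copies of both files. Runs offline; with
# no arguments it uses constructed samples that mimic the thread's output.
set -eu

# failed_sync_agents LOGFILE -- unique agent IDs from "Failed to sync agent 'N'" warnings
failed_sync_agents() {
  sed -n "s/.*indexer-connector: WARNING: Failed to sync agent '\([0-9]*\)' with the indexer\..*/\1/p" "$1" | sort -n -u
}

# count_failed_sync_agents LOGFILE
count_failed_sync_agents() {
  failed_sync_agents "$1" | wc -l | tr -d ' '
}

# init_failures LOGFILE -- how often the connector could not initialise its index
init_failures() {
  grep -c "IndexerConnector initialization failed" "$1" || true
}

# json_field FILE KEY -- pull one top-level scalar out of flat _cluster/health JSON (no jq needed)
json_field() {
  sed -n "s/^ *\"$2\": *\"\{0,1\}\([^\",]*\).*/\1/p" "$1"
}

# triage LOGFILE HEALTHFILE -- one verdict line; returns 0 when the indexer is the
# place to look first, 1 when the warnings do not line up with cluster state
triage() {
  local log="$1" health="$2" n status unassigned pct
  n="$(count_failed_sync_agents "$log")"
  status="$(json_field "$health" status)"
  unassigned="$(json_field "$health" unassigned_shards)"
  pct="$(json_field "$health" active_shards_percent_as_number)"
  if [ "$n" -gt 0 ] && [ "${status:-unknown}" != "green" ] && [ "${unassigned:-0}" -gt 0 ]; then
    echo "indexer-side: $n agents failed to sync while the cluster is $status with $unassigned unassigned shards (${pct%%.*}% active); $(init_failures "$log") connector init failure(s). Check shard allocation before suspecting the agents."
    return 0
  fi
  echo "no correlation: $n agents failed to sync, cluster status ${status:-unknown}"
  return 1
}

# write_sample_log FILE -- constructed ossec.log excerpt in the format shown in the thread
write_sample_log() {
  cat > "$1" <<'EOF'
2024/10/16 10:08:23 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh', retrying until the connection is successful.
2024/10/16 10:08:23 wazuh-modulesd:vulnerability-scanner: INFO: Policy changed. Re-scanning all agents.
2024/10/16 11:42:13 indexer-connector: WARNING: Failed to sync agent '1532' with the indexer.
2024/10/16 11:42:13 indexer-connector: WARNING: Failed to sync agent '2031' with the indexer.
2024/10/16 11:42:13 indexer-connector: WARNING: Failed to sync agent '1532' with the indexer.
2024/10/16 11:42:13 indexer-connector: WARNING: Failed to sync agent '985' with the indexer.
EOF
}

# write_sample_health FILE -- constructed, abridged GET /_cluster/health response
write_sample_health() {
  cat > "$1" <<'EOF'
{
  "cluster_name": "wazuh-indexer-cluster",
  "status": "yellow",
  "number_of_nodes": 2,
  "active_shards": 970,
  "unassigned_shards": 867,
  "active_shards_percent_as_number": 52.746057640021746
}
EOF
}

# Usage: ./triage_vd.sh                                  (constructed samples)
#        ./triage_vd.sh /var/ossec/logs/ossec.log health.json
if [ $# -eq 0 ]; then
  demo="$(mktemp -d)"
  write_sample_log "$demo/ossec.log"
  write_sample_health "$demo/health.json"
  triage "$demo/ossec.log" "$demo/health.json"
  rm -rf "$demo"
else
  triage "$1" "${2:?path to saved _cluster/health JSON required}"
fi
```

The agent list from failed_sync_agents is the useful artifact: if it matches the set of agents missing from Vulnerability Detector > Inventory, the gap is on the indexing path rather than in the scanner, and the cluster's unassigned-shard count is the next thing to resolve.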