DB Connection Issues with Vulnerability Scans


aepfel birnen

Mar 3, 2025, 12:29:34 PM
to Wazuh | Mailing List
Hi everybody! 

For days I have been trying to wrap my head around the following issue (or misconfiguration):

Wazuh and all services are running as expected, except for Vulnerability Management. According to the debug logs, queries are made to the agents and a response is delivered.

2025/03/03 18:11:09 wazuh-modulesd:vulnerability-scanner[927880] osScanner.hpp:114 at operator()(): DEBUG: Scanning OS - 'windows_11_23h2' (Installed Version: 10.0.22631.4890, Security Vulnerability: CVE-2025-21414). Identified vulnerability: Version: 0. Required Version Threshold: 10.0.22631.4890. Required Version Threshold (or Equal): .

2025/03/03 18:11:09 wazuh-modulesd:vulnerability-scanner[927880] osScanner.hpp:262 at operator()(): DEBUG: No match due to default status for OS: windows_11_23h2, Version: 10.0.22631.4890 while scanning for Vulnerability: CVE-2025-21414

2025/03/03 18:11:09 wazuh-modulesd:vulnerability-scanner[927880] osScanner.hpp:114 at operator()(): DEBUG: Scanning OS - 'windows_11_23h2' (Installed Version: 10.0.22631.4890, Security Vulnerability: CVE-2025-21417). Identified vulnerability: Version: 0. Required Version Threshold: 10.0.22621.4751. Required Version Threshold (or Equal): .

2025/03/03 18:11:09 wazuh-modulesd:vulnerability-scanner[927880] osScanner.hpp:114 at operator()(): DEBUG: Scanning OS - 'windows_11_23h2' (Installed Version: 10.0.22631.4890, Security Vulnerability: CVE-2025-21417). Identified vulnerability: Version: 0. Required Version Threshold: 10.0.22631.4751. Required Version Threshold (or Equal): .

2025/03/03 18:11:09 wazuh-modulesd:vulnerability-scanner[927880] osScanner.hpp:262 at operator()(): DEBUG: No match due to default status for OS: windows_11_23h2, Version: 10.0.22631.4890 while scanning for Vulnerability: CVE-2025-21417

2025/03/03 18:11:09 wazuh-modulesd:vulnerability-scanner[927880] osScanner.hpp:114 at operator()(): DEBUG: Scanning OS - 'windows_11_23h2' (Installed Version: 10.0.22631.4890, Security Vulnerability: CVE-2025-21418). Identified vulnerability: Version: 0. Required Version Threshold: 10.0.22631.4890. Required Version Threshold (or Equal): .

2025/03/03 18:11:09 wazuh-modulesd:vulnerability-scanner[927880] osScanner.hpp:262 at operator()(): DEBUG: No match due to default status for OS: windows_11_23h2, Version: 10.0.22631.4890 while scanning for Vulnerability: CVE-2025-21418

2025/03/03 18:11:09 wazuh-modulesd:vulnerability-scanner[927880] osScanner.hpp:114 at operator()(): DEBUG: Scanning OS - 'windows_11_23h2' (Installed Version: 10.0.22631.4890, Security Vulnerability: CVE-2025-21419). Identified vulnerability: Version: 0. Required Version Threshold: 10.0.22631.4890. Required Version Threshold (or Equal): .

2025/03/03 18:11:09 wazuh-modulesd:vulnerability-scanner[927880] osScanner.hpp:262 at operator()(): DEBUG: No match due to default status for OS: windows_11_23h2, Version: 10.0.22631.4890 while scanning for Vulnerability: CVE-2025-21419

2025/03/03 18:11:09 wazuh-modulesd:vulnerability-scanner[927880] osScanner.hpp:114 at operator()(): DEBUG: Scanning OS - 'windows_11_23h2' (Installed Version: 10.0.22631.4890, Security Vulnerability: CVE-2025-21420). Identified vulnerability: Version: 0. Required Version Threshold: . Required Version Threshold (or Equal): 10.0.22631.4890.

2025/03/03 18:11:09 wazuh-modulesd:vulnerability-scanner[927880] osScanner.hpp:198 at operator()(): DEBUG: Match found, the OS 'windows_11_23h2', is vulnerable to 'CVE-2025-21420'. Current version: '10.0.22631.4890' (less than '' or equal to '10.0.22631.4890'). - Agent 'LTB41' (ID: '323', Version: 'v4.10.1').

2025/03/03 18:11:09 wazuh-modulesd:vulnerability-scanner[927880] osScanner.hpp:354 at handleRequest(): DEBUG: Remediation for OS 'windows_11_23h2' on Agent '323' has been found. CVE: 'CVE-2025-21420', Remediation: 'KB5051989'.

2025/03/03 18:11:09 wazuh-modulesd:vulnerability-scanner[927880] osScanner.hpp:354 at handleRequest(): DEBUG: Remediation for OS 'windows_11_23h2' on Agent '323' has been found. CVE: 'CVE-2025-21377', Remediation: 'KB5051989'.

2025/03/03 18:11:09 wazuh-modulesd:vulnerability-scanner[927880] osScanner.hpp:386 at handleRequest(): DEBUG: Vulnerability scan for OS 'windows_11_23h2' on Agent '323' has completed.

2025/03/03 18:11:09 wazuh-modulesd:vulnerability-scanner[927880] eventDetailsBuilder.hpp:105 at handleRequest(): DEBUG: Building event details for component type: 2

Then the first error occurs:

2025/03/03 18:23:10 wazuh-modulesd:vulnerability-scanner[927880] eventDetailsBuilder.hpp:105 at handleRequest(): DEBUG: Building event details for component type: 2

2025/03/03 18:23:10 wazuh-modulesd:vulnerability-scanner[927880] scanAgentList.hpp:247 at handleRequest(): DEBUG: Error executing query to fetch agent data for agents. Reason: DB query not synced.

2025/03/03 18:23:10 wazuh-modulesd:vulnerability-scanner[927880] scanOrchestrator.hpp:143 at operator()(): DEBUG: AgentReScanListException. Reason: Error executing rescan for multiple agents.

2025/03/03 18:23:10 wazuh-modulesd:vulnerability-scanner[927880] scanOrchestrator.hpp:312 at run(): DEBUG: Processing 'ReScanSingleAgent' event for agent '3458'

2025/03/03 18:23:10 wazuh-modulesd:vulnerability-scanner[927880] resultIndexer.hpp:60 at handleRequest(): DEBUG: Processing and publish key: DeleteByQuery request

2025/03/03 18:23:10 wazuh-modulesd:vulnerability-scanner[927880] buildSingleAgentListContext.hpp:93 at handleRequest(): DEBUG: Agent 3458 added to the list of agents to be re-scanned

2025/03/03 18:23:10 wazuh-modulesd:vulnerability-scanner[927880] osScanner.hpp:386 at handleRequest(): DEBUG: Vulnerability scan for OS 'windows_11_23h2' on Agent '3458' has completed.

2025/03/03 18:23:10 wazuh-modulesd:vulnerability-scanner[927880] eventDetailsBuilder.hpp:105 at handleRequest(): DEBUG: Building event details for component type: 2

2025/03/03 18:23:10 wazuh-modulesd:vulnerability-scanner[927880] scanAgentList.hpp:247 at handleRequest(): DEBUG: Error executing query to fetch agent data for agents. Reason: DB query not synced.

2025/03/03 18:23:10 wazuh-modulesd:vulnerability-scanner[927880] scanOrchestrator.hpp:143 at operator()(): DEBUG: AgentReScanListException. Reason: Error executing rescan for multiple agents.

2025/03/03 18:23:10 indexer-connector[927880] indexerConnector.cpp:592 at operator()(): DEBUG: Added document for deletion by query with id: 199.

2025/03/03 18:23:10 indexer-connector[927880] indexerConnector.cpp:592 at operator()(): DEBUG: Added document for deletion by query with id: 259.

2025/03/03 18:23:10 indexer-connector[927880] indexerConnector.cpp:592 at operator()(): DEBUG: Added document for deletion by query with id: 316.

2025/03/03 18:23:10 indexer-connector[927880] indexerConnector.cpp:592 at operator()(): DEBUG: Added document for deletion by query with id: 323.

2025/03/03 18:23:10 indexer-connector[927880] indexerConnector.cpp:592 at operator()(): DEBUG: Added document for deletion by query with id: 3458.

2025/03/03 18:23:10 indexer-connector[927880] indexerConnector.cpp:630 at operator()(): DEBUG: Response: {"took":2,"timed_out":false,"total":0,"deleted":0,"batches":0,"version_conflicts":0,"noops":0,"retries":{"bulk":0,"search":0},"throttled_millis":0,"requests_per_second":-1.0,"throttled_until_millis":0,"failures":[]}

In non-debug mode, it had various errors as well, which I couldn't assign to a cause.

The most relevant error might be: 

2025/03/03 18:26:10 wazuh-modulesd:vulnerability-scanner[927880] scanAgentList.hpp:247 at handleRequest(): DEBUG: Error executing query to fetch agent data for agents. Reason: DB query not synced.

Help highly appreciated

Thanks,
Ben
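A triage sketch for the log excerpt above, added here as an example (it is not part of the original thread and not Wazuh's own code). It tallies the "DB query not synced" errors per timestamp, the CVE matches per agent, the agents queued for re-scan, and the `deleted` count from each DeleteByQuery response. The function name `triage` and the regular expressions are assumptions derived from the line format shown in the post; the sample lines are copied from it.

```python
import json
import re
from collections import Counter

# Sample input: lines copied from the log excerpt in the post above.
SAMPLE_LOG = """\
2025/03/03 18:11:09 wazuh-modulesd:vulnerability-scanner[927880] osScanner.hpp:198 at operator()(): DEBUG: Match found, the OS 'windows_11_23h2', is vulnerable to 'CVE-2025-21420'. Current version: '10.0.22631.4890' (less than '' or equal to '10.0.22631.4890'). - Agent 'LTB41' (ID: '323', Version: 'v4.10.1').
2025/03/03 18:23:10 wazuh-modulesd:vulnerability-scanner[927880] scanAgentList.hpp:247 at handleRequest(): DEBUG: Error executing query to fetch agent data for agents. Reason: DB query not synced.
2025/03/03 18:23:10 wazuh-modulesd:vulnerability-scanner[927880] scanOrchestrator.hpp:143 at operator()(): DEBUG: AgentReScanListException. Reason: Error executing rescan for multiple agents.
2025/03/03 18:23:10 wazuh-modulesd:vulnerability-scanner[927880] buildSingleAgentListContext.hpp:93 at handleRequest(): DEBUG: Agent 3458 added to the list of agents to be re-scanned
2025/03/03 18:23:10 wazuh-modulesd:vulnerability-scanner[927880] scanAgentList.hpp:247 at handleRequest(): DEBUG: Error executing query to fetch agent data for agents. Reason: DB query not synced.
2025/03/03 18:23:10 indexer-connector[927880] indexerConnector.cpp:630 at operator()(): DEBUG: Response: {"took":2,"timed_out":false,"total":0,"deleted":0,"batches":0,"version_conflicts":0,"noops":0,"retries":{"bulk":0,"search":0},"throttled_millis":0,"requests_per_second":-1.0,"throttled_until_millis":0,"failures":[]}
"""

# Assumed line layout: "<date> <time> <tag>[pid] <file>:<line> at <func>: <LEVEL>: <message>"
LINE = re.compile(r"^(?P<ts>\S+ \S+) (?P<tag>\S+?)\[\d+\] (?P<src>\S+):\d+ at .+?: (?P<lvl>[A-Z]+): (?P<msg>.*)$")
MATCH = re.compile(r"vulnerable to '(?P<cve>CVE-\d{4}-\d+)'.*\(ID: '(?P<agent>\d+)'")
RESCAN = re.compile(r"Agent (?P<agent>\d+) added to the list of agents to be re-scanned")


def triage(log_text):
    """Summarise vulnerability-scanner debug output; unparsable lines are skipped."""
    out = {"sync_errors": Counter(), "matches": [], "rescans": [], "deleted": []}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, msg = m["ts"], m["msg"]
        if "DB query not synced" in msg:
            out["sync_errors"][ts] += 1  # the error the thread is about
        elif (hit := MATCH.search(msg)):
            out["matches"].append((hit["agent"], hit["cve"]))
        elif (hit := RESCAN.search(msg)):
            out["rescans"].append(hit["agent"])
        elif msg.startswith("Response: {"):
            # Indexer reply to the DeleteByQuery request; 'deleted' is the removed-document count.
            out["deleted"].append(json.loads(msg[len("Response: "):])["deleted"])
    return out


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
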

Francis Timilehin Jeremiah

Mar 3, 2025, 1:17:40 PM
to Wazuh | Mailing List
Hello, what is your setup/cluster like? It seems the syscollector/vulnerability databases are not synchronized. It could be that the agent databases on the master and worker node are not the same. Restart all the Wazuh server services first and check the logs again.

aepfel birnen

Mar 5, 2025, 5:57:00 AM
to Wazuh | Mailing List
Hi Francis,

Thank you for your hint. Setup was made with a single server. So worker and master, and everything else, coexist on the same VPS.

I've restarted the whole machine many times, as well as single services related to Wazuh. Similar logs reappeared.
What is actually meant by "syscollector/vulnerability databases are not synchronized"? Does it mean they are not up to date and not pulled from the CVE source, or does it mean syscollector uses a different agent list/database than other Wazuh components?

If the latter is true: How can I flush, if recommendable, syscollector/vulnerability databases or manually trigger a resync?

Cheers,
Ben

Nidhin

Mar 17, 2025, 2:34:29 PM
to Wazuh | Mailing List
Hello,

I am facing the same issue. Has there been any breakthrough on this? If this issue was resolved, may you kindly post the details, please.

I have tried to remove the event dir under /var/ossec/vd and also restarted all the services from wazuh-server. I have a similar setup, with the indexer and server running on the same machine. I have the dashboard running on another server.

I have added two agents, and both of them give me the same error as reported here. I would appreciate any kind of response to help me progress from this error.

Francis Timilehin Jeremiah

Apr 9, 2025, 8:59:09 AM
to Wazuh | Mailing List
Hello, my apologies for my late response.

Disable the VD module, delete the agent databases, re-enable the VD module, and restart the Wazuh manager.