Vulnerability Detection not detect All Agent
10 views
Skip to first unread message
Robby Hunters
Jan 15, 2026, 6:48:43 AM (3 days ago) Jan 15
to Wazuh | Mailing List
Hi Wazuh Team,
I would like to ask regarding the Vulnerability Detection feature in our Wazuh deployment.
Currently, Vulnerability Detection does not seem to be checking all agents.
From what I can see on the dashboard:
Only Linux agents are being detected, and even then not all Linux agents appear in the vulnerability inventory.
Windows agents do not appear to be detected at all.
There are no obvious errors shown on the dashboard related to vulnerability detection.
Can you help me to trace this issue ?
my ossec.conf in wazuh manager :
<vulnerability-detection>
<enabled>yes</enabled>
<index-status>yes</index-status>
<feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>
<enabled>yes</enabled>
<index-status>yes</index-status>
<feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>
fyi, i have centralized agent configuration and create 3 group, linux windows testing
Thankyou,
Regard,
Robby
Lucio Donda
Jan 15, 2026, 7:24:43 AM (3 days ago) Jan 15
to Wazuh | Mailing List
Hi robby!
Can you tell me which wazuh version are you running?
Here you can found a guide for 4.14: -> https://documentation.wazuh.com/current/proof-of-concept-guide/poc-vulnerability-detection.html#wazuh-server
The configuration looks as you showed and do double check the indexer config. Besides that there's a check by isntalling vim knowing to have some vulnerabilties.
AS you can see each OS has it's specific source for vulnerabilities:
https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/how-it-works.html#compatibility-matrix
Which oses besides winows do not appear in the dashboard?
Another item you should check is syscollector, it should be enabled on that agent -> https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/configuring-scans.html#configuration
```
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
<users>yes</users>
<groups>yes</groups>
<services>yes</services>
<browser_extensions>yes</browser_extensions>
<!-- Database synchronization settings -->
<synchronization>
<max_eps>10</max_eps>
</synchronization>
</wodle>
```
That's the tool used for scanning the agent and with that result matching agains common vulnerabilities. In the above link there's a guide for checking that.
If nothing of what I've shared you should look inside the logs of the agent's that are not present and also in the manger logs, if possible with debug=2 in internal options:
info -> https://documentation.wazuh.com/current/user-manual/reference/internal-options.html#internal-configuration
Linux agents -> agent.debug=2
WIndows agents windows.debug=2
Do remember to click on reply to all for answer. TIA!
Can you tell me which wazuh version are you running?
Here you can found a guide for 4.14: -> https://documentation.wazuh.com/current/proof-of-concept-guide/poc-vulnerability-detection.html#wazuh-server
The configuration looks as you showed and do double check the indexer config. Besides that there's a check by isntalling vim knowing to have some vulnerabilties.
AS you can see each OS has it's specific source for vulnerabilities:
https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/how-it-works.html#compatibility-matrix
Which oses besides winows do not appear in the dashboard?
Another item you should check is syscollector, it should be enabled on that agent -> https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/configuring-scans.html#configuration
```
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="no">yes</ports>
<processes>yes</processes>
<users>yes</users>
<groups>yes</groups>
<services>yes</services>
<browser_extensions>yes</browser_extensions>
<!-- Database synchronization settings -->
<synchronization>
<max_eps>10</max_eps>
</synchronization>
</wodle>
```
That's the tool used for scanning the agent and with that result matching agains common vulnerabilities. In the above link there's a guide for checking that.
If nothing of what I've shared you should look inside the logs of the agent's that are not present and also in the manger logs, if possible with debug=2 in internal options:
info -> https://documentation.wazuh.com/current/user-manual/reference/internal-options.html#internal-configuration
Linux agents -> agent.debug=2
WIndows agents windows.debug=2
Do remember to click on reply to all for answer. TIA!
Lucio Donda
Jan 16, 2026, 9:04:28 AM (2 days ago) Jan 16
to Wazuh | Mailing List
Hi Robby Hunters.
Additional info:
* logs can be queried inside manager and agents with:
cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
* Full troubleshooting can also be found here -> https://documentation.wazuh.com/current/user-manual/wazuh-dashboard/troubleshooting.html
Let me know if you where able to solve the isue.
TIA!
Additional info:
* logs can be queried inside manager and agents with:
cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
* Full troubleshooting can also be found here -> https://documentation.wazuh.com/current/user-manual/wazuh-dashboard/troubleshooting.html
Let me know if you where able to solve the isue.
TIA!
Reply all
Reply to author
Forward
0 new messages