Vulnerability Detection List not updating
exe
Pablo Moliz Arias
To investigate this issue, the following information is required. You can obtain it as described below:
-
Wazuh versions (Manager, Indexer, Dashboard) and Docker image tags
-
Check the Docker image tags or run wazuh-manager -v inside the manager container.
-
-
Vulnerability Detection status
-
Review the <vulnerability-detection> section in ossec.conf on the Wazuh Manager to confirm it is enabled.
-
-
Syscollector status
-
Verify that <wodle name="syscollector"> is enabled in the agent configuration.
-
-
Relevant logs
-
Check Wazuh Manager logs for vulnerability-related messages, for example in /var/ossec/logs/ossec.log or by running docker logs wazuh-manager.
-
-
Inventory update
-
Confirm that agents reported updated package inventory after the server updates.
-
If you share me more this details, I can try to help you to identify why the vulnerability count did not change.
Below are links to the official Wazuh documentation that explain these components in detail:
- Wazuh Docker deployment
- Upgrading Wazuh on Docker
- Vulnerability Detection overview
- How Vulnerability Detection works
- Vulnerability Detection configuration
exe
NAMES IMAGE STATUS
watchtower nickfedor/watchtower:latest Up 2 days (healthy)
portainer_agent portainer/agent:lts Up 2 days
single-node-wazuh.manager-1 wazuh/wazuh-manager:4.13.0 Up 2 days
single-node-wazuh.dashboard-1 wazuh/wazuh-dashboard:4.13.0 Up 2 days
single-node-wazuh.indexer-1 wazuh/wazuh-indexer:4.13.0 Up 7 hours
2.)
<vulnerability-detection>
<enabled>yes</enabled>
<index-status>yes</index-status>
<feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>
3.)
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="yes">yes</ports>
<processes>yes</processes>
4.) I couldn't find any vulnerability-related logs
5.) Still no update sadly
Pablo Moliz Arias
The problem is that he Indexer restarted 7 hours ago, but the Manager did not. When the Indexer goes down, the Manager (specifically the filebeat service inside it) often stops sending data or gets stuck waiting for the connection to come back. Even if the Indexer comes back up, the Manager's shipping pipeline might be "stalled."
Step 1:
We need to re-establish the connection chain. Since you are on Docker, please run these commands on your host machine:
Restart the Manager to reconnect to the Indexer:
docker restart single-node-wazuh.manager-1Wait 2 minutes, then check the Filebeat logs inside the manager to ensure it is talking to the indexer:
docker exec single-node-wazuh.manager-1 cat /var/log/filebeat/filebeat | grep -i "error" | tail -n 10
Step 2
If the restart didn't solve it after a few minutes, your Vulnerability Database inside the container might be stale.
Let's force Wazuh to delete its internal database and re-download the vulnerability definitions from scratch.
Run these commands on your Docker Host:
Enter the Manager container as root:
docker exec -u 0 -it single-node-wazuh.manager-1 bashStop the Wazuh service (inside the container):
/var/ossec/bin/wazuh-control stopCheck if the database file exists:
ls -l /var/ossec/queue/vulnerabilities/cve.db
rm -f /var/ossec/queue/vulnerabilities/cve.db
- The Manager will realize the DB is missing.
It will start downloading the OVAL/NVD feeds.
Once downloaded, it will re-scan your inventory.
A common confusion is where you look in the Dashboard.