Query Regarding Missing Applications in Wazuh Inventory and Vulnerability Detection

52 views
Skip to first unread message

Jaswantha Ragesh

unread,
Jul 9, 2026, 7:00:00 AM (10 days ago) Jul 9
to Wazuh | Mailing List

Hello Wazuh Team,

We are currently evaluating the Vulnerability Detection module in our Wazuh environment and have observed a discrepancy between our organization's software inventory and the applications listed in the Wazuh inventory.

Several applications that are actively used within our environment do not appear in the Wazuh inventory, and consequently, no vulnerability information is displayed for those applications. We would like to understand the possible reasons for this behavior.

Could you please clarify:

  1. What are the conditions required for an application to be included in the Wazuh software inventory?
  2. Are there any limitations regarding software installed through custom installers, portable applications, or manually deployed applications?
  3. How can we verify why a specific application is not being collected by Syscollector?
  4. Are there any logs or troubleshooting steps available to determine why an application is missing from the inventory?
  5. Does Vulnerability Detection only work for applications present in the Wazuh inventory, and are there any additional requirements for vulnerability matching?

We would appreciate any guidance or recommended troubleshooting steps.

Thank you for your support.

Best Regards,
Jaswantha Ragesh

Md. Nazmur Sakib

unread,
Jul 10, 2026, 3:43:33 AM (9 days ago) Jul 10
to Wazuh | Mailing List

Hi Jaswantha,

Sorry for making the answer too long. I tried to make it as organized as I can, but at the same time I wanted to include all the details.


Syscollector reads the operating system's own software registries: On Linux, data is extracted from dpkg (Debian/Ubuntu), rpm (RHEL/CentOS), and pacman (Arch). The app must be registered in a source Syscollector actually reads: on Windows, a registry Uninstall key (with a non-empty DisplayName), a Store/AppX entry, or a pip/npm path; on Linux, the dpkg/rpm/snap database or standard pip/npm dirs.

Portable apps, xcopy/manually-deployed binaries, and custom installers that don't register in those locations are invisible to Syscollector and won't appear in the inventory and therefore get no vulnerability data. On Linux, the same applies to anything installed outside the package manager (compiled from source, tarballs, dropped into /opt


You can go to the Security operations >IT Hygiene Dashboard. Select an agent from the top right and check which packages syscollector is collecting.
2026-07-10 13 42 49.png


Yes, the Vulnerability Detection only works for applications present in the Wazuh inventory; there are no additional requirements for vulnerability matching. The syscollector collects the packages from your endpoints, and the vulnerability detector module scans against the CTI feed to determine if a package is vulnerable or not.



Windows Syscollector collects installed software from these sources in SysInfo::getPackages() (src/data_provider/src/sysInfoWin.cpp, ~line 945):

  1. HKLM Uninstall keys, 64-bit and 32-bit viewsHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall read with KEY_WOW64_64KEY and KEY_WOW64_32KEY 

  2. Per-user Uninstall keys — the same ...\CurrentVersion\Uninstall path under each HKEY_USERS\<SID> hive

  3. Store / AppX appsSOFTWARE\Classes\Local Settings\...\AppModel\Repository\Packages per user 

  4. PyPI (Python) modulesLib\site-packages under Python install paths found in SOFTWARE\Python\PythonCore\*\InstallPath

  5. NPM (Node) modules — under Node install paths from SOFTWARE\Node.js and npm dirs (getNodeDirectories, sysInfoWin.cpp:920-943).

  6. Windows hotfixes/updates — separate from packages, read in SysInfo::getHotfixes() from the hotfix/QFE registry keys

You can run commands like this in PowerShell as an administrator to check which software package information SysCollector collects from the Windows endpoint.

Source 1 — HKLM 64-bit Uninstall keys 

Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" -EA SilentlyContinue |

  ForEach-Object { (Get-ItemProperty $_.PSPath -EA SilentlyContinue).DisplayName } | Where-Object { $_ }

Source 2 — HKLM 32-bit Uninstall keys 

Get-ChildItem "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall" -EA SilentlyContinue |

  ForEach-Object { (Get-ItemProperty $_.PSPath -EA SilentlyContinue).DisplayName } | Where-Object { $_ }

Source 3 — Per-user Uninstall 

Get-ChildItem "Registry::HKEY_USERS" -EA SilentlyContinue | ForEach-Object {

    $k = "Registry::HKEY_USERS\$($_.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

    if (Test-Path $k) { Get-ChildItem $k -EA SilentlyContinue | ForEach-Object { (Get-ItemProperty $_.PSPath -EA SilentlyContinue).DisplayName } }

} | Where-Object { $_ }

Source 4 — Store / AppX apps 

Get-AppxPackage -AllUsers |

  Where-Object { -not $_.IsFramework -and -not $_.IsResourcePackage -and $_.InstallLocation -like "C:\Program Files\WindowsApps\*" } |

  ForEach-Object { try { $d = (Get-AppxPackageManifest $_).Package.Properties.DisplayName } catch { $d = $null }; if ($d -and $d -notlike "ms-resource:*") { $d } } |

  Where-Object { $_ } | Sort-Object -Unique

Source 5 — PyPI packages

python -m pip list


Ref: https://github.com/wazuh/wazuh/blob/main/src/data_provider/src/sysInfoWin.cpp





For Linux endpoints. I will use an RPM (RHEL, CentOS, Fedora, Rocky, Alma, openSUSE, Amazon Linux) based OS as an example.

It will get there packages information


1. rpm — the primary source 

rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE} %{ARCH}\n'

2. snap (only if /var/lib/snapd exists — common on some RPM distros, not all)

snap list

3. dpkg (normally inert on RPM systems — only fires if /var/lib/dpkg/ exists)

test -d /var/lib/dpkg && dpkg-query -W -f='${Package} ${Version}\n' || echo "no dpkg database present"

5. PyPI modules (scanned from the standard *-packages dirs; note RPM distros use lib64 and platform-python paths)

find /usr/lib/python*/site-packages /usr/lib64/python*/site-packages \

     /usr/local/lib/python*/site-packages \

     /home/*/.local/lib/python*/site-packages /root/.local/lib/python*/site-packages \

     -maxdepth 1 \( -name '*.dist-info' -o -name '*.egg-info' \) 2>/dev/null | sort -u

6. Simpler equivalent if pip is present:

pip list 2>/dev/null; pip3 list 2>/dev/null


7. NPM modules (global npm dirs)

npm ls -g --depth=0 2>/dev/null


Ref:

https://github.com/wazuh/wazuh/blob/main/src/data_provider/src/sharedDefs.h
https://github.com/wazuh/wazuh/blob/main/src/data_provider/src/packages/packageLinuxDataRetriever.h
https://github.com/wazuh/wazuh/blob/main/src/data_provider/src/sysInfoLinux.cpp



Let me know which packages you are missing in the Wazuh inventory(IT Hygiene) so that I can also do some checks from my end and let you know exactly what is happening.

Cristian Padilla López

unread,
Jul 10, 2026, 10:43:31 AM (9 days ago) Jul 10
to Wazuh | Mailing List
Hi Jaswantha,

I would like to complement the information shared by Nazmur

The Wazuh Vulnerability Detection module identifies vulnerabilities in the operating system and applications installed on monitored endpoints. It uses the inventory collected by Syscollector and correlates package names and versions with vulnerability information from the Wazuh Cyber Threat Intelligence platform.

Regarding your questions:

What is required for an application to appear in the software inventory?
Syscollector must be enabled with package collection active. It obtains installed software information from the package or application inventory mechanisms provided by the operating system, such as Linux package managers or the Windows installed-software inventory. The application must provide identifiable information such as its name and version.

Are portable or manually installed applications supported?
Portable applications, manually copied binaries, and custom installers might not appear if they are not registered in the operating system’s software inventory. Syscollector does not scan every executable stored on the endpoint.

How can we verify whether an application is collected?
Check Menu > IT Hygiene > Software > Packages, or query the agent inventory:

GET /syscollector/<AGENT_ID>/packages?pretty=true

Also confirm that package collection is enabled:

no yes yes
Syscollector is enabled by default on endpoints where the Wazuh agent is installed.

How can we troubleshoot a missing application?
First, confirm that the operating system recognizes the application as installed. If it does but it is still missing from Wazuh, review the agent ossec.log.

For additional troubleshooting, temporarily add the following to local_internal_options.conf and restart the agent:

wazuh_modules.debug=2

Then review ossec.log for Syscollector-related messages. Disable debug logging after completing the troubleshooting.

Does Vulnerability Detection only evaluate inventoried applications?
Yes. If the application is not present in the Syscollector inventory, Vulnerability Detection cannot evaluate it.

If the package is present but no vulnerability is displayed, matching also depends on the package name, version, operating system, affected version range, and the available Wazuh CTI product mappings.


Official documentation:

https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/how-it-works.html
https://documentation.wazuh.com/current/user-manual/capabilities/system-inventory/configuration.html
https://documentation.wazuh.com/current/user-manual/capabilities/system-inventory/compatibility-matrix.html
https://documentation.wazuh.com/current/user-manual/reference/internal-options.html


Reply all
Reply to author
Forward
0 new messages