Hello Wazuh Team,
We are currently evaluating the Vulnerability Detection module in our Wazuh environment and have observed a discrepancy between our organization's software inventory and the applications listed in the Wazuh inventory.
Several applications that are actively used within our environment do not appear in the Wazuh inventory, and consequently, no vulnerability information is displayed for those applications. We would like to understand the possible reasons for this behavior.
Could you please clarify:
We would appreciate any guidance or recommended troubleshooting steps.
Thank you for your support.
Best Regards,
Jaswantha Ragesh
Hi Jaswantha,
Sorry for making the answer too long. I tried to make it as organized as I can, but at the same time I wanted to include all the details.
Syscollector reads the operating system's own software registries: On Linux, data is extracted from dpkg (Debian/Ubuntu), rpm (RHEL/CentOS), and pacman (Arch). The app must be registered in a source Syscollector actually reads: on Windows, a registry Uninstall key (with a non-empty DisplayName), a Store/AppX entry, or a pip/npm path; on Linux, the dpkg/rpm/snap database or standard pip/npm dirs.
Portable apps, xcopy/manually-deployed binaries, and custom installers that don't register in those locations are invisible to Syscollector and won't appear in the inventory and therefore get no vulnerability data. On Linux, the same applies to anything installed outside the package manager (compiled from source, tarballs, dropped into /opt
You can go to the Security operations >IT Hygiene Dashboard. Select an agent from the top right and check which packages syscollector is collecting.
Yes, the Vulnerability Detection only works for applications present in the Wazuh inventory; there are no additional requirements for vulnerability matching. The syscollector collects the packages from your endpoints, and the vulnerability detector module scans against the CTI feed to determine if a package is vulnerable or not.
Windows Syscollector collects installed software from these sources in SysInfo::getPackages() (src/data_provider/src/sysInfoWin.cpp, ~line 945):
HKLM Uninstall keys, 64-bit and 32-bit views — HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall read with KEY_WOW64_64KEY and KEY_WOW64_32KEY
Per-user Uninstall keys — the same ...\CurrentVersion\Uninstall path under each HKEY_USERS\<SID> hive
Store / AppX apps — SOFTWARE\Classes\Local Settings\...\AppModel\Repository\Packages per user
PyPI (Python) modules — Lib\site-packages under Python install paths found in SOFTWARE\Python\PythonCore\*\InstallPath
NPM (Node) modules — under Node install paths from SOFTWARE\Node.js and npm dirs (getNodeDirectories, sysInfoWin.cpp:920-943).
Windows hotfixes/updates — separate from packages, read in SysInfo::getHotfixes() from the hotfix/QFE registry keys
You can run commands like this in PowerShell as an administrator to check which software package information SysCollector collects from the Windows endpoint.
Source 1 — HKLM 64-bit Uninstall keys
Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" -EA SilentlyContinue |
ForEach-Object { (Get-ItemProperty $_.PSPath -EA SilentlyContinue).DisplayName } | Where-Object { $_ }
Source 2 — HKLM 32-bit Uninstall keys
Get-ChildItem "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall" -EA SilentlyContinue |
ForEach-Object { (Get-ItemProperty $_.PSPath -EA SilentlyContinue).DisplayName } | Where-Object { $_ }
Source 3 — Per-user Uninstall
Get-ChildItem "Registry::HKEY_USERS" -EA SilentlyContinue | ForEach-Object {
$k = "Registry::HKEY_USERS\$($_.PSChildName)\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
if (Test-Path $k) { Get-ChildItem $k -EA SilentlyContinue | ForEach-Object { (Get-ItemProperty $_.PSPath -EA SilentlyContinue).DisplayName } }
} | Where-Object { $_ }
Source 4 — Store / AppX apps
Get-AppxPackage -AllUsers |
Where-Object { -not $_.IsFramework -and -not $_.IsResourcePackage -and $_.InstallLocation -like "C:\Program Files\WindowsApps\*" } |
ForEach-Object { try { $d = (Get-AppxPackageManifest $_).Package.Properties.DisplayName } catch { $d = $null }; if ($d -and $d -notlike "ms-resource:*") { $d } } |
Where-Object { $_ } | Sort-Object -Unique
Source 5 — PyPI packages
python -m pip list
Ref: https://github.com/wazuh/wazuh/blob/main/src/data_provider/src/sysInfoWin.cpp
For Linux endpoints. I will use an RPM (RHEL, CentOS, Fedora, Rocky, Alma, openSUSE, Amazon Linux) based OS as an example.
It will get there packages information
1. rpm — the primary source
rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE} %{ARCH}\n'
2. snap (only if /var/lib/snapd exists — common on some RPM distros, not all)
snap list
3. dpkg (normally inert on RPM systems — only fires if /var/lib/dpkg/ exists)
test -d /var/lib/dpkg && dpkg-query -W -f='${Package} ${Version}\n' || echo "no dpkg database present"
5. PyPI modules (scanned from the standard *-packages dirs; note RPM distros use lib64 and platform-python paths)
find /usr/lib/python*/site-packages /usr/lib64/python*/site-packages \
/usr/local/lib/python*/site-packages \
/home/*/.local/lib/python*/site-packages /root/.local/lib/python*/site-packages \
-maxdepth 1 \( -name '*.dist-info' -o -name '*.egg-info' \) 2>/dev/null | sort -u
6. Simpler equivalent if pip is present:
pip list 2>/dev/null; pip3 list 2>/dev/null
7. NPM modules (global npm dirs)
npm ls -g --depth=0 2>/dev/null
Ref:
https://github.com/wazuh/wazuh/blob/main/src/data_provider/src/sharedDefs.h
https://github.com/wazuh/wazuh/blob/main/src/data_provider/src/packages/packageLinuxDataRetriever.h
https://github.com/wazuh/wazuh/blob/main/src/data_provider/src/sysInfoLinux.cpp
Let me know which packages you are missing in the Wazuh inventory(IT Hygiene) so that I can also do some checks from my end and let you know exactly what is happening.