


Hello Hasantha,
The vulnerability configuration you have done for 4.14.4 is not correct.
From 4.8 and above, we use Wazuh CTI for feed updates. So you do not need to mention each feed individually in the vulnerability configuration.
So, remove the current vulnerability configuration you have.
<vulnerability-detector>
  <enabled>yes</enabled>
  <interval>5m</interval>
  <min_full_scan_interval>6h</min_full_scan_interval>
  <run_on_start>yes</run_on_start>
  <!-- Ubuntu OS vulnerabilities -->
  <provider name="canonical">
    <enabled>yes</enabled>
    <os>trusty</os>
    <os>xenial</os>
    <os>bionic</os>
    <os>focal</os>
    <os>jammy</os>
    <update_interval>1h</update_interval>
  </provider>
—-------------
    <update_interval>1h</update_interval>
  </provider>
</vulnerability-detector>
And add
<vulnerability-detection>
  <enabled>yes</enabled>
  <index-status>yes</index-status>
  <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>
Next, make sure you have the indexer connector configuration correctly configured.
<indexer>
  <enabled>yes</enabled>
  <hosts>
    <host>https://0.0.0.0:9200</host>
  </hosts>
  <ssl>
    <certificate_authorities>
      <ca>/etc/filebeat/certs/root-ca.pem</ca>
    </certificate_authorities>
    <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
    <key>/etc/filebeat/certs/filebeat-key.pem</key>
  </ssl>
</indexer>
You can follow this Configuration document for the configuration details.
Restart the manager to apply the changes.
Save the Wazuh indexer username (admin) and password into the Wazuh manager keystore using the wazuh-keystore tool:
echo '<WAZUH_INDEXER_USERNAME>' | /var/ossec/bin/wazuh-keystore -f indexer -k username
echo '<WAZUH_INDEXER_PASSWORD>' | /var/ossec/bin/wazuh-keystore -f indexer -k password
Let me know if this solves your issue.
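
The following check is an added example, not part of the original reply and not Wazuh's own tooling: it parses manager configuration text and reports whether the legacy `<vulnerability-detector>` block is still present and whether the `<vulnerability-detection>` and `<indexer>` blocks match the settings shown above. The function name `audit_ossec_conf` and the sample input are constructed for illustration; the "yes" and https expectations are assumptions taken from the configuration in this reply.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a manager config that still carries the legacy block
# and has no <vulnerability-detection> or <indexer> section.
SAMPLE_LEGACY = """
<ossec_config>
  <vulnerability-detector>
    <enabled>yes</enabled>
    <provider name="canonical"><enabled>yes</enabled><os>jammy</os></provider>
  </vulnerability-detector>
</ossec_config>
"""

def audit_ossec_conf(text):
    """Return a list of findings for the vulnerability detection settings."""
    # ossec.conf may hold several <ossec_config> blocks, so wrap them in one root.
    root = ET.fromstring("<root>" + text + "</root>")
    findings = []
    if root.find(".//vulnerability-detector") is not None:
        findings.append("legacy <vulnerability-detector> block present: remove it")
    vd = root.find(".//vulnerability-detection")
    if vd is None:
        findings.append("<vulnerability-detection> block missing")
    else:
        for tag in ("enabled", "index-status"):
            if (vd.findtext(tag) or "").strip() != "yes":
                findings.append(f"<{tag}> is not 'yes' in <vulnerability-detection>")
    idx = root.find(".//indexer")
    if idx is None:
        findings.append("<indexer> block missing")
        return findings
    if (idx.findtext("enabled") or "").strip() != "yes":
        findings.append("<indexer> is not enabled")
    hosts = [(h.text or "").strip() for h in idx.findall("hosts/host")]
    if not hosts:
        findings.append("<indexer> has no <host> entries")
    # Assumption from the reply's config: the indexer is reached over TLS.
    findings += [f"host {h!r} does not use https" for h in hosts if not h.startswith("https://")]
    for path in ("ssl/certificate_authorities/ca", "ssl/certificate", "ssl/key"):
        if not (idx.findtext(path) or "").strip():
            findings.append(f"<indexer> is missing {path}")
    return findings

if __name__ == "__main__":
    for finding in audit_ossec_conf(SAMPLE_LEGACY):
        print(finding)
```

An empty list means the three blocks match the layout in this reply; it does not test connectivity to the indexer or the keystore credentials.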