Vulnerabilities index for agents' information


Isaac S.

Apr 29, 2026, 3:14:45 PM
to Wazuh | Mailing List
Hello Wazuh Team

I have been checking the Wazuh agents' information and I discovered that there are two indexes with agents' vulnerability information:
- wazuh-alerts-*
- wazuh-states-vulnerabilities-*

Some agents have vulnerability information in both indexes, or only in one of them. Is there a way to extract a vulnerability summary for agents with the API?

Or is it possible to re-scan the agents so that all the information ends up in the wazuh-alerts-* index?

Thanks

Isaac

Olamilekan Abdullateef Ajani

Apr 29, 2026, 4:45:13 PM
to Wazuh | Mailing List
Hello Isaac,

To break this down: wazuh-states-vulnerabilities-* is the primary index used to store the current vulnerability state of monitored assets, including severity, status, affected software, and vulnerability reference data. This is what the Vulnerability Detection Dashboard and Inventory tabs use.
wazuh-alerts-*, on the other hand, is the general alerts index. The Vulnerability Detection module generates alerts there only when new vulnerabilities are detected or existing ones are resolved due to package updates, removals, or system upgrades.

I believe this explains the discrepancy you see: not all vulnerabilities in wazuh-states-vulnerabilities-* will have a corresponding alert in wazuh-alerts-*, because:

Alerts are not generated during the initial inventory scan. Alerts are only triggered in subsequent scans if a change in OS version or patch state is detected.
Ref:
https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/how-it-works.html#packages-alerts

Alerts related to package changes are triggered only when a vulnerability is added to or removed from the inventory due to installing or removing a package, and only if the event was captured during a scheduled Syscollector scan.
Ref:
https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/how-it-works.html#alert-generation

Extracting Vulnerability Summaries via API:
You can query vulnerabilities directly from the Wazuh Indexer. The wazuh-states-vulnerabilities-* index is the right one to use, and since the vulnerabilities are indexed there, you can use the OpenSearch/Elasticsearch API to query them.


Example: get all vulnerabilities for a specific agent:

POST /wazuh-states-vulnerabilities-*/_search
{
  "query": {
    "match": {
      "agent.id": "007"
    }
  }
}

You can trigger a refresh indirectly by restarting the agent.


Ref:
https://documentation.wazuh.com/current/user-manual/indexer-api/use-case.html#query-vulnerability-data
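The query in the reply above returns the first 10 matching documents by default (OpenSearch's default `size`), which is not yet a per-agent summary. The following is an added example, not code from the Wazuh project or from the thread: it builds an aggregation query against wazuh-states-vulnerabilities-* that counts vulnerabilities per agent and per severity, and reduces either the aggregation response or raw hits into a `{agent_id: {severity: count}}` dictionary. It assumes the field names `agent.id`, `agent.name`, `vulnerability.id`, `vulnerability.severity`, `package.name` and `package.version` (the ECS-style mapping of the Wazuh 4.8+ states index) and the capitalised severity values `Critical`/`High`/`Medium`/`Low`; verify them against your index mapping. The indexer URL, user, password and CA file are parameters, and the sample hits are constructed inline so the script runs offline.

```python
"""Per-agent vulnerability summary from wazuh-states-vulnerabilities-*.

Added example; not Wazuh project code. Field names and severity values are
assumptions about the states index mapping (see lead-in).
"""
import base64
import json
import ssl
import urllib.request
from collections import defaultdict

INDEX = "wazuh-states-vulnerabilities-*"


def build_summary_query(agent_id=None, size=0):
    """Return an OpenSearch request body that counts vulnerabilities per agent
    and per severity. agent.id is a keyword field, so a term query is used
    rather than an analysed match query. size=0 returns only the aggregations,
    so the default 10-hit page size does not truncate anything."""
    query = {"term": {"agent.id": agent_id}} if agent_id else {"match_all": {}}
    return {
        "size": size,
        "track_total_hits": True,
        "query": query,
        "aggs": {
            "per_agent": {
                "terms": {"field": "agent.id", "size": 10000},
                "aggs": {
                    "name": {"terms": {"field": "agent.name", "size": 1}},
                    "per_severity": {
                        "terms": {"field": "vulnerability.severity", "size": 10}
                    },
                },
            }
        },
    }


def summarize_aggs(response):
    """Flatten the aggregation response into {agent_id: {severity: count}}."""
    summary = {}
    for bucket in response["aggregations"]["per_agent"]["buckets"]:
        summary[bucket["key"]] = {
            sev["key"]: sev["doc_count"] for sev in bucket["per_severity"]["buckets"]
        }
    return summary


def summarize_hits(hits):
    """Same summary computed client-side from raw hits, for when you page
    through documents (size + search_after) instead of aggregating."""
    summary = defaultdict(lambda: defaultdict(int))
    for hit in hits:
        src = hit["_source"]
        summary[src["agent"]["id"]][src["vulnerability"]["severity"]] += 1
    return {agent: dict(counts) for agent, counts in summary.items()}


def search(base_url, user, password, body, cafile):
    """POST body to the Wazuh indexer (assumed shape https://host:9200).
    The indexer's CA certificate is verified via cafile instead of disabling
    TLS verification; basic auth is what the indexer expects by default."""
    ctx = ssl.create_default_context(cafile=cafile)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url}/{INDEX}/_search",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


# Constructed sample hits standing in for what the indexer returns; the CVE
# identifiers are placeholders, not real vulnerabilities.
SAMPLE_HITS = [
    {"_source": {"agent": {"id": "007", "name": "web-01"},
                 "package": {"name": "pkg-a", "version": "1.0"},
                 "vulnerability": {"id": "CVE-0000-0001", "severity": "High"}}},
    {"_source": {"agent": {"id": "007", "name": "web-01"},
                 "package": {"name": "pkg-b", "version": "2.3"},
                 "vulnerability": {"id": "CVE-0000-0002", "severity": "High"}}},
    {"_source": {"agent": {"id": "007", "name": "web-01"},
                 "package": {"name": "pkg-c", "version": "0.9"},
                 "vulnerability": {"id": "CVE-0000-0003", "severity": "Medium"}}},
    {"_source": {"agent": {"id": "012", "name": "db-01"},
                 "package": {"name": "pkg-d", "version": "4.1"},
                 "vulnerability": {"id": "CVE-0000-0004", "severity": "Critical"}}},
]

if __name__ == "__main__":
    print(json.dumps(build_summary_query("007"), indent=2))
    print(summarize_hits(SAMPLE_HITS))
```

To run it against a live indexer, pass the body from `build_summary_query()` (no agent id for all agents) to `search()` and feed the result to `summarize_aggs()`; agents that never appear in the buckets have no documents in the states index at all, which is the case the rest of this thread is about.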

Isaac S.

Apr 30, 2026, 2:35:23 PM
to Wazuh | Mailing List
Hello Olamilekan

I have checked the documentation that you sent and it's clear.

There are some agents with zero vulnerabilities; could it be a communication problem between wazuh-manager (Filebeat) and wazuh-indexer?

Isaac

Olamilekan Abdullateef Ajani

Apr 30, 2026, 5:08:26 PM
to Wazuh | Mailing List
Hello Isaac,

Yes, zero vulnerabilities on certain agents can stem from several causes, and it is not necessarily a Filebeat/Indexer communication problem, because that would mean no vulnerability events at all on any agent.
A few troubleshooting steps:

Verify Syscollector is Running on the Agent

The Vulnerability Detection module depends entirely on Syscollector sending package inventory to the manager. If Syscollector is disabled or failing, the agent will show zero vulnerabilities.

On the affected agent, run:

  grep -iE "syscollector" /var/ossec/logs/ossec.log

You should see lines like:
  wazuh-modulesd:syscollector: INFO: Starting evaluation.
  wazuh-modulesd:syscollector: INFO: Evaluation finished.

If these are absent, Syscollector may be disabled. Check the agent's ossec.conf:

  <wodle name="syscollector">
    <disabled>no</disabled>
    <packages>yes</packages>
    ...
  </wodle>

Ref:
https://documentation.wazuh.com/current/user-manual/capabilities/system-inventory/configuration.html

Check Agent's Local Package Database

If Syscollector is running but the indexer still shows zero vulnerabilities, verify that the agent's local SQLite database actually contains package data:

  sqlite3 /var/ossec/queue/db/000.db "select count(*) from sys_programs;"
  (replace 000 with the agent ID, e.g., 007.db)

If the count is 0, the agent is not collecting package inventory; confirm that <packages>yes</packages> is set in the Syscollector configuration.

Force a re-sync.

To trigger a fresh inventory sync from the agent:

On the agent: systemctl restart wazuh-agent

This restarts Syscollector and forces an immediate scan (if <scan_on_start>yes</scan_on_start> is configured, which is the default).

It could also mean the OS is not fully supported or not detected properly, i.e. Wazuh cannot identify the OS version.
Check the compatibility matrix here: https://documentation.wazuh.com/current/user-manual/capabilities/system-inventory/compatibility-matrix.html

Lastly, it may just mean there are no vulnerable packages; this is less common but also possible.

Please let me know the results of the tests above.

Regards
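The three checks in the reply above (Syscollector activity in ossec.log, the syscollector wodle settings in ossec.conf, and the row count of sys_programs in the agent database) can be scripted so the same diagnosis is applied to every agent that shows zero vulnerabilities. The following is an added example, not Wazuh project code or code from the thread. It assumes the log line format quoted in the reply, the wodle element names `<disabled>`, `<packages>` and `<scan_on_start>` with the defaults the reply states, and a `sys_programs` table of which only the row count is used (the constructed sample database below creates a two-column stand-in, not the real schema). The sample log, config and database are constructed inline so the script runs offline; point `diagnose()` at the real `/var/ossec/logs/ossec.log`, `/var/ossec/etc/ossec.conf` and `/var/ossec/queue/db/<id>.db` to use it for real.

```python
"""Automate the Syscollector / package-inventory checks from the reply above.

Added example; not Wazuh project code. Log format, element names and the
sys_programs stand-in schema are assumptions (see lead-in).
"""
import os
import re
import sqlite3
import tempfile
import xml.etree.ElementTree as ET

# Matches the two ossec.log lines the reply says a healthy Syscollector emits.
SYSCOLLECTOR_RE = re.compile(
    r"wazuh-modulesd:syscollector: INFO: (Starting evaluation|Evaluation finished)"
)


def syscollector_runs(log_text):
    """Return (started, finished) counts of Syscollector evaluations found in
    ossec.log text. finished == 0 means no inventory scan has completed."""
    started = finished = 0
    for line in log_text.splitlines():
        match = SYSCOLLECTOR_RE.search(line)
        if match is None:
            continue
        if match.group(1).startswith("Starting"):
            started += 1
        else:
            finished += 1
    return started, finished


def syscollector_config(conf_xml):
    """Read the syscollector wodle from ossec.conf text. ossec.conf may hold
    several top-level <ossec_config> blocks, so it is wrapped in one root
    before parsing. Missing elements fall back to the Wazuh defaults the
    reply cites (enabled, packages on, scan_on_start on)."""
    root = ET.fromstring(f"<root>{conf_xml}</root>")
    wodle = root.find(".//wodle[@name='syscollector']")
    if wodle is None:
        return {"present": False}

    def flag(tag, default):
        element = wodle.find(tag)
        if element is None or element.text is None:
            return default
        return element.text.strip().lower() == "yes"

    return {
        "present": True,
        "disabled": flag("disabled", False),
        "packages": flag("packages", True),
        "scan_on_start": flag("scan_on_start", True),
    }


def package_count(db_path):
    """Row count of sys_programs in an agent DB such as
    /var/ossec/queue/db/007.db, opened read-only so the check cannot alter it."""
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        return con.execute("SELECT COUNT(*) FROM sys_programs").fetchone()[0]
    finally:
        con.close()


def diagnose(log_text, conf_xml, db_path):
    """Apply the checks in the reply's order and return findings as strings.
    An empty list means inventory is flowing, so the remaining explanations
    are OS detection/compatibility or genuinely no vulnerable packages."""
    findings = []
    cfg = syscollector_config(conf_xml)
    if not cfg["present"]:
        findings.append("syscollector wodle missing from ossec.conf")
    elif cfg["disabled"]:
        findings.append("syscollector is disabled (<disabled>yes</disabled>)")
    elif not cfg["packages"]:
        findings.append("package inventory is off (<packages>no</packages>)")
    started, finished = syscollector_runs(log_text)
    if finished == 0:
        findings.append(f"no completed Syscollector evaluation in log ({started} started)")
    if package_count(db_path) == 0:
        findings.append("sys_programs is empty: no package inventory reached the database")
    return findings


def make_sample_db(package_names):
    """Create a constructed stand-in for an agent DB (two-column sys_programs)
    in a temp file and return its path; only used for offline demonstration."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE sys_programs (name TEXT, version TEXT)")
    con.executemany("INSERT INTO sys_programs VALUES (?, '1.0')",
                    [(name,) for name in package_names])
    con.commit()
    con.close()
    return path


# Constructed sample inputs in the shapes the reply shows.
SAMPLE_LOG_OK = (
    "2026/04/30 10:00:00 wazuh-modulesd:syscollector: INFO: Starting evaluation.\n"
    "2026/04/30 10:00:07 wazuh-modulesd:syscollector: INFO: Evaluation finished.\n"
)
SAMPLE_CONF_OK = """<ossec_config>
  <wodle name="syscollector">
    <disabled>no</disabled>
    <scan_on_start>yes</scan_on_start>
    <packages>yes</packages>
  </wodle>
</ossec_config>"""
SAMPLE_CONF_DISABLED = SAMPLE_CONF_OK.replace("<disabled>no</disabled>",
                                              "<disabled>yes</disabled>")

if __name__ == "__main__":
    print("healthy:", diagnose(SAMPLE_LOG_OK, SAMPLE_CONF_OK, make_sample_db(["pkg-a"])))
    print("broken:", diagnose("", SAMPLE_CONF_DISABLED, make_sample_db([])))
```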
