Detection problem with my new agent

Soulyo

Jul 15, 2024, 6:30:31 AM
to Wazuh | Mailing List
Hello,

I've just put the Wazuh agent on a new workstation, except that when I go to the dashboard and look at Vulnerability Detections, it returns "No results match your search criteria".
whereas everything else, if you could help me activate it?

Thank you very much
Nathan

Nicolas Agustin Guevara Pihen

Jul 15, 2024, 6:59:09 AM
to Wazuh | Mailing List
Hello Nathan,
To correctly enable the Vulnerability Detection on your new agent, verify the following steps:
  • On the agent's ossec.conf, look at the syscollector wodle and verify that it is enabled and packages is set to yes. It should look something like:

    <wodle name="syscollector">
      <disabled>no</disabled>
      <interval>1h</interval>
      <scan_on_start>yes</scan_on_start>
      <hardware>yes</hardware>
      <os>yes</os>
      <network>yes</network>
      <packages>yes</packages>
      <ports all="no">yes</ports>
      <processes>yes</processes>

      <!-- Database synchronization settings -->
      <synchronization>
        <max_eps>10</max_eps>
      </synchronization>
    </wodle>

  • After configuring the previous step, you can look at the agent in the dashboard, click on Inventory data and confirm that the Packages section contains information about the installed packages on the agent. Here is an example: 

    [screenshot: v3DvZwbbJo.png]
  • If, after following those steps, you are still not able to see the vulnerabilities, do the following:
    • If you are using Wazuh 4.8.0, verify if your system OS is on the list of supported systems.
    • If you are using Wazuh 4.7 or lower, verify that the provider for your OS is enabled (reference). If your OS is not on the list of providers, you can configure Wazuh to scan it following this documentation.
    • It is possible that the scan takes some time to be completed, and also to start. You can trigger a scan by restarting the manager if possible. 
    • If you are still not able to see the vulnerabilities, kindly share with me the output of grep -i 'vuln' /var/ossec/logs/ossec.log in the manager to troubleshoot the issue.
I hope you find this information helpful!
Regards,
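
The first check in the reply above (syscollector enabled, packages set to yes) can be scripted. This is an added example, not part of the original post or of Wazuh's own tooling; the function names and the sample file are constructed, and it assumes that a later syscollector block overrides an earlier one.

```python
import xml.etree.ElementTree as ET

# Constructed sample: two <ossec_config> blocks, the second one re-declares
# the syscollector wodle and turns package collection off.
SAMPLE_CONF = """
<ossec_config>
  <wodle name="syscollector">
    <disabled>no</disabled>
    <packages>yes</packages>
  </wodle>
</ossec_config>
<ossec_config>
  <wodle name="syscollector">
    <packages>no</packages>
  </wodle>
</ossec_config>
"""

# Values the reply asks for: module enabled, package inventory on.
REQUIRED = {"disabled": "no", "packages": "yes"}


def syscollector_settings(conf_text):
    """Collect syscollector options from every block of an ossec.conf."""
    # ossec.conf can hold several top-level <ossec_config> elements, which a
    # strict XML parser rejects, so parse it under a synthetic root.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    settings = {}
    for wodle in root.iter("wodle"):
        if wodle.get("name") != "syscollector":
            continue
        for opt in wodle:
            # Assumption: a later declaration overrides an earlier one.
            settings[opt.tag] = (opt.text or "").strip().lower()
    return settings


def check_syscollector(conf_text):
    """Return a list of findings; an empty list means both options are set."""
    settings = syscollector_settings(conf_text)
    findings = []
    for option, wanted in REQUIRED.items():
        actual = settings.get(option)
        if actual is None:
            findings.append(f"<{option}> is not set in any syscollector block")
        elif actual != wanted:
            findings.append(f"<{option}> is '{actual}', expected '{wanted}'")
    return findings
```

Feed it the text of the agent's ossec.conf; a non-empty result explains an empty Packages inventory before the manager side is examined.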

Soulyo

Jul 15, 2024, 8:20:13 AM
to Wazuh | Mailing List
I put in the same settings as you (screen), but it still doesn't work.

Logs:
[wazuh-user@wazuh-server ~]$ grep -i 'vuln' /var/ossec/logs/ossec.log
2024/07/12 12:48:04 wazuh-modulesd:vulnerability-scanner: INFO: Starting vulnerability_scanner module.
2024/07/12 12:48:06 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh-server', retrying until the connection is successful.
2024/07/12 12:48:06 wazuh-modulesd:vulnerability-scanner: INFO: Starting database file decompression.
2024/07/12 12:49:08 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-vulnerabilities-wazuh-server.
2024/07/12 12:49:35 wazuh-modulesd:vulnerability-scanner: INFO: Database decompression finished.
2024/07/12 12:49:36 wazuh-modulesd:vulnerability-scanner: INFO: Vulnerability scanner module started
2024/07/12 12:53:51 wazuh-modulesd:vulnerability-scanner: INFO: Initiating update feed process
2024/07/15 11:56:51 wazuh-modulesd:vulnerability-scanner: INFO: Starting vulnerability_scanner module.
2024/07/15 11:56:52 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh-server', retrying until the connection is successful.
2024/07/15 11:56:53 wazuh-modulesd:vulnerability-scanner: INFO: Vulnerability scanner module started
2024/07/15 09:57:33 wazuh-modulesd:vulnerability-scanner: INFO: Initiating update feed process
2024/07/15 09:57:33 wazuh-modulesd:vulnerability-scanner: ERROR: Error updating feed: [json.exception.out_of_range.401] array index 1 is out of range, trying to re-download the feed.
2024/07/15 09:58:39 wazuh-modulesd:vulnerability-scanner: INFO: Initiating update feed process
2024/07/15 10:14:42 wazuh-modulesd:vulnerability-scanner: INFO: Starting vulnerability_scanner module.
2024/07/15 10:14:43 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh-server', retrying until the connection is successful.
2024/07/15 10:14:43 wazuh-modulesd:vulnerability-scanner: ERROR: Error opening the database: Vendor map can not be found in DB., trying to re-download the feed.
2024/07/15 10:14:44 wazuh-modulesd:vulnerability-scanner: INFO: Vulnerability scanner module started
2024/07/15 10:14:52 wazuh-modulesd:vulnerability-scanner: ERROR: VulnerabilityScannerFacade::initEventDispatcher: Empty OS data from Wazuh-DB (agent 001).
2024/07/15 10:15:14 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-vulnerabilities-wazuh-server.
2024/07/15 10:15:37 wazuh-modulesd:vulnerability-scanner: INFO: Initiating update feed process
2024/07/15 11:16:21 wazuh-modulesd:vulnerability-scanner: ERROR: Error updating feed: Invalid line. file: queue/vd_updater/tmp/contents/vd_1.0.0_vd_4.8.0_756338_1720112313.json, trying to re-download the feed.
2024/07/15 11:16:21 wazuh-modulesd:vulnerability-scanner: INFO: Initiating update feed process
2024/07/15 11:16:21 wazuh-modulesd:vulnerability-scanner: ERROR: Error updating feed: Unable to find resource., trying to re-download the feed.
2024/07/15 11:16:42 wazuh-modulesd:vulnerability-scanner: INFO: Initiating update feed process
2024/07/15 12:06:45 wazuh-modulesd:vulnerability-scanner: INFO: Starting vulnerability_scanner module.
2024/07/15 12:06:46 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh-server', retrying until the connection is successful.
2024/07/15 12:06:47 wazuh-modulesd:vulnerability-scanner: ERROR: Error opening the database: Error getting CNA Mapping content from rocksdb., trying to re-download the feed.
2024/07/15 12:06:48 wazuh-modulesd:vulnerability-scanner: INFO: Vulnerability scanner module started
2024/07/15 12:07:40 wazuh-modulesd:vulnerability-scanner: INFO: Initiating update feed process
2024/07/15 12:07:48 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-vulnerabilities-wazuh-server.
2024/07/15 12:10:32 wazuh-modulesd:vulnerability-scanner: INFO: Stopping vulnerability_scanner module.
2024/07/15 12:10:32 wazuh-modulesd:vulnerability-scanner: INFO: Feed update interrupted: Module stopped.
2024/07/15 12:10:32 wazuh-modulesd:vulnerability-scanner: INFO: Initiating update feed process
2024/07/15 12:10:32 wazuh-modulesd:vulnerability-scanner: INFO: Feed update interrupted: Module stopped.
2024/07/15 12:11:23 wazuh-modulesd:vulnerability-scanner: INFO: Starting vulnerability_scanner module.
2024/07/15 12:11:24 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh-server', retrying until the connection is successful.
2024/07/15 12:11:25 wazuh-modulesd:vulnerability-scanner: ERROR: Error opening the database: Vendor map can not be found in DB., trying to re-download the feed.
2024/07/15 12:11:25 wazuh-modulesd:vulnerability-scanner: INFO: Vulnerability scanner module started
2024/07/15 12:12:17 wazuh-modulesd:vulnerability-scanner: INFO: Initiating update feed process
2024/07/15 12:12:26 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-vulnerabilities-wazuh-server.
You have new mail in /var/spool/mail/wazuh-user
[wazuh-user@wazuh-server ~]$

thanks!

Nicolas Agustin Guevara Pihen

Jul 22, 2024, 6:19:32 AM
to Wazuh | Mailing List
Hi Nathan, apologies for the late response. 
Thank you for providing the logs. It looks like there may be some problem with the vulnerabilities feed update. I will review the logs with the team and come back with an answer.
In the meantime, could you kindly share with me the OS and version of the new agent that is not showing the vulnerabilities? 

Regards,
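
To see which stage keeps failing in a log like the one posted in this thread, the grep output can be grouped per module start. This is an added example, not code from the thread or from Wazuh; the function and stage names are constructed, and the message fragments are taken only from the lines posted above.

```python
import re
from collections import Counter

# A selection of lines copied from the manager log posted in this thread.
SAMPLE_LOG = """\
2024/07/15 10:14:42 wazuh-modulesd:vulnerability-scanner: INFO: Starting vulnerability_scanner module.
2024/07/15 10:14:43 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh-server', retrying until the connection is successful.
2024/07/15 10:14:43 wazuh-modulesd:vulnerability-scanner: ERROR: Error opening the database: Vendor map can not be found in DB., trying to re-download the feed.
2024/07/15 10:14:52 wazuh-modulesd:vulnerability-scanner: ERROR: VulnerabilityScannerFacade::initEventDispatcher: Empty OS data from Wazuh-DB (agent 001).
2024/07/15 10:15:14 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-vulnerabilities-wazuh-server.
2024/07/15 11:16:21 wazuh-modulesd:vulnerability-scanner: ERROR: Error updating feed: Invalid line. file: queue/vd_updater/tmp/contents/vd_1.0.0_vd_4.8.0_756338_1720112313.json, trying to re-download the feed.
2024/07/15 12:11:23 wazuh-modulesd:vulnerability-scanner: INFO: Starting vulnerability_scanner module.
2024/07/15 12:11:25 wazuh-modulesd:vulnerability-scanner: ERROR: Error opening the database: Vendor map can not be found in DB., trying to re-download the feed.
"""

LINE = re.compile(r"^(\S+ \S+) (\S+?): (INFO|WARNING|ERROR): (.*)$")

# Message fragments seen in that log, mapped to the stage that reported them.
STAGES = [
    ("IndexerConnector initialization failed", "indexer connection"),
    ("Error opening the database:", "feed database"),
    ("Error updating feed:", "feed download"),
    ("Empty OS data from Wazuh-DB", "agent inventory"),
]

def triage(log_text):
    """Split the log at each module start; count open problems per stage."""
    runs = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # shell prompt, mail notice or other non-log text
        stamp, _tag, level, msg = m.groups()
        if msg.startswith("Starting vulnerability_scanner module"):
            runs.append({"start": stamp, "problems": Counter()})
        if not runs:
            continue  # nothing to attach to before the first start line
        problems = runs[-1]["problems"]
        if msg.startswith("IndexerConnector initialized successfully"):
            problems.pop("indexer connection", None)  # retry succeeded
        elif level != "INFO":
            stage = next((s for frag, s in STAGES if frag in msg), "other")
            problems[stage] += 1
    return runs

if __name__ == "__main__":
    for run in triage(SAMPLE_LOG):
        print(run["start"], dict(run["problems"]))
```

An indexer warning that is followed by a successful initialization in the same run is dropped, so what remains per run are the feed and agent-inventory errors.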