Wazuh 4.11.0 Vulnerability Detection doesn't work #28602
Hi, However, I realized that Vulnerability Detection is not working. I have the option enabled on both servers in ossec.conf, but no data from the agents can be seen on the dashboard, inventory and events - there is the info "No results match your search criteria". yes yes 60m

Everything else works without any trouble. Before this production installation, I had a test Wazuh 4.10 server, and the 5 old agents hooked up to the new production cluster without any trouble. Where should I look for a solution to the problem? Thank you in advance
So you have two different indexers, is your environment a CCS? https://wazuh.com/blog/managing-multiple-wazuh-clusters-with-cross-cluster-search/

From the logs you can see the vulnerability scanner is working? Let's try this

That is to force a re-scan. In the logs you should see whether or not the scanner is working. If that's ok, check if the indices are created, i.e. `green open wazuh-states-vulnerabilities-jammy -Xlj027-RFqd-yyfR3Y5sg 1 0 20347 5 11.8mb 11.8mb`

Search in your ossec.log for wazuh-states-vulnerabilities (avoid jammy because that is dynamic).
Hi, Thank you for your help.
Hi,
I managed to solve the problem.
The cause of the error is a cluster script installation error (all done according to Wazuh documentation) in the ossec.conf file on the worker. In the indexer branch on worker, the certificates were pointing to files from master, not from worker. After replacing the invalid references to the non-existent wazuh1.pem and wazuh1-key.pem files with wazuh2.pem and wazuh2-key.pem files, respectively, and restarting the wazuh-manager service, the worker connected to the wazuh-states-vulnerabilities-wazuh_cluster indexer.
Thank you for your help.
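
A check for the misconfiguration described in the post above, as an added example that is not part of the thread and not Wazuh project code: it lists every certificate or key path in an `<indexer>` block of ossec.conf that does not exist on the node. It assumes the `<ssl>` section uses `<ca>`, `<certificate>` and `<key>` elements; the function names, the temporary certificate directory and the sample configuration are constructed for the demonstration.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

PATH_TAGS = ("ca", "certificate", "key")  # path-holding elements under <indexer><ssl> (assumed layout)


def missing_indexer_cert_files(conf_text):
    """Return [(tag, path), ...] for indexer cert/key paths that are not existing files."""
    # ossec.conf may hold several <ossec_config> roots: drop comments, parse each block alone.
    text = re.sub(r"<!--.*?-->", "", conf_text, flags=re.DOTALL)
    missing = []
    for block in re.findall(r"<indexer>.*?</indexer>", text, flags=re.DOTALL):
        ssl = ET.fromstring(block).find("ssl")
        if ssl is None:
            continue
        for elem in ssl.iter():
            path = (elem.text or "").strip()
            if elem.tag in PATH_TAGS and path and not os.path.isfile(path):
                missing.append((elem.tag, path))
    return missing


def demo():
    """Constructed worker node: only wazuh2*.pem exist, config names wazuh1*.pem."""
    with tempfile.TemporaryDirectory() as certs:
        for name in ("root-ca.pem", "wazuh2.pem", "wazuh2-key.pem"):
            open(os.path.join(certs, name), "w").close()
        template = """
<ossec_config>
  <indexer>
    <hosts><host>https://127.0.0.1:9200</host></hosts>
    <ssl>
      <certificate_authorities><ca>{d}/root-ca.pem</ca></certificate_authorities>
      <certificate>{d}/{node}.pem</certificate>
      <key>{d}/{node}-key.pem</key>
    </ssl>
  </indexer>
</ossec_config>
<ossec_config><!-- second root, as found in real files --></ossec_config>
"""
        broken = missing_indexer_cert_files(template.format(d=certs, node="wazuh1"))
        fixed = missing_indexer_cert_files(template.format(d=certs, node="wazuh2"))
        return [(t, os.path.basename(p)) for t, p in broken], fixed


if __name__ == "__main__":
    print(demo())
```

On a real node, pass the contents of the manager's ossec.conf to `missing_indexer_cert_files` as a user that can read the certificate directory; an empty list means every referenced file exists.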