Configuration

The Vulnerability Detection module is enabled by default on the Wazuh manager and works with the Syscollector module to detect vulnerable packages and software on a monitored endpoint.

The block below shows the default vulnerability detection settings in the Wazuh manager configuration file at /var/ossec/etc/ossec.conf.

<vulnerability-detection>
   <enabled>yes</enabled>
   <index-status>yes</index-status>
   <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>

Where:

  • <enabled> specifies whether the Vulnerability Detection module is enabled or not. The default value is yes. The allowed values are yes and no.

  • <index-status> enables the indexing of vulnerability inventory data. The default value is yes. The allowed values are yes and no.

  • <feed-update-interval> specifies the time interval between periodic feed updates. The default value is 60m (one hour), which is also the minimum allowed. The allowed value is a positive number followed by a time-unit suffix: s (seconds), m (minutes), h (hours), or d (days).

Note

By default, the Vulnerability Detection module does not scan the Wazuh manager host itself. To include the manager in its scans, edit /var/ossec/etc/internal_options.conf and change the parameter vulnerability-detection.disable_scan_manager from 1 to 0. After updating the configuration, restart the Wazuh manager so the change takes effect.

The Syscollector module sends system inventory data from the monitored endpoint to the Wazuh manager, where it is analyzed to identify vulnerable packages and software. Because the package inventory (and, on Windows, the installed hotfixes) is the input the module evaluates, keep the <packages> and <hotfixes> scans enabled on endpoints you want assessed. The following configuration block shows the default settings for the Syscollector module on a Wazuh agent.

<!-- System inventory -->
<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <scan_on_start>yes</scan_on_start>
  <hardware>yes</hardware>
  <os>yes</os>
  <network>yes</network>
  <packages>yes</packages>
  <hotfixes>yes</hotfixes>
  <ports all="no">yes</ports>
  <processes>yes</processes>

  <!-- Database synchronization settings -->
  <synchronization>
    <max_eps>10</max_eps>
  </synchronization>
</wodle>

You can find the Syscollector configuration in the Wazuh agent configuration file at:

  • /var/ossec/etc/ossec.conf for Linux endpoints.

  • C:\Program Files (x86)\ossec-agent\ossec.conf for Windows endpoints.

  • /Library/Ossec/ossec.conf for macOS endpoints.

Refer to the Syscollector configuration for more information.

Offline vulnerability detection

If the Wazuh server does not have direct internet access, it is still possible to keep the Common Vulnerabilities and Exposures (CVE) database up to date. This is achieved by downloading a snapshot of the threat intelligence repository on a system that does have access and making it available within the local network or environment. Because the server cannot reach the feed itself, a newer snapshot has to be downloaded and staged again whenever the CVE data should be refreshed.

Threat intelligence snapshot

Wazuh regularly publishes a snapshot of its threat intelligence repository to the Cyber Threat Intelligence (CTI) API. This snapshot includes all CVE documents in a compressed format suitable for offline use.

Retrieving Wazuh threat intelligence snapshot

To retrieve the download link and the timestamp of the latest snapshot, run the following command:

$ curl -s -X GET https://cti.wazuh.com/api/v1/catalog/contexts/vd_1.0.0/consumers/vd_4.8.0 | jq -r '.data | "\(.last_snapshot_link)\n\(.last_snapshot_at)"'

This command queries the CTI API and returns a direct URL to the most recent threat intelligence snapshot file, followed by the date and time it was published:

https://cti.wazuh.com/store/contexts/vd_1.0.0/consumers/vd_4.8.0/1990927_1748864308.zip
2025-06-02T11:38:28.279172Z

Where 2025-06-02T11:38:28.279172Z is the time of the last update.

Offline vulnerability detection configuration

Follow the steps below to configure the Vulnerability Detection module for offline mode.

  1. Download the threat intelligence repository using the URL from querying the CTI API.

    $ curl https://cti.wazuh.com/store/contexts/vd_1.0.0/consumers/vd_4.8.0/1990927_1748864308.zip -o cves.zip
    

    Note

    Refer to the previous section for instructions on retrieving the latest snapshot URL. Always fetch the current link before downloading; the URL above is the one returned at the time of writing.

  2. Run the commands below to set the permissions and ownership of cves.zip so that the wazuh group can read it, replacing FILE_PATH_TO_OFFLINE_REPOSITORY with the directory where you saved the file:

    # chmod 750 /FILE_PATH_TO_OFFLINE_REPOSITORY/cves.zip
    # chown root:wazuh /FILE_PATH_TO_OFFLINE_REPOSITORY/cves.zip
    
  3. Edit the Wazuh server /var/ossec/etc/ossec.conf file and add the path of the offline repository to the vulnerability detection block so the Wazuh server can locate it.

    <vulnerability-detection>
       <enabled>yes</enabled>
       <index-status>yes</index-status>
       <feed-update-interval>60m</feed-update-interval>
       <offline-url><FILE_PATH_TO_OFFLINE_REPOSITORY></offline-url>
    </vulnerability-detection>
    

    Where:

    • <FILE_PATH_TO_OFFLINE_REPOSITORY> is the path to the cves.zip file downloaded in step 1, the same file whose ownership and permissions you set in step 2. The Wazuh manager must be able to read it.

  4. Restart the Wazuh manager to apply the configuration.

    # systemctl restart wazuh-manager
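The script below is an added example, not part of the Wazuh documentation or the Wazuh project, that strings together the two procedures above: reading the snapshot link and timestamp from the CTI API response, checking the downloaded file before the manager is pointed at it, applying the documented ownership and mode, and rendering the <vulnerability-detection> block. It runs offline against a constructed copy of the API response whose values are taken from the page; the response shape (.data.last_snapshot_link, .data.last_snapshot_at) is the one the page's jq filter reads. Assumptions not stated on the page: the snapshot file name is assumed to follow the <id>_<epoch>.zip pattern seen in the example URL (1748864308 is exactly 2025-06-02T11:38:28Z), the destination directory /var/ossec/offline is hypothetical, and the sed-based field extraction stands in for jq only for these two flat string fields.

```shell
#!/bin/sh
# Added example: stage an offline CVE snapshot for the Wazuh manager.
# Not Wazuh project code. Works on a constructed CTI API response so it
# runs without network access; for a real run, feed it the output of
#   curl -s https://cti.wazuh.com/api/v1/catalog/contexts/vd_1.0.0/consumers/vd_4.8.0
set -eu

# Constructed sample of the API body; values copied from the page's example.
CTI_SAMPLE='{"data":{"last_snapshot_link":"https://cti.wazuh.com/store/contexts/vd_1.0.0/consumers/vd_4.8.0/1990927_1748864308.zip","last_snapshot_at":"2025-06-02T11:38:28.279172Z"}}'

# Extract one flat string field without requiring jq. Good enough for the
# two unnested, compact-JSON fields used here; prefer jq where installed.
json_field() {  # $1 = JSON body, $2 = key
  printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Assumed naming convention: <id>_<epoch>.zip, where <epoch> equals
# last_snapshot_at in Unix time (true for the page's example). Used only
# as a consistency and staleness check, never to pick a file.
snapshot_epoch() {  # $1 = snapshot URL or file name
  f=$(basename "$1" .zip)
  printf '%s\n' "${f#*_}"
}

# Whole days between the snapshot's epoch and "now" (passed in for testability).
# In offline mode nothing refreshes cves.zip for you, so report its age.
snapshot_age_days() {  # $1 = snapshot epoch, $2 = current epoch
  printf '%d\n' $(( ($2 - $1) / 86400 ))
}

# Refuse anything that is not a ZIP archive (local file header "PK\003\004").
# A proxy error page saved as cves.zip would otherwise only fail later,
# at the manager's next feed update.
is_zip() {  # $1 = path
  [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "504b0304" ]
}

# Copy the verified archive into place with the ownership and mode the
# documentation prescribes (root-owned, readable by the wazuh group).
stage_snapshot() {  # $1 = downloaded file, $2 = destination path
  is_zip "$1" || { echo "refusing to stage $1: not a ZIP archive" >&2; return 1; }
  cp "$1" "$2"
  chmod 750 "$2"
  chown root:wazuh "$2"
}

# Render the block for /var/ossec/etc/ossec.conf. The value is emitted
# verbatim, exactly as the documentation's placeholder is.
render_vd_block() {  # $1 = value for <offline-url>
  cat <<EOF
<vulnerability-detection>
   <enabled>yes</enabled>
   <index-status>yes</index-status>
   <feed-update-interval>60m</feed-update-interval>
   <offline-url>$1</offline-url>
</vulnerability-detection>
EOF
}

main() {
  link=$(json_field "$CTI_SAMPLE" last_snapshot_link)
  at=$(json_field "$CTI_SAMPLE" last_snapshot_at)
  epoch=$(snapshot_epoch "$link")
  case "$epoch" in
    ''|*[!0-9]*) echo "unexpected snapshot name in $link" >&2; exit 1 ;;
  esac
  echo "snapshot:  $link"
  echo "published: $at (epoch in file name: $epoch)"
  echo "age:       $(snapshot_age_days "$epoch" "$(date +%s)") days"
  # Real run, kept commented so the example stays offline:
  # curl -fsSL "$link" -o /tmp/cves.zip
  # stage_snapshot /tmp/cves.zip /var/ossec/offline/cves.zip   # hypothetical directory
  # ...then paste the rendered block into ossec.conf and restart wazuh-manager.
  render_vd_block /var/ossec/offline/cves.zip
}

main "$@"
```

The ZIP magic-byte check is the step most worth keeping when adapting this: curl without -f happily writes an HTTP error body to cves.zip, and the manager will only complain at its next feed update. The age line is the operator's reminder that an offline feed goes stale silently.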