Frequently Asked Questions (FAQs)
This section provides solutions to common issues encountered during the configuration, installation, and operation of the Vulnerability Detection module.
Communication issues between the Wazuh server and the Wazuh indexer
Troubleshooting steps
Step 1: Check credentials and configuration
Ensure the wazuh-keystore is updated with the correct admin username and password. For details, see the wazuh-keystore documentation.
Verify the indexer connector configuration at /var/ossec/etc/ossec.conf. Ensure:
The <host> section contains the correct Wazuh indexer URL. The host FQDN/IP address must match the certificate details.
The <ssl> section specifies the correct paths for the certificate, key, and CA files.
Example configuration:
<indexer>
  <enabled>yes</enabled>
  <hosts>
    <host>https://0.0.0.0:9200</host>
  </hosts>
  <ssl>
    <certificate_authorities>
      <ca>/etc/filebeat/certs/root-ca.pem</ca>
    </certificate_authorities>
    <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
    <key>/etc/filebeat/certs/filebeat-key.pem</key>
  </ssl>
</indexer>
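A pre-flight check for the two conditions in Step 1, as an added example that is not part of the Wazuh documentation or code: it parses the <indexer> block and reports hosts that are not https URLs and certificate, key, or CA paths that cannot be read. The function name check_indexer_config, its readable hook, and the warning on 0.0.0.0 are assumptions of this example, which also assumes ossec.conf is otherwise well-formed XML.

```python
import os
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample shaped like the example configuration on this page.
SAMPLE = """<ossec_config>
  <indexer>
    <enabled>yes</enabled>
    <hosts><host>https://0.0.0.0:9200</host></hosts>
    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
      <key>/etc/filebeat/certs/filebeat-key.pem</key>
    </ssl>
  </indexer>
</ossec_config>"""

def check_indexer_config(text, readable=lambda p: os.access(p, os.R_OK)):
    """Return a list of problems in the <indexer> block(s) of ossec.conf text."""
    # ossec.conf can hold several <ossec_config> roots; wrap them so the
    # text parses as one XML document (assumes it is otherwise well-formed).
    root = ET.fromstring("<wrapper>" + text + "</wrapper>")
    blocks = root.findall(".//indexer")
    if not blocks:
        return ["no <indexer> block found"]
    problems = []
    for block in blocks:
        if (block.findtext("enabled") or "").strip() != "yes":
            problems.append("<enabled> is not 'yes'")
        hosts = [(h.text or "").strip() for h in block.findall("hosts/host")]
        if not hosts:
            problems.append("no <host> entries")
        for host in hosts:
            url = urlparse(host)
            if url.scheme != "https" or not url.hostname:
                problems.append(f"host {host!r} is not an https URL")
            elif url.hostname == "0.0.0.0":
                # Heuristic (assumption): the unspecified address will not match a certificate.
                problems.append(f"host {host!r} is the unspecified address")
        for tag in ("ssl/certificate_authorities/ca", "ssl/certificate", "ssl/key"):
            paths = [(e.text or "").strip() for e in block.findall(tag)]
            if not paths:
                problems.append(f"<{tag}> is missing")
            problems += [f"{p} is not readable" for p in paths if not readable(p)]
    return problems
```

Run it as the user the Wazuh server runs under, for example check_indexer_config(open("/var/ossec/etc/ossec.conf").read()), so that the readability result reflects the permissions the module actually has.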
Step 2: Verify the connection
You can verify the connection to the Wazuh indexer using the curl command from the Wazuh server.
# curl --cacert <ROOT_CA> --cert <CERTIFICATE_PEM> --key <CERTIFICATE_KEY> -u <USER>:<PASS> -XGET https://<INDEXER_IP_ADDRESS>:9200/_cluster/health
Where:
<ROOT_CA>, <CERTIFICATE_PEM>, <CERTIFICATE_KEY>: Certificate paths.
<USER> and <PASS>: Admin credentials.
<INDEXER_IP_ADDRESS>: IP address of the Wazuh indexer.
If this command fails, the vulnerability detector module won't be able to connect to the indexer.
To check if the issue is related to certificates, bypass certificate verification using the -k option. If the request succeeds with -k but fails without it, the failure points to the certificates.
# curl -k -u <USER>:<PASS> -XGET https://<INDEXER_IP_ADDRESS>:9200/_cluster/health
A successful connection returns a result similar to the following:
{
  "cluster_name": "opensearch",
  "status": "green",
  "timed_out": false,
  "number_of_nodes": 1,
  "number_of_data_nodes": 1,
  "discovered_master": true,
  "discovered_cluster_manager": true,
  "active_primary_shards": 9,
  "active_shards": 9,
  "relocating_shards": 0,
  "initializing_shards": 0,
  "unassigned_shards": 0,
  "delayed_unassigned_shards": 0,
  "number_of_pending_tasks": 0,
  "number_of_in_flight_fetch": 0,
  "task_max_waiting_in_queue_millis": 0,
  "active_shards_percent_as_number": 100.0
}