Frequently Asked Questions (FAQs)

This section provides solutions to common issues encountered during the configuration, installation, and operation of the Vulnerability Detection module.

Communication issues between the Wazuh server and the Wazuh indexer

Issue description

Problem

No vulnerabilities are reported in the Wazuh dashboard, or the wazuh-states-vulnerabilities-* index has not been created. The Wazuh manager log (/var/ossec/logs/ossec.log) might show messages like IndexerConnector initialization failed for index 'X', retrying until the connection is successful.

Cause

A misconfiguration in one of the following components:

  • Vulnerability detector

  • Indexer connector

  • wazuh-keystore

Troubleshooting steps

Step 1: Check credentials and configuration

  1. Ensure the wazuh-keystore holds the correct admin username and password for the Wazuh indexer; the indexer connector authenticates with these credentials. For details, see the wazuh-keystore documentation.

  2. Verify the indexer connector configuration at /var/ossec/etc/ossec.conf. Ensure:

    • Each <host> entry inside <hosts> contains the correct Wazuh indexer URL. The FQDN or IP address in the URL must match a name in the Wazuh indexer certificate (its common name or a subject alternative name), otherwise certificate verification fails.

    • The <ssl> section specifies the correct paths for the CA that signed the indexer certificate, and for the client certificate and key the Wazuh server presents to the indexer.

Example configuration (replace 0.0.0.0 with the indexer address that matches its certificate):

<indexer>
  <enabled>yes</enabled>
  <hosts>
    <host>https://0.0.0.0:9200</host>
  </hosts>
  <ssl>
    <certificate_authorities>
      <ca>/etc/filebeat/certs/root-ca.pem</ca>
    </certificate_authorities>
    <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
    <key>/etc/filebeat/certs/filebeat-key.pem</key>
  </ssl>
</indexer>

Step 2: Verify the connection

You can verify the connection to the Wazuh indexer by running curl from the Wazuh server with the same certificates and credentials the connector uses:

# curl --cacert <ROOT_CA> --cert <CERTIFICATE_PEM> --key <CERTIFICATE_KEY> -u <USER>:<PASS> -XGET https://<INDEXER_IP_ADDRESS>:9200/_cluster/health

Where:

  • <ROOT_CA>, <CERTIFICATE_PEM>, <CERTIFICATE_KEY>: Certificate paths.

  • <USER> and <PASS>: Admin credentials.

  • <INDEXER_IP_ADDRESS>: IP address or FQDN of the Wazuh indexer, as configured in <host>.

If this command fails, the vulnerability detection module, which uses the same certificates and credentials, won't be able to connect to the indexer either.

To check whether the issue is related to certificates, bypass certificate verification using the -k option. Use -k only for diagnosis: if this command succeeds while the verified one fails, the cause is the CA file or a host name that does not match the indexer certificate, and the fix is to correct those, not to leave verification disabled.

# curl -k -u <USER>:<PASS> -XGET https://<INDEXER_IP_ADDRESS>:9200/_cluster/health

A successful connection returns a result similar to the following (the numbers vary with your deployment):

{
    "cluster_name": "opensearch",
    "status": "green",
    "timed_out": false,
    "number_of_nodes": 1,
    "number_of_data_nodes": 1,
    "discovered_master": true,
    "discovered_cluster_manager": true,
    "active_primary_shards": 9,
    "active_shards": 9,
    "relocating_shards": 0,
    "initializing_shards": 0,
    "unassigned_shards": 0,
    "delayed_unassigned_shards": 0,
    "number_of_pending_tasks": 0,
    "number_of_in_flight_fetch": 0,
    "task_max_waiting_in_queue_millis": 0,
    "active_shards_percent_as_number": 100.0
}
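The following script is an added example, not part of this FAQ or of Wazuh's own tooling. It automates Step 1 and Step 2 above: it reads the <host> URLs and <ssl> paths from the <indexer> block of ossec.conf, checks that the certificate files are readable, runs the curl check with full verification against every host, and, when that fails on TLS, repeats it with -k so a certificate or host-name problem is told apart from a network or credential problem. It assumes it runs as root on the Wazuh server with curl and sed installed, that the <indexer> block has the flat layout of the example configuration, and that the admin credentials stored with wazuh-keystore are exported as INDEXER_USER and INDEXER_PASS (variable names chosen here, not Wazuh's). The sample_config function emits a constructed configuration for trying the parsers without a server.

```shell
#!/usr/bin/env bash
# check_indexer_conn.sh: added example (not Wazuh's own code) automating
# Step 1 and Step 2 of the FAQ. Assumptions not stated on the page: run as
# root on the Wazuh server with curl and sed installed, the <indexer> block
# has the flat layout of the example configuration, and the admin
# credentials from wazuh-keystore are exported as INDEXER_USER/INDEXER_PASS.

# Only the <indexer> block; the parsers below work on its output.
indexer_block() { sed -n '/<indexer>/,/<\/indexer>/p' "$1"; }

# All <host> URLs configured for the connector, one per line.
indexer_hosts() {
    indexer_block "$1" | sed -n 's/.*<host>\([^<]*\)<\/host>.*/\1/p'
}

# Value of one <ssl> child tag (ca, certificate or key).
indexer_ssl_path() {
    indexer_block "$1" | sed -n "s/.*<$2>\([^<]*\)<\/$2>.*/\1/p" | head -n 1
}

# Host name or IP from a URL; this is what must appear in the indexer
# certificate (CN or Subject Alternative Name).
host_from_url() {
    local h="${1#*://}"
    h="${h%%/*}"
    printf '%s\n' "${h%%:*}"
}

# Map curl's exit status and the HTTP code to the component to look at.
# curl exit codes: 7 could not connect, 58 local client cert/key problem,
# 35/51/60 TLS handshake or peer certificate verification failed.
classify_result() {
    case "$1" in
        0)  case "$2" in
                200)     echo "ok" ;;
                401|403) echo "bad-credentials" ;;   # TLS fine, keystore wrong
                *)       echo "http-$2" ;;
            esac ;;
        7)        echo "unreachable" ;;
        58)       echo "client-cert" ;;
        35|51|60) echo "tls-verification" ;;
        *)        echo "curl-error-$1" ;;
    esac
}

# The page's curl check with full verification; on a TLS failure repeat it
# with -k so a certificate problem is told apart from everything else.
check_host() {
    local url="$1" ca="$2" cert="$3" key="$4" rc http verdict
    http=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$ca" \
        --cert "$cert" --key "$key" -u "$INDEXER_USER:$INDEXER_PASS" \
        "$url/_cluster/health"); rc=$?
    verdict=$(classify_result "$rc" "$http")
    if [ "$verdict" = "tls-verification" ]; then
        http=$(curl -s -k -o /dev/null -w '%{http_code}' \
            -u "$INDEXER_USER:$INDEXER_PASS" "$url/_cluster/health"); rc=$?
        if [ "$(classify_result "$rc" "$http")" = "ok" ]; then
            verdict="tls-verification (works with -k: fix the CA file, or '$(host_from_url "$url")' is not in the indexer certificate)"
        fi
    fi
    printf '%s -> %s\n' "$url" "$verdict"
}

main() {
    local ca cert key f h
    ca=$(indexer_ssl_path "$1" ca)
    cert=$(indexer_ssl_path "$1" certificate)
    key=$(indexer_ssl_path "$1" key)
    for f in "$ca" "$cert" "$key"; do      # Step 1: the <ssl> paths must exist
        [ -r "$f" ] || { echo "unreadable: '$f' (check the <ssl> paths)" >&2; return 1; }
    done
    for h in $(indexer_hosts "$1"); do     # Step 2: one curl check per host
        check_host "$h" "$ca" "$cert" "$key"
    done
}

# Constructed sample config (not from a real deployment) for exercising the
# parsers without a Wazuh server: sample_config > /tmp/ossec.conf
sample_config() {
    cat <<'EOF'
<indexer>
  <hosts>
    <host>https://192.0.2.10:9200</host>
    <host>https://indexer.example.internal:9200</host>
  </hosts>
  <ssl>
    <certificate_authorities>
      <ca>/etc/filebeat/certs/root-ca.pem</ca>
    </certificate_authorities>
    <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
    <key>/etc/filebeat/certs/filebeat-key.pem</key>
  </ssl>
</indexer>
EOF
}

if [ $# -eq 1 ]; then main "$1"; else echo "usage: $0 /var/ossec/etc/ossec.conf" >&2; fi
```

Run it as INDEXER_USER=admin INDEXER_PASS='...' ./check_indexer_conn.sh /var/ossec/etc/ossec.conf. A verdict of bad-credentials means TLS is fine and the keystore is wrong; unreachable points at the network or port; client-cert means the <certificate> or <key> file is unreadable or does not match; tls-verification that works with -k means the <ca> file or the host name in <host> is the problem, which is the case the -k step above is meant to isolate.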