Configuration

The Vulnerability Detection module is enabled by default on the Wazuh manager and works with the Syscollector module to detect vulnerable packages and software on a monitored endpoint.

The block below shows the default vulnerability detection settings in the Wazuh manager configuration file at /var/ossec/etc/ossec.conf.

<vulnerability-detection>
   <enabled>yes</enabled>
   <index-status>yes</index-status>
   <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>

Where:

  • <enabled> specifies whether the Vulnerability Detection module is enabled or not. The default value is yes. The allowed values are yes and no.

  • <index-status> enables the indexing of vulnerability inventory data. The default value is yes. The allowed values are yes and no.

  • <feed-update-interval> specifies the time interval for periodic feed updates. The default value is 60m (one hour), the minimum allowed. The allowed value is a positive number that contains a suffix character indicating a time unit, such as s (seconds), m (minutes), h (hours), and d (days).

The detected vulnerabilities are forwarded to the Wazuh indexer for querying, visualization, and deeper analysis using the indexer connector setting. The indexer connector setting is enabled by default in the /var/ossec/etc/ossec.conf file of the Wazuh manager.

The indexer connector may be missing if the Wazuh manager is using an old configuration file or if vulnerability detection was disabled during installation. In such cases, follow the steps below to add the indexer connector setting.

  1. Add the indexer connector configuration block below to the /var/ossec/etc/ossec.conf file on the Wazuh manager:

    <indexer>
      <enabled>yes</enabled>
      <hosts>
        <host>https://0.0.0.0:9200</host>
      </hosts>
      <ssl>
        <certificate_authorities>
          <ca>/etc/filebeat/certs/root-ca.pem</ca>
        </certificate_authorities>
        <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
        <key>/etc/filebeat/certs/filebeat-key.pem</key>
      </ssl>
    </indexer>
    

    Ensure:

    • The <hosts> section contains the IP address or hostname of your Wazuh indexer node. You can find this value in the Filebeat configuration file at /etc/filebeat/filebeat.yml.

    • The <ca>, <certificate>, and <key> names match the files located in /etc/filebeat/certs/.

  2. If you are running a Wazuh indexer cluster infrastructure, add a <host> entry for each one of your Wazuh indexer nodes. For example, in a two-node configuration:

    <hosts>
      <host>https://10.0.0.1:9200</host>
      <host>https://10.0.0.2:9200</host>
    </hosts>
    

    The Wazuh server will prioritize reporting to the first Wazuh indexer node in the list and switch to the next available node if the first one becomes unavailable.

  3. Save the Wazuh indexer username and password into the Wazuh manager keystore using the wazuh-keystore tool:

    # echo '<WAZUH_INDEXER_USERNAME>' | /var/ossec/bin/wazuh-keystore -f indexer -k username
    # echo '<WAZUH_INDEXER_PASSWORD>' | /var/ossec/bin/wazuh-keystore -f indexer -k password
    

    If you have forgotten your Wazuh indexer password, refer to the password management guide to reset it.

  4. Run the command below to verify the connection to the Wazuh indexer using the curl command from the Wazuh server. Enter the Wazuh indexer password when prompted:

    # curl --cacert <ROOT_CA> --cert <CERTIFICATE_PEM> --key <CERTIFICATE_KEY> -u <WAZUH_INDEXER_USER> -XGET https://<INDEXER_IP_ADDRESS>:9200/_cluster/health
    

    Where:

    • <ROOT_CA>, <CERTIFICATE_PEM>, <CERTIFICATE_KEY>: Certificate paths.

    • <WAZUH_INDEXER_USER>: Admin username of the Wazuh indexer.

    • <INDEXER_IP_ADDRESS>: IP address of the Wazuh indexer.

    If this command fails, the Vulnerability Detection module won't be able to connect to the Wazuh indexer.

    To check if the issue is related to certificates, bypass certificate verification using the -k option. Enter the Wazuh indexer password when prompted:

    # curl -k -u <WAZUH_INDEXER_USERNAME> -XGET https://<INDEXER_IP_ADDRESS>:9200/_cluster/health
    

    A successful connection returns a result similar to the following:

    {
        "cluster_name": "opensearch",
        "status": "green",
        "timed_out": false,
        "number_of_nodes": 1,
        "number_of_data_nodes": 1,
        "discovered_master": true,
        "discovered_cluster_manager": true,
        "active_primary_shards": 9,
        "active_shards": 9,
        "relocating_shards": 0,
        "initializing_shards": 0,
        "unassigned_shards": 0,
        "delayed_unassigned_shards": 0,
        "number_of_pending_tasks": 0,
        "number_of_in_flight_fetch": 0,
        "task_max_waiting_in_queue_millis": 0,
        "active_shards_percent_as_number": 100.0
    }
    
  5. Restart the Wazuh manager to apply the configuration:

    # sudo systemctl restart wazuh-manager
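
As an added example that is not part of the Wazuh documentation or project, the Python script below performs the checks from steps 1, 2 and 4 above in one place: it reads the <indexer> block from ossec.conf, reports an unset or missing CA, certificate or key file, flags a <host> left at the sample 0.0.0.0 address, and then queries /_cluster/health on each node in list order, which mirrors the failover order the Wazuh server uses. The two-node configuration embedded in it is a constructed sample; the indexer username and password are passed in by the caller rather than read from the keystore.

```python
# Added example, not Wazuh project code: parse the <indexer> block out of ossec.conf,
# sanity-check it, and probe /_cluster/health on each node in the configured order.
import base64, json, os, ssl, urllib.request, xml.etree.ElementTree as ET

# Constructed sample: a two-node cluster block as described in step 2.
SAMPLE_CONF = """<ossec_config><indexer>
  <enabled>yes</enabled>
  <hosts><host>https://10.0.0.1:9200</host><host>https://10.0.0.2:9200</host></hosts>
  <ssl><certificate_authorities><ca>/etc/filebeat/certs/root-ca.pem</ca></certificate_authorities>
  <certificate>/etc/filebeat/certs/filebeat.pem</certificate><key>/etc/filebeat/certs/filebeat-key.pem</key></ssl>
</indexer></ossec_config>"""

def load_indexer_config(conf_text):
    """Extract the indexer connector settings as a dict."""
    # ossec.conf may hold several top-level <ossec_config> elements, so wrap it in one root.
    idx = ET.fromstring("<r>" + conf_text + "</r>").find(".//indexer")
    if idx is None: raise ValueError("no <indexer> block found")
    def txt(path): return (idx.findtext(path) or "").strip()
    return {"enabled": txt("enabled") == "yes",
            "hosts": [(h.text or "").strip() for h in idx.findall("hosts/host")],
            "ca": txt("ssl/certificate_authorities/ca"),
            "cert": txt("ssl/certificate"), "key": txt("ssl/key")}

def find_problems(cfg, exists=os.path.isfile):
    """Return human-readable problems; an empty list means the block looks sane."""
    problems = [] if cfg["enabled"] else ["indexer connector is disabled"]
    for h in cfg["hosts"]:
        if not h.startswith("https://"):
            problems.append(f"{h} does not use https")
        if "0.0.0.0" in h:
            problems.append(f"{h} is still the placeholder address from the sample block")
    for name in ("ca", "cert", "key"):
        if not cfg[name] or not exists(cfg[name]):
            problems.append(f"{name} file missing: {cfg[name] or '(unset)'}")
    return problems

def cluster_health(cfg, user, password, timeout=5):
    """Probe nodes in list order (the manager's failover order); return (host, status)."""
    ctx = ssl.create_default_context(cafile=cfg["ca"])
    ctx.load_cert_chain(cfg["cert"], cfg["key"])
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    for host in cfg["hosts"]:
        req = urllib.request.Request(host.rstrip("/") + "/_cluster/health",
                                     headers={"Authorization": "Basic " + auth})
        try:
            with urllib.request.urlopen(req, timeout=timeout, context=ctx) as r:
                return host, json.load(r)["status"]  # "green", "yellow" or "red"
        except (OSError, ValueError):
            continue  # unreachable or unparsable reply: move on to the next node
    return None, "unreachable"
```

Run find_problems() against the real file before restarting the manager; cluster_health() returning the first host with status "green" is the equivalent of the successful curl output shown in step 4.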
    

Note

To enable vulnerability detection on the Wazuh manager, modify the internal_options.conf file at /var/ossec/etc/internal_options.conf. Set the parameter vulnerability-detection.disable_scan_manager from 1 to 0. This change allows the Vulnerability Detection module to include the Wazuh manager host in its scans. After updating the configuration, restart the Wazuh manager to ensure the changes take effect.

The Syscollector module sends system inventory data from the monitored endpoint to the Wazuh manager for analysis that identifies vulnerable packages and software. The following configuration block shows the default settings for the Syscollector module on a Wazuh agent.

<!-- System inventory -->
<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <scan_on_start>yes</scan_on_start>
  <hardware>yes</hardware>
  <os>yes</os>
  <network>yes</network>
  <packages>yes</packages>
  <hotfixes>yes</hotfixes>
  <ports all="yes">yes</ports>
  <processes>yes</processes>

  <!-- Database synchronization settings -->
  <synchronization>
    <max_eps>10</max_eps>
  </synchronization>
</wodle>

You can find the Syscollector configuration in the Wazuh agent configuration file at:

  • /var/ossec/etc/ossec.conf for Linux endpoints.

  • C:\Program Files (x86)\ossec-agent\ossec.conf for Windows endpoints.

  • /Library/Ossec/ossec.conf for macOS endpoints.

Refer to the Syscollector configuration for more information.

Offline vulnerability detection

If the Wazuh server does not have direct internet access, it is still possible to keep the Common Vulnerabilities and Exposures (CVE) database up to date. This can be achieved by downloading a snapshot of the threat intelligence repository and making it available within the local network or environment.

Threat intelligence snapshot

Wazuh regularly publishes a snapshot of its threat intelligence repository to the Cyber Threat Intelligence (CTI) API. This snapshot includes all CVE documents in a compressed format suitable for offline use.

Retrieving Wazuh threat intelligence snapshot

To retrieve the download link and the timestamp of the latest snapshot, run the following command:

$ curl -s -X GET https://cti.wazuh.com/api/v1/catalog/contexts/vd_1.0.0/consumers/vd_4.8.0 | jq -r '.data | "\(.last_snapshot_link)\n\(.last_snapshot_at)"'

This command queries the CTI API and returns a direct URL to the most recent threat intelligence snapshot file with the date and time it was published.

https://cti.wazuh.com/store/contexts/vd_1.0.0/consumers/vd_4.8.0/1990927_1748864308.zip
2025-06-02T11:38:28.279172Z

Where 2025-06-02T11:38:28.279172Z is the time of the last update.

Offline vulnerability detection configuration

Follow the steps below to configure the Vulnerability Detection module for offline mode.

  1. Download the threat intelligence repository using the URL returned by the CTI API query.

    $ curl https://cti.wazuh.com/store/contexts/vd_1.0.0/consumers/vd_4.8.0/1990927_1748864308.zip -o cves.zip
    

    Note

    Refer to the previous section for instructions on retrieving the latest URL for the threat intelligence snapshot.

  2. Run the command below to update the permissions and ownership of the file cves.zip:

    # chmod 750 /FILE_PATH_TO_OFFLINE_REPOSITORY/cves.zip
    # chown root:wazuh /FILE_PATH_TO_OFFLINE_REPOSITORY/cves.zip
    
  3. Edit the /var/ossec/etc/ossec.conf file on the Wazuh server and add the offline repository file path to the vulnerability detection block so that the Wazuh server can locate it.

    <vulnerability-detection>
       <enabled>yes</enabled>
       <index-status>yes</index-status>
       <feed-update-interval>60m</feed-update-interval>
       <offline-url><FILE_PATH_TO_OFFLINE_REPOSITORY></offline-url>
    </vulnerability-detection>
    

    Where:

    • <FILE_PATH_TO_OFFLINE_REPOSITORY> is the file path to the threat intelligence repository downloaded in the previous step.

  4. Restart the Wazuh manager to apply the configuration.

    # systemctl restart wazuh-manager
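
As an added example that is not part of the Wazuh documentation or project, the script below automates steps 1 and 2 above for a host that can reach the CTI API on behalf of the offline server: it reads the catalog reply shown earlier, downloads the snapshot only when it is newer than the copy on disk, rejects a download that is not a valid zip archive, and applies the same permissions and ownership as step 2. The catalog JSON embedded in it is a constructed sample, and the default target path /var/ossec/etc/cves.zip is an assumption, not a path from the page.

```python
# Added example, not Wazuh project code: keep the offline CVE snapshot current by
# reading the CTI catalog reply shown above, downloading the snapshot only when it
# is newer than the copy on disk, and applying the chmod 750 / chown root:wazuh
# from step 2. Network, chmod and chown calls happen only in sync_snapshot() and __main__.
import grp, json, os, pwd, shutil, sys, urllib.request, zipfile
from datetime import datetime, timezone

CATALOG_URL = "https://cti.wazuh.com/api/v1/catalog/contexts/vd_1.0.0/consumers/vd_4.8.0"

# Constructed sample of the catalog JSON, holding the two fields the jq filter above reads.
SAMPLE_CATALOG = json.dumps({"data": {
    "last_snapshot_link": "https://cti.wazuh.com/store/contexts/vd_1.0.0/consumers/vd_4.8.0/1990927_1748864308.zip",
    "last_snapshot_at": "2025-06-02T11:38:28.279172Z"}})

def parse_catalog(text):
    """Return (snapshot_url, published_at) from a catalog reply."""
    data = json.loads(text)["data"]
    published_at = datetime.fromisoformat(data["last_snapshot_at"].replace("Z", "+00:00"))
    return data["last_snapshot_link"], published_at

def needs_download(published_at, local_path, mtime=os.path.getmtime):
    """True when there is no local snapshot yet or the published one is newer."""
    try:
        local = datetime.fromtimestamp(mtime(local_path), tz=timezone.utc)
    except OSError:  # no local copy
        return True
    return published_at > local

def sync_snapshot(catalog_text, local_path, fetch=urllib.request.urlopen):
    """Download and install the snapshot if needed; return True when a new file was installed."""
    url, published_at = parse_catalog(catalog_text)
    if not needs_download(published_at, local_path):
        return False
    tmp = local_path + ".part"
    with fetch(url) as resp, open(tmp, "wb") as out:
        shutil.copyfileobj(resp, out)
    if not zipfile.is_zipfile(tmp):  # refuse a truncated or non-zip download
        os.remove(tmp)
        raise RuntimeError("downloaded snapshot is not a valid zip archive")
    os.chmod(tmp, 0o750)
    os.chown(tmp, pwd.getpwnam("root").pw_uid, grp.getgrnam("wazuh").gr_gid)
    os.replace(tmp, local_path)  # atomic swap, so the manager never reads a partial file
    return True

if __name__ == "__main__":  # usage: sync_snapshot.py [/FILE_PATH_TO_OFFLINE_REPOSITORY/cves.zip]
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/ossec/etc/cves.zip"  # assumed default path
    with urllib.request.urlopen(CATALOG_URL, timeout=30) as r:
        updated = sync_snapshot(r.read().decode(), target)
    print("snapshot updated" if updated else "snapshot already current")
```

The script must run as root for the chown to succeed, and the target path must match the <offline-url> value configured in step 3.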