Configuration

The Vulnerability Detection module is enabled by default on the Wazuh manager and works with the Syscollector module to detect vulnerable packages and software on a monitored endpoint.

The block below is the default vulnerability detection settings in the Wazuh manager configuration file at /var/ossec/etc/ossec.conf.

<vulnerability-detection>
   <enabled>yes</enabled>
   <index-status>yes</index-status>
   <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>

Where:

• <enabled> specifies whether the Vulnerability Detection module is enabled or not. The default value is yes. The allowed values are yes and no.

• <index-status> enables the indexing of vulnerability inventory data. The default value is yes. The allowed values are yes and no.

• <feed-update-interval> specifies the time interval for periodic feed updates. The default value is 60m (one hour), the minimum allowed. The allowed value is a positive number that contains a suffix character indicating a time unit, such as s (seconds), m (minutes), h (hours), and d (days).

The detected vulnerabilities are forwarded to the Wazuh indexer for querying, visualization, and deeper analysis using the indexer connector setting. The indexer connector setting is enabled by default in the /var/ossec/etc/ossec.conf file of the Wazuh manager.

The indexer connector may be missing if the Wazuh manager is using an old configuration file or if vulnerability detection was disabled during installation. In such cases, follow the steps below to add the indexer connector setting.

1. Add the indexer connector configuration block below to the /var/ossec/etc/ossec.conf file on the Wazuh manager:

   <indexer>
     <enabled>yes</enabled>
     <hosts>
       <host>https://0.0.0.0:9200</host>
     </hosts>
     <ssl>
       <certificate_authorities>
         <ca>/etc/filebeat/certs/root-ca.pem</ca>
       </certificate_authorities>
       <certificate>/etc/filebeat/certs/filebeat.pem</certificate>
       <key>/etc/filebeat/certs/filebeat-key.pem</key>
     </ssl>
   </indexer>
   

   Ensure:

   • The <hosts> section contains the IP address or hostname of your Wazuh indexer node. You can find this value in the Filebeat configuration file at /etc/filebeat/filebeat.yml.

   • The <ca>, <certificate>, and <key> names match the files located in /etc/filebeat/certs/.

2. If you are running a Wazuh indexer cluster infrastructure, add a <host> entry for each one of your Wazuh indexer nodes. For example, in a two-node configuration:

   <hosts>
     <host>https://10.0.0.1:9200</host>
     <host>https://10.0.0.2:9200</host>
   </hosts>
   

   The Wazuh server will prioritize reporting to the first Wazuh indexer node in the list and switch to the next available node if the first one becomes unavailable.

3. Save the Wazuh indexer username and password into the Wazuh manager keystore using the Wazuh-keystore tool:

   # echo '<WAZUH_INDEXER_USERNAME>' | /var/ossec/bin/wazuh-keystore -f indexer -k username
   # echo '<WAZUH_INDEXER_PASSWORD>' | /var/ossec/bin/wazuh-keystore -f indexer -k password
   

   If you have forgotten your Wazuh indexer password, refer to the password management guide to reset it.

4. Run the command below to verify the connection to the Wazuh indexer using the curl command from the Wazuh server. Enter the Wazuh indexer password when prompted:

   # curl --cacert <ROOT_CA> --cert <CERTIFICATE_PEM> --key <CERTIFICATE_KEY> -u <WAZUH_INDEXER_USER> -XGET https://<INDEXER_IP_ADDRESS>:9200/_cluster/health
   

   Where:

   • <ROOT_CA>, <CERTIFICATE_PEM>, <CERTIFICATE_KEY>: Certificate paths.

   • <WAZUH_INDEXER_USER>: Admin username of the Wazuh indexer.

   • <INDEXER_IP_ADDRESS>: IP address of the Wazuh indexer.

   If this command fails, the vulnerability detector module won't be able to connect to the Wazuh indexer.

   To check if the issue is related to certificates, bypass certificate verification using the -k option. Enter the Wazuh indexer password when prompted:

   # curl -k -u <WAZUH_INDEXER_USERNAME> -XGET https://<INDEXER_IP_ADDRESS>:9200/_cluster/health
   

   A successful connection returns a result similar to the following:

   {
       "cluster_name": "opensearch",
       "status": "green",
       "timed_out": false,
       "number_of_nodes": 1,
       "number_of_data_nodes": 1,
       "discovered_master": true,
       "discovered_cluster_manager": true,
       "active_primary_shards": 9,
       "active_shards": 9,
       "relocating_shards": 0,
       "initializing_shards": 0,
       "unassigned_shards": 0,
       "delayed_unassigned_shards": 0,
       "number_of_pending_tasks": 0,
       "number_of_in_flight_fetch": 0,
       "task_max_waiting_in_queue_millis": 0,
       "active_shards_percent_as_number": 100.0
   }
   

5. Restart the Wazuh manager to apply the configuration:

   # sudo systemctl restart wazuh-manager
   

The Syscollector module sends system inventory data from the monitored endpoint to the Wazuh manager for analysis that identifies vulnerable packages and software. The following configuration block shows the default settings for the Syscollector module on a Wazuh agent.

<!-- System inventory -->
<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <scan_on_start>yes</scan_on_start>
  <hardware>yes</hardware>
  <os>yes</os>
  <network>yes</network>
  <packages>yes</packages>
  <hotfixes>yes</hotfixes>
  <ports all="yes">yes</ports>
  <processes>yes</processes>

  <!-- Database synchronization settings -->
  <synchronization>
    <max_eps>10</max_eps>
  </synchronization>
</wodle>

You can find the Syscollector configuration in the Wazuh agent configuration file at:

• /var/ossec/etc/ossec.conf for Linux endpoints.

• C:\Program Files (x86)\ossec-agent\ossec.conf for Windows endpoints.

• /Library/Ossec/ossec.conf for macOS endpoints.

Refer to the Syscollector configuration for more information.

$ curl -s -X GET https://cti.wazuh.com/api/v1/catalog/contexts/vd_1.0.0/consumers/vd_4.8.0 | jq -r '.data | "\(.last_snapshot_link)\n\(.last_snapshot_at)"'

https://cti.wazuh.com/store/contexts/vd_1.0.0/consumers/vd_4.8.0/1990927_1748864308.zip
2025-06-02T11:38:28.279172Z