Known issues
This section lists known issues that might occur when using the Vulnerability Detection module. It includes the affected versions, fixes, and remediation steps for situations where an upgrade is not feasible.
Dangling entries in the vulnerabilities dashboard
Remediation plan
Apply a full reset of the module’s data, but only after addressing common configuration and environmental issues.
Step 1: Address common issues
Inactive agent or connection problems:
Verify the agent is active and reporting. Check agent logs for errors and warnings about the connection with the manager.
Ensure the agent’s inventory doesn’t list uninstalled packages. If it does, there might be a problem with Syscollector.
Server-Indexer communication problems:
Check manager logs for errors like No available server or Failed to sync agent 'X' with the indexer.
Query the indexer’s health with GET _cluster/health. The cluster status must be:
Wazuh v4.8.0–v4.9.0: green
Wazuh v4.9.1 and later: green or yellow
Pending inventory updates:
Wait for the next Syscollector scan after removing agents or upgrading packages.
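The server-indexer checks above can be scripted as a pre-reset gate. The following is an added example, not part of the Wazuh documentation or code base: the function names, the log line prefixes and the sample data are constructed for illustration, and the only field read from the GET _cluster/health response is status.

```python
import json
import re

# Messages the page says to look for in the manager log.
SYNC_FAILED = re.compile(r"Failed to sync agent '([^']+)' with the indexer")
NO_SERVER = "No available server"


def parse_version(text):
    """Turn 'v4.9.1' or '4.9.1' into a comparable tuple (4, 9, 1)."""
    return tuple(int(part) for part in text.lstrip("v").split("."))


def accepted_statuses(wazuh_version):
    """Cluster statuses the page accepts for a given Wazuh version."""
    version = parse_version(wazuh_version)
    if version < (4, 8, 0):
        raise ValueError("the page only covers Wazuh v4.8.0 and later")
    return {"green"} if version <= (4, 9, 0) else {"green", "yellow"}


def preflight(wazuh_version, health_json, log_lines):
    """Return the Step 1 findings; an empty list means none were found."""
    findings = []
    status = json.loads(health_json).get("status")
    allowed = accepted_statuses(wazuh_version)
    if status not in allowed:
        findings.append(f"cluster status {status!r}, expected one of {sorted(allowed)}")
    if any(NO_SERVER in line for line in log_lines):
        findings.append("manager log: No available server")
    agents = sorted({m.group(1) for line in log_lines for m in SYNC_FAILED.finditer(line)})
    if agents:
        findings.append("manager log: failed indexer sync for agents " + ", ".join(agents))
    return findings


# Constructed sample input (hypothetical, not captured from a real deployment).
SAMPLE_HEALTH = '{"cluster_name": "example", "status": "yellow"}'
SAMPLE_LOG = [
    "2024/01/01 10:00:00 indexer-connector: WARNING: No available server",
    "2024/01/01 10:00:05 indexer-connector: WARNING: Failed to sync agent '003' with the indexer",
    "2024/01/01 10:00:09 wazuh-modulesd: INFO: scan finished",
]

if __name__ == "__main__":
    for wazuh_version in ("4.9.0", "4.9.1"):
        print(wazuh_version, preflight(wazuh_version, SAMPLE_HEALTH, SAMPLE_LOG))
```

A non-empty result means a Step 1 issue is still present and should be resolved before the data reset in Step 2.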
Step 2: Reset the module's data
If the above steps don’t resolve the issue, follow these steps for every Wazuh manager node:
Stop the Wazuh manager.
# systemctl stop wazuh-manager
Disable the Vulnerability Detector module:
<vulnerability-detection>
  <enabled>no</enabled>
  <!-- Other configurations -->
</vulnerability-detection>
Delete state databases. They store data such as agent vulnerabilities and queued events.
# rm -rf /var/ossec/queue/vd/inventory/
# rm -rf /var/ossec/queue/vd/delayed/
# rm -rf /var/ossec/queue/vd/event/
# rm -rf /var/ossec/queue/indexer/
Clean the vulnerabilities index.
DELETE wazuh-states-vulnerabilities-*
Ensure the index is clean.
GET wazuh-states-vulnerabilities-*/_count
{
  "count": 0,
  "_shards": {
    "total": 0,
    "successful": 0,
    "skipped": 0,
    "failed": 0
  }
}
Start the Wazuh manager. The module updates its state to disabled.
# systemctl start wazuh-manager
Enable the Vulnerability Detector module.
<vulnerability-detection>
  <enabled>yes</enabled>
  <!-- Other configurations -->
</vulnerability-detection>
Restart the manager to initiate a re-scan.
# systemctl restart wazuh-manager