Known issues

This section lists known issues that might occur when using the Vulnerability Detection module. It includes the affected versions, fixes, and remediation steps for situations where an upgrade is not feasible.

Dangling entries in the vulnerabilities dashboard

Issue description

Problem

  • Reported vulnerabilities for agents that were removed from the environment.

  • Reported vulnerabilities for uninstalled or upgraded packages.

Cause

The agent removal event isn't processed.

  • Example: queued scan events remain, and a content update triggers a re-scan.

Affected versions

Wazuh 4.8.0 through 4.9.x.

Fix available

Wazuh 4.10.0 introduces a fix that ensures agent removal events are processed immediately. However, upgrading doesn't remove pre-existing dangling entries, which require manual cleanup.

Remediation plan

Apply a full reset of the module’s data, but only after addressing common configuration and environmental issues.

Step 1: Address common issues

  • Inactive agent or connection problems:

    • Verify the agent is active and reporting. Check agent logs for errors and warnings about the connection with the manager.

    • Ensure the agent’s inventory doesn’t list uninstalled packages. If it does, there might be a problem with Syscollector.

  • Server-Indexer communication problems:

    • Check manager logs for errors such as "No available server" or "Failed to sync agent 'X' with the indexer".

    • Query the indexer’s health with GET _cluster/health. The cluster status must be:

      • Wazuh v4.8.0–v4.9.0: green

      • Wazuh v4.9.1 and later: green or yellow

  • Pending inventory updates:

    • Wait for the next Syscollector scan after removing agents or upgrading packages.

Step 2: Reset the module's data

If the above steps don’t resolve the issue, follow these steps for every Wazuh manager node:

  1. Stop the Wazuh manager.

    # systemctl stop wazuh-manager
    
  2. Disable the Vulnerability Detector module:

    <vulnerability-detection>
       <enabled>no</enabled>
       <!-- Other configurations -->
    </vulnerability-detection>
    
  3. Delete state databases. They store data such as agent vulnerabilities and queued events.

    # rm -rf /var/ossec/queue/vd/inventory/
    # rm -rf /var/ossec/queue/vd/delayed/
    # rm -rf /var/ossec/queue/vd/event/
    # rm -rf /var/ossec/queue/indexer/
    
  4. Clean the vulnerabilities index.

    DELETE wazuh-states-vulnerabilities-*
    
  5. Ensure the index is clean.

    GET wazuh-states-vulnerabilities-*/_count
    
    {
      "count": 0,
      "_shards": {
        "total": 0,
        "successful": 0,
        "skipped": 0,
        "failed": 0
      }
    }
    
  6. Start the Wazuh manager. The module updates its state to disabled.

    # systemctl start wazuh-manager
    
  7. Enable the Vulnerability Detector module.

    <vulnerability-detection>
       <enabled>yes</enabled>
       <!-- Other configurations -->
    </vulnerability-detection>
    
  8. Restart the manager to initiate a re-scan.

    # systemctl restart wazuh-manager
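The following shell helpers are an added example and are not code from the Wazuh documentation or project. They wrap the Step 1 indexer health check and Steps 2 through 8 of the reset so that each piece can be exercised against a scratch directory before it is run on a real manager node. The configuration path /var/ossec/etc/ossec.conf, the INDEXER_URL argument, and the use of curl against the indexer API are assumptions; the directories and index pattern are the ones listed above.

```shell
#!/bin/sh
# Added example (not from the Wazuh documentation or project).
# Every function takes its paths and inputs as arguments so the logic can be
# tested in a scratch directory. Assumed, not on the page: ossec.conf lives at
# $OSSEC_ROOT/etc/ossec.conf and the indexer API is reachable with curl.

OSSEC_ROOT="${OSSEC_ROOT:-/var/ossec}"

# health_acceptable VERSION STATUS
# Step 1 check: returns 0 when the cluster status meets the requirement for the
# given Wazuh version (green only for 4.8.0-4.9.0, green or yellow from 4.9.1).
health_acceptable() {
    version="$1"; status="$2"
    major=$(printf '%s' "$version" | cut -d. -f1)
    minor=$(printf '%s' "$version" | cut -d. -f2)
    patch=$(printf '%s' "$version" | cut -d. -f3); patch="${patch:-0}"
    [ "$status" = "green" ] && return 0
    if [ "$status" = "yellow" ]; then
        [ "$major" -gt 4 ] && return 0
        [ "$major" -eq 4 ] && [ "$minor" -gt 9 ] && return 0
        [ "$major" -eq 4 ] && [ "$minor" -eq 9 ] && [ "$patch" -ge 1 ] && return 0
    fi
    return 1
}

# vd_set_enabled CONF yes|no
# Steps 2 and 7: rewrite the <enabled> tag inside the <vulnerability-detection>
# block only, leaving other modules' <enabled> tags in ossec.conf untouched.
vd_set_enabled() {
    conf="$1"; value="$2"
    case "$value" in yes|no) ;; *) echo "value must be yes or no" >&2; return 2 ;; esac
    tmp="$conf.tmp.$$"
    sed "/<vulnerability-detection>/,/<\/vulnerability-detection>/ s|<enabled>[a-z]*</enabled>|<enabled>$value</enabled>|" "$conf" > "$tmp" \
        && mv "$tmp" "$conf"
}

# vd_enabled_value CONF
# Print the current <enabled> value of the <vulnerability-detection> block.
vd_enabled_value() {
    sed -n '/<vulnerability-detection>/,/<\/vulnerability-detection>/ s|.*<enabled>\([a-z]*\)</enabled>.*|\1|p' "$1"
}

# vd_purge_state ROOT
# Step 3: remove the state databases listed in the procedure, relative to ROOT
# (/var/ossec on a real node). Refuses an empty or missing ROOT so the paths
# can never expand to /queue/...
vd_purge_state() {
    root="$1"
    [ -n "$root" ] && [ -d "$root" ] || return 2
    for d in queue/vd/inventory queue/vd/delayed queue/vd/event queue/indexer; do
        rm -rf "$root/$d"
    done
}

# vd_index_count JSON
# Step 5: extract the top-level "count" from a _count response body.
vd_index_count() {
    printf '%s\n' "$1" | sed -n 's/.*"count"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# vd_reset CONF ROOT INDEXER_URL
# Runs Steps 1-8 in order on one manager node. It stops services and talks to
# the indexer, so it is only meant for a real node, not for the dry tests.
vd_reset() {
    conf="$1"; root="$2"; indexer="$3"
    systemctl stop wazuh-manager                                        # step 1
    vd_set_enabled "$conf" no                                           # step 2
    vd_purge_state "$root"                                              # step 3
    curl -sS -X DELETE "$indexer/wazuh-states-vulnerabilities-*"        # step 4
    body=$(curl -sS "$indexer/wazuh-states-vulnerabilities-*/_count")   # step 5
    [ "$(vd_index_count "$body")" = "0" ] || { echo "index not empty" >&2; return 1; }
    systemctl start wazuh-manager                                       # step 6
    vd_set_enabled "$conf" yes                                          # step 7
    systemctl restart wazuh-manager                                     # step 8
}
```

On a node you would source the file and call vd_reset "$OSSEC_ROOT/etc/ossec.conf" "$OSSEC_ROOT" "https://indexer.example:9200" (the URL and any credentials curl needs are yours to supply). The health check encodes the version-dependent rule from Step 1, and vd_set_enabled uses a sed range so a bare substitution cannot accidentally flip the <enabled> tag of another module in the same file.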