Offline Update

If the Wazuh server isn't directly connected to the Internet, it's still possible to keep the Common Vulnerabilities and Exposures (CVEs) information updated. You can download a repository file and access it within your local environment or network.

Downloading the Wazuh vulnerabilities file

We regularly publish a snapshot of the threat intelligence repository to the Cyber Threat Vulnerability Intelligence (CTI) API. We provide this snapshot as a downloadable file containing the CVE documents. To retrieve the link to download this compressed file and output its date, run a command to query the API as follows.

$ # <CTI_API_URL> is a placeholder: the API endpoint is not shown on this page
$ response=$(curl -s -X GET "<CTI_API_URL>")
$ echo "$response" | jq -r '.data.last_snapshot_link'
$ echo "$response" | jq -r '.data.last_snapshot_at'

Configure offline vulnerability detection

To use the Vulnerability Detection module offline, follow these steps.

  1. Edit the /var/ossec/etc/ossec.conf file on the Wazuh server. Add the offline repository file path in the vulnerability detection block so that the Wazuh server can locate the file.

  2. Restart the Wazuh manager.

    # systemctl restart wazuh-manager
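
Before the restart, it is worth confirming that the snapshot is recent and came over HTTPS, and that the configuration actually points at it. The following is an added example, not code from Wazuh or from this page. It assumes the `<offline-url>` option name inside `<vulnerability-detection>`, an ISO 8601 value in `last_snapshot_at`, and constructed sample data with placeholder URLs and paths.

```python
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample of the API response; only the two fields queried above.
SAMPLE_RESPONSE = json.dumps({"data": {
    "last_snapshot_link": "https://cti.example.invalid/snapshots/feed.zip",
    "last_snapshot_at": "2024-05-01T06:00:00Z"}})

# Constructed ossec.conf fragment; the feed path is a placeholder.
SAMPLE_CONF = """
<ossec_config>
  <vulnerability-detection>
    <enabled>yes</enabled>
    <offline-url>file:///path/to/feed.zip</offline-url>
  </vulnerability-detection>
</ossec_config>
<ossec_config>
  <global><jsonout_output>yes</jsonout_output></global>
</ossec_config>
"""

def snapshot_info(response_text, now, max_age_days=7):
    """Return (link, age_days); reject non-HTTPS links and stale snapshots."""
    data = json.loads(response_text)["data"]
    link = data["last_snapshot_link"]
    if urlparse(link).scheme != "https":
        raise ValueError(f"snapshot link is not HTTPS: {link}")
    # Assumption: the timestamp is ISO 8601 with a trailing Z for UTC.
    taken = datetime.fromisoformat(data["last_snapshot_at"].replace("Z", "+00:00"))
    age = (now - taken).days
    if age > max_age_days:
        raise ValueError(f"snapshot is {age} days old, limit is {max_age_days}")
    return link, age

def offline_url(conf_text):
    """Return the <offline-url> value from the vulnerability detection block."""
    # ossec.conf may hold several <ossec_config> roots, so wrap before parsing.
    root = ET.fromstring(f"<wrap>{conf_text}</wrap>")
    node = root.find("./ossec_config/vulnerability-detection/offline-url")
    value = (node.text or "").strip() if node is not None else ""
    if not value:
        raise ValueError("no <offline-url> set in <vulnerability-detection>")
    return value

if __name__ == "__main__":
    now = datetime(2024, 5, 3, 12, 0, tzinfo=timezone.utc)  # fixed for the sample
    print(snapshot_info(SAMPLE_RESPONSE, now))
    print(offline_url(SAMPLE_CONF))
```

In practice, pass the saved `$response` text and the contents of /var/ossec/etc/ossec.conf instead of the samples, and use the current UTC time for `now`.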