Wazuh is widely used as an open-source XDR and SIEM platform, but one of its most valuable capabilities is vulnerability detection.
By continuously analyzing operating systems, installed packages, and software inventories, Wazuh helps security teams identify known vulnerabilities before attackers can exploit them.
When vulnerability detection stops working, organizations can lose visibility into critical security risks and unknowingly leave systems exposed.
Unfortunately, “Wazuh vulnerability detection not working” is a common issue reported by administrators.
The problem can appear in several ways:
- No vulnerabilities are displayed in the Wazuh dashboard
- Vulnerability scans remain stuck in a pending state
- Agents stop reporting vulnerability data
- Newly discovered CVEs never appear in reports
- Vulnerability counts suddenly drop to zero
- The Vulnerability Detection module appears enabled but generates no results
These issues can be caused by anything from misconfigured agents and outdated vulnerability feeds to database synchronization problems and version incompatibilities.
In this troubleshooting guide, you’ll learn how Wazuh vulnerability detection works, the most common reasons it stops functioning, and step-by-step solutions to restore vulnerability visibility.
Whether you’re running Wazuh in a small environment or an enterprise deployment, these fixes will help you identify the root cause and get vulnerability detection operating correctly again.
If you’re also experiencing communication issues between agents and the manager, check out our guides “How to Install a Wazuh Agent on Windows Server” and “Wazuh Agent Not Connecting to Manager? 12 Fixes That Actually Work”, as connectivity problems often impact vulnerability reporting.
How Wazuh Vulnerability Detection Works
Overview of the Vulnerability Detection Module
The Wazuh Vulnerability Detection module is designed to identify known security vulnerabilities affecting monitored endpoints.
It works by collecting software inventory information from Wazuh agents and comparing that data against trusted vulnerability databases containing Common Vulnerabilities and Exposures (CVEs).
When a vulnerable package or application is detected, Wazuh generates alerts and displays the affected systems within the dashboard, allowing security teams to prioritize remediation efforts.
Unlike traditional vulnerability scanners that actively probe systems over the network, Wazuh performs agent-based vulnerability assessment.
This approach provides detailed visibility into installed software while reducing network overhead and scan-related disruptions.
According to the MITRE CVE Program, the CVE system provides a standardized method for identifying publicly disclosed cybersecurity vulnerabilities, making it one of the foundational data sources used throughout the security industry.
Data Sources Used by Wazuh
To accurately identify vulnerabilities, Wazuh consumes vulnerability intelligence from multiple trusted sources.
Common sources include:
- National Vulnerability Database (NVD)
- Vendor-specific security advisories
- Operating system security repositories
- Distribution package databases
- CVE feeds maintained by software vendors
These feeds contain information such as:
- CVE identifiers
- Severity scores (CVSS)
- Affected software versions
- Remediation recommendations
- Publication and update dates
The quality and freshness of these vulnerability feeds directly affect detection accuracy.
If feed updates fail or become outdated, Wazuh may stop identifying newly disclosed vulnerabilities.
The National Institute of Standards and Technology (NIST) maintains the National Vulnerability Database, which serves as one of the most authoritative sources of vulnerability information used across the cybersecurity industry.
How Agents, Manager, and Vulnerability Feeds Interact
Several Wazuh components work together to perform vulnerability detection.
Wazuh Agent
- Collects software inventory data from endpoints
- Identifies installed packages and versions
- Sends inventory information to the Wazuh Manager
Wazuh Manager
- Receives inventory data from agents
- Downloads and maintains vulnerability intelligence feeds
- Correlates software inventories with known CVEs
- Generates vulnerability alerts
Indexer and Dashboard
- Store vulnerability results
- Display detected vulnerabilities
- Provide filtering, reporting, and investigation capabilities
When any of these components fail, vulnerability detection can stop functioning properly.
For example:
- Agents may stop sending inventory data
- Feed synchronization may fail
- The manager may be unable to process vulnerability information
- Indexer issues may prevent vulnerabilities from appearing in dashboards
This is similar to how integrations operate in How to Integrate Wazuh with Suricata for Better Threat Detection, where multiple components must exchange data successfully for detection results to appear.
Typical Vulnerability Detection Workflow
A normal Wazuh vulnerability detection process typically follows these steps:
1. The Wazuh agent collects software inventory information from an endpoint.
2. The inventory data is transmitted to the Wazuh Manager.
3. The manager updates its vulnerability databases and CVE feeds.
4. Wazuh compares installed software versions against known vulnerabilities.
5. Matching CVEs are identified.
6. Alerts are generated and indexed.
7. Vulnerabilities become visible in the Wazuh dashboard.
Security researchers at the Cybersecurity and Infrastructure Security Agency (CISA) consistently emphasize that vulnerability management programs depend on accurate asset inventories and timely vulnerability intelligence.
If either component is missing, organizations can develop blind spots that allow exploitable vulnerabilities to remain undetected.
Understanding this workflow is important because every troubleshooting step later in this guide maps directly to one of these stages.
By identifying where the process breaks down, you can quickly determine why Wazuh vulnerability detection is not working and apply the appropriate fix.
Signs That Wazuh Vulnerability Detection Is Not Working
Identifying the symptoms of a vulnerability detection failure is the first step toward resolving the problem.
In many cases, Wazuh continues collecting logs and generating security alerts normally, making it easy to overlook issues within the vulnerability detection pipeline.
The following warning signs often indicate that vulnerability detection is not functioning correctly.
No Vulnerabilities Appearing in the Dashboard
One of the most obvious indicators is when the Vulnerabilities section of the Wazuh dashboard shows zero results across all monitored endpoints.
While it’s possible for a small environment to have very few vulnerabilities, most systems contain at least some outdated packages or software versions.
If the dashboard suddenly displays no vulnerabilities after previously showing results, there is likely a problem with vulnerability data collection, feed synchronization, or indexing.
Common indicators include:
- Total vulnerability count drops to zero
- Vulnerability dashboards remain blank
- Searches return no CVE records
- Existing vulnerability reports disappear unexpectedly
Vulnerability Inventory Shows Empty Results
Wazuh relies on software inventory data collected from agents.
If inventory collection stops working, vulnerability detection cannot determine which applications and packages are installed.
You may notice:
- Empty software inventories
- Missing package information
- Endpoints showing “No inventory available”
- Inventory reports failing to update
Without accurate inventory data, Wazuh has nothing to compare against vulnerability databases.
Newly Installed Software Is Not Being Scanned
A healthy vulnerability detection system should identify newly installed software during subsequent inventory scans.
Potential warning signs include:
- Recently installed applications never appear in inventory reports
- New packages are not evaluated for vulnerabilities
- Updated software versions remain unchanged in Wazuh
- Inventory timestamps remain static for extended periods
This often points to agent-side inventory collection issues.
Vulnerability Events Missing from Alerts
Even if vulnerabilities exist in the database, alert generation may fail.
Symptoms include:
- No vulnerability-related alerts appearing in the Security Events dashboard
- Missing CVE notifications
- No vulnerability alerts being forwarded to external systems
- Correlation rules failing to trigger
If alerts are missing while vulnerability data exists elsewhere, the issue may involve rule processing, indexing, or alert pipelines.
Delayed or Stale Vulnerability Data
Another common problem is outdated vulnerability information.
Signs of stale data include:
- Vulnerability reports not updating for days or weeks
- Recently disclosed CVEs never appearing
- Software updates not affecting vulnerability counts
- Feed synchronization timestamps becoming outdated
According to the National Institute of Standards and Technology (NIST), effective vulnerability management depends on timely vulnerability intelligence and continuous monitoring.
Delayed vulnerability data can create significant security blind spots.
If you notice one or more of these symptoms, the next step is identifying the root cause.
Common Causes of Wazuh Vulnerability Detection Issues
Several components must work correctly for Wazuh vulnerability detection to function properly.
A failure in any part of the process can prevent vulnerabilities from appearing.
Vulnerability Detection Module Is Disabled
One of the most overlooked causes is that the Vulnerability Detection module is disabled in the Wazuh Manager configuration.
This can happen after:
- Upgrades
- Configuration migrations
- Manual changes to ossec.conf
- Incorrect deployment templates
If the module is disabled, vulnerability analysis simply never runs.
Always verify that vulnerability detection is explicitly enabled before investigating more complex causes.
Outdated Vulnerability Feeds
Wazuh depends on regularly updated vulnerability feeds to identify newly discovered CVEs.
Problems can occur when:
- Feed downloads fail
- Update repositories become unreachable
- Synchronization processes stop
- Local feed databases become corrupted
Without current vulnerability intelligence, Wazuh cannot accurately match software inventories against known vulnerabilities.
The official Wazuh documentation recommends verifying feed synchronization whenever vulnerability detection results appear incomplete or outdated.
Agent Inventory Collection Problems
Software inventory data serves as the foundation of vulnerability detection.
Issues may occur when:
- Agents stop reporting inventory information
- Syscollector is disabled
- Inventory scans fail
- Endpoint software data becomes incomplete
Because vulnerability detection relies heavily on Syscollector, inventory collection problems frequently result in missing vulnerability data.
For a deeper understanding of Wazuh agent communication and configuration, see How to Install a Wazuh Agent on Windows Server.
Manager Synchronization Failures
The Wazuh Manager performs the correlation between software inventories and vulnerability databases.
Problems may occur if:
- Feed synchronization processes fail
- Internal databases become inconsistent
- Vulnerability scanner services stop responding
- Cluster synchronization issues occur in distributed deployments
These failures can prevent the manager from producing vulnerability findings even when agent inventories are available.
Database or Indexing Issues
In some cases, vulnerabilities are detected successfully but never appear in the dashboard.
Potential causes include:
- OpenSearch indexing failures
- Database corruption
- Storage limitations
- Search backend synchronization errors
When this happens, vulnerability data may exist within the manager logs but remain invisible to users.
If you’re troubleshooting indexing-related problems, you may also find Wazuh vs OpenSearch helpful for understanding the relationship between Wazuh and its search backend.
Unsupported Operating Systems
Not all operating systems receive the same level of vulnerability coverage.
Issues can arise when:
- Legacy operating systems are deployed
- Unsupported distributions are monitored
- Vendor feeds no longer provide updates
- Package formats are not fully recognized
Always verify that your operating system version is supported by the Wazuh release you’re running.
Connectivity Problems Between Agents and Manager
Vulnerability detection depends on reliable communication between endpoints and the manager.
Connectivity problems can prevent:
- Inventory uploads
- Configuration updates
- Synchronization requests
- Vulnerability scanning data transfers
Common causes include:
- Firewall restrictions
- Network outages
- DNS issues
- Certificate problems
If agents appear disconnected, review “Wazuh Agent Not Connecting to Manager? 12 Fixes That Actually Work” for a detailed troubleshooting process.
Insufficient Permissions or Configuration Errors
Incorrect permissions can prevent Wazuh from accessing inventory files, updating vulnerability databases, or writing scan results.
Examples include:
- Incorrect file ownership
- Restricted service accounts
- Invalid configuration syntax
- Missing required directories
Even a small configuration error can stop the vulnerability detection workflow from functioning correctly.
Security experts at the Center for Internet Security (CIS) consistently emphasize configuration management as a foundational security control because misconfigurations are among the most common causes of security monitoring failures.
Verify That Vulnerability Detection Is Enabled
Before troubleshooting advanced issues, verify that the Vulnerability Detection module is actually enabled and operating correctly.
This simple check resolves many cases where administrators assume vulnerability scanning is running when it is not.
Checking the Wazuh Manager Configuration
Begin by reviewing the Wazuh Manager configuration file:
```bash
sudo nano /var/ossec/etc/ossec.conf
```
Locate the vulnerability detection section and confirm that it exists within the configuration.
Depending on your Wazuh version, the configuration structure may differ slightly, but vulnerability detection should be explicitly enabled.
Look for entries related to:
- Vulnerability detection
- Vulnerability scanner configuration
- Feed update settings
- Scan intervals
If the section is missing entirely, the manager may not be performing vulnerability analysis.
Reviewing ossec.conf Settings
Carefully review all vulnerability-related settings for accuracy.
Verify:
- Vulnerability detection is enabled
- Feed update intervals are configured correctly
- Inventory collection requirements are met
- No conflicting settings exist
Also confirm that Syscollector is enabled on monitored agents because vulnerability detection depends on software inventory information.
For more information about creating and validating Wazuh configurations, see How to Create Custom Detection Rules in Wazuh (With Examples), which covers configuration management best practices.
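One way to automate the checks in this section, as an added example that is not part of the original guide or of Wazuh's own tooling: a Python script that reads ossec.conf text and reports a missing, disabled or conflicting vulnerability detection section on the manager, and Syscollector settings that stop package inventory on an agent. It assumes the section names `<vulnerability-detection>` (Wazuh 4.8 and later), `<vulnerability-detector>` (earlier releases) and `<wodle name="syscollector">`, and that unset Syscollector options keep their defaults; both sample configurations are constructed.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed samples, not taken from a real deployment.
SAMPLE_MANAGER_CONF = """
<ossec_config>
  <vulnerability-detection>
    <enabled>yes</enabled>
    <feed-update-interval>60m</feed-update-interval>
  </vulnerability-detection>
</ossec_config>
<!-- second block, e.g. appended by a deployment template -->
<ossec_config>
  <vulnerability-detection>
    <enabled>no</enabled>
  </vulnerability-detection>
</ossec_config>
"""
SAMPLE_AGENT_CONF = """
<ossec_config>
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <os>yes</os>
    <packages>no</packages>
  </wodle>
</ossec_config>
"""


def load_conf(text):
    """Parse ossec.conf text. The file may hold several <ossec_config>
    blocks, so wrap them in a synthetic root to get one XML document."""
    text = re.sub(r"<\?xml.*?\?>", "", text, flags=re.S)
    return ET.fromstring("<root>" + text + "</root>")


def check_option(findings, label, sections, name, wanted, default):
    """Compare every value set for <name> across repeated sections."""
    values = {el.text.strip().lower()
              for sec in sections for el in sec.findall(name) if el.text}
    values = values or {default}
    if len(values) > 1:
        findings.append(f"{label}: conflicting <{name}> values {sorted(values)}")
    elif values != {wanted}:
        findings.append(f"{label}: <{name}> is {min(values)!r}, expected {wanted!r}")


def audit_manager(text):
    """Findings for the manager-side vulnerability detection section."""
    root = load_conf(text)
    findings = []
    # 4.8+ section name first, then the name used by earlier releases.
    sections = (root.findall(".//vulnerability-detection")
                + root.findall(".//vulnerability-detector"))
    if not sections:
        findings.append("vulnerability detection: section missing")
    else:
        # "unset" forces a finding: the guide asks for an explicit <enabled>yes.
        check_option(findings, "vulnerability detection", sections,
                     "enabled", wanted="yes", default="unset")
    return findings


def audit_agent(text):
    """Findings for the Syscollector settings vulnerability detection needs."""
    root = load_conf(text)
    findings = []
    sections = root.findall(".//wodle[@name='syscollector']")
    if not sections:
        return ["syscollector: section missing"]
    # Assumption: unset options keep their defaults (module on, OS and
    # package inventory collected), so only explicit values are flagged.
    check_option(findings, "syscollector", sections, "disabled", "no", "no")
    check_option(findings, "syscollector", sections, "os", "yes", "yes")
    check_option(findings, "syscollector", sections, "packages", "yes", "yes")
    return findings


if __name__ == "__main__":
    # Usage: script.py manager|agent [path]; without a path the sample is used.
    role = sys.argv[1] if len(sys.argv) > 1 else "manager"
    if len(sys.argv) > 2:
        with open(sys.argv[2], encoding="utf-8") as fh:
            conf = fh.read()
    else:
        conf = SAMPLE_MANAGER_CONF if role == "manager" else SAMPLE_AGENT_CONF
    audit = audit_manager if role == "manager" else audit_agent
    for finding in audit(conf) or ["no findings"]:
        print(finding)
```

A configuration file that is not well-formed XML makes `load_conf` raise `xml.etree.ElementTree.ParseError`, which is itself worth investigating as an invalid-syntax cause.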
Confirming Vulnerability Detection Services Are Running
Next, verify that the necessary Wazuh services are active.
Check the manager status:
```bash
sudo systemctl status wazuh-manager
```
You can also review Wazuh logs for vulnerability-related activity:
```bash
sudo tail -f /var/ossec/logs/ossec.log
```
Look for messages indicating:
- Vulnerability scanner initialization
- Feed downloads
- Inventory processing
- Successful scan completion
Warning messages, repeated errors, or failed initialization events often point directly to the root cause.
Restarting Services After Configuration Changes
If you make any configuration changes, restart the Wazuh Manager to ensure the updates are applied.
```bash
sudo systemctl restart wazuh-manager
```
After restarting:
1. Confirm the service starts successfully.
2. Review the logs for errors.
3. Verify vulnerability-related processes initialize correctly.
4. Wait for the next inventory synchronization cycle.
5. Check the dashboard for updated vulnerability data.
Many administrators overlook this final step and continue troubleshooting before the updated configuration has actually taken effect.
Once you’ve confirmed vulnerability detection is enabled and running properly, the next step is validating that vulnerability feeds and software inventories are being collected successfully.
Check Vulnerability Feed Updates
Even when vulnerability detection is enabled, Wazuh cannot identify new CVEs unless its vulnerability feeds are updating successfully.
A broken feed synchronization process is one of the most common reasons administrators discover that Wazuh vulnerability detection is not working.
How Wazuh Downloads Vulnerability Feeds
Wazuh regularly downloads vulnerability intelligence from trusted sources and stores that information locally for analysis.
Depending on the operating systems being monitored, Wazuh may retrieve data from:
- National Vulnerability Database (NVD)
- Vendor security advisories
- Ubuntu Security Notices
- Red Hat Security Data
- Debian Security Tracker
- Microsoft vulnerability sources
- Other supported operating system repositories
The Wazuh Manager periodically synchronizes these feeds and updates its internal vulnerability database.
Once updated, the manager compares software inventory data against known CVEs to identify affected systems.
Verifying Feed Synchronization Status
Start by confirming that feed synchronization is occurring successfully.
Review the Wazuh logs and look for entries indicating:
- Feed downloads started successfully
- Feed updates completed successfully
- Vulnerability databases refreshed
- CVE data imported correctly
A healthy system should show periodic synchronization activity.
You can also compare:
- Last feed update timestamp
- Current date and time
- Recent CVE publication dates
If feed updates have not occurred for several days, vulnerability detection results may become outdated.
Identifying Feed Update Errors in Logs
Many synchronization issues can be diagnosed directly from the manager logs.
Common feed-related errors include:
- Download timeouts
- DNS resolution failures
- SSL certificate validation errors
- Repository connection failures
- Corrupted feed data
- Insufficient disk space
When reviewing logs, pay close attention to repeated error messages occurring during update cycles.
A single failed update may not be critical, but recurring synchronization failures usually indicate a persistent problem that must be resolved.
Forcing a Feed Update
If feed updates appear stale, forcing a synchronization can help determine whether the update process is functioning correctly.
First restart the manager:
```bash
sudo systemctl restart wazuh-manager
```
Then monitor the logs:
```bash
sudo tail -f /var/ossec/logs/ossec.log
```
Watch for:
- Feed initialization messages
- Successful downloads
- Database update events
- Synchronization completion messages
If errors appear immediately after restarting, they often reveal the root cause.
Confirm Syscollector Is Working Properly
Even perfectly updated vulnerability feeds are useless if Wazuh does not know what software is installed on endpoints.
This is where Syscollector becomes critical.
Syscollector gathers:
- Installed applications
- Operating system information
- Installed packages
- Software versions
- Hardware inventory
Without this information, vulnerability detection has nothing to compare against CVE databases.
If vulnerabilities are missing despite successful feed updates, the next area to investigate is Syscollector and software inventory collection.
Why Syscollector Is Required for Vulnerability Detection
Many administrators focus exclusively on vulnerability feeds when troubleshooting detection issues.
However, vulnerability detection depends equally on software inventory data collected through Syscollector.
If Syscollector stops working, vulnerability detection effectively stops working as well.
Checking Agent Inventory Collection
Syscollector runs on Wazuh agents and periodically collects software inventory information from monitored systems.
Verify that Syscollector is enabled in the agent configuration.
Review the agent configuration file and confirm that inventory collection settings are active.
Look for inventory-related data in the Wazuh dashboard, including:
- Installed software lists
- Operating system details
- Package inventories
- Hardware information
If inventory data is completely absent, Syscollector may be disabled or malfunctioning.
For a deeper understanding of Wazuh agent deployment and configuration, see How to Install a Wazuh Agent on Windows Server.
Verifying Installed Package Data
Next, confirm that package information is actually being collected.
A healthy agent should report details such as:
- Package names
- Installed versions
- Installation dates
- Operating system metadata
Compare the software inventory displayed in Wazuh with the actual software installed on the endpoint.
For example:
- Install a new package
- Wait for the next inventory scan
- Verify the package appears in Wazuh
If newly installed software never appears, inventory collection is likely failing.
Troubleshooting Missing Inventory Information
Several issues can prevent inventory data from reaching the manager.
Common causes include:
- Syscollector disabled in agent configuration
- Agent communication failures
- Corrupted inventory databases
- Unsupported operating systems
- Resource limitations on endpoints
- Agent service failures
You should also verify that agents are successfully communicating with the manager.
Connectivity issues frequently affect inventory reporting long before administrators notice missing vulnerability data.
If agent communication problems are suspected, review “Wazuh Agent Not Connecting to Manager? 12 Fixes That Actually Work” for detailed troubleshooting steps.
The official Wazuh documentation notes that vulnerability detection relies directly on Syscollector inventory information.
If inventory collection fails, vulnerability assessment cannot occur because Wazuh has no visibility into installed software.
Once you’ve confirmed that both vulnerability feeds and software inventories are functioning correctly, the next step is analyzing Wazuh logs for specific error messages.
Review Wazuh Logs for Errors
When troubleshooting complex vulnerability detection problems, Wazuh logs are often the fastest path to identifying the root cause.
Most feed synchronization failures, inventory collection issues, and configuration problems generate clear error messages within the manager logs.
Important Log Files to Check
The primary log file for troubleshooting vulnerability detection is:
/var/ossec/logs/ossec.log
This file contains information about:
- Vulnerability feed updates
- Agent communications
- Syscollector processing
- Database operations
- Service startup events
- Configuration validation
Depending on your deployment, you may also need to review:
- Indexer logs
- Dashboard logs
- Operating system logs
- Reverse proxy logs
However, ossec.log should always be your starting point.
Common Error Messages and Their Meanings
Certain errors appear frequently when vulnerability detection is not working.
| Error Type | Possible Cause |
|---|---|
| Feed download failed | Repository unreachable |
| SSL certificate error | Certificate validation failure |
| Connection timeout | Network connectivity issue |
| Inventory not found | Syscollector problem |
| Database write failure | Storage or permission issue |
| Invalid configuration | Configuration syntax error |
| Agent disconnected | Communication failure |
Rather than focusing on individual messages, look for recurring patterns that appear every synchronization cycle.
Repeated errors often point directly to the component causing the failure.
Using Command-Line Tools to Search Logs
Searching large log files manually can be difficult.
Useful commands include:
1. Search for vulnerability-related events:
```bash
grep -i vulnerability /var/ossec/logs/ossec.log
```
2. Search for errors:
```bash
grep -i error /var/ossec/logs/ossec.log
```
3. Search for warnings:
```bash
grep -i warning /var/ossec/logs/ossec.log
```
4. Monitor logs in real time:
```bash
tail -f /var/ossec/logs/ossec.log
```
These commands can quickly surface the messages most relevant to vulnerability detection issues.
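The grep commands return every matching line; the advice above to look for recurring patterns needs grouping as well. The following Python script is an added example, not part of the original guide or of Wazuh: it groups warnings and errors from ossec.log by component and normalised message, keeps those that repeat, and maps each to a stage of the detection workflow. The log layout `date time component: LEVEL: message`, the component-to-stage mapping and the sample lines (including their message text) are assumptions constructed for illustration.

```python
import re
import sys
from collections import defaultdict

# Constructed sample lines; the message texts are invented, not real Wazuh output.
SAMPLE_LOG = """\
2024/06/10 08:00:01 wazuh-modulesd:vulnerability-scanner: INFO: Feed update started.
2024/06/10 08:00:31 wazuh-modulesd:vulnerability-scanner: ERROR: Feed download failed: connection timed out after 30 s
2024/06/10 08:05:12 wazuh-remoted: WARNING: Agent '014' disconnected.
2024/06/10 09:00:01 wazuh-modulesd:vulnerability-scanner: INFO: Feed update started.
2024/06/10 09:00:46 wazuh-modulesd:vulnerability-scanner: ERROR: Feed download failed: connection timed out after 45 s
2024/06/10 09:30:00 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2024/06/10 10:00:02 wazuh-modulesd:vulnerability-scanner: ERROR: Feed download failed: connection timed out after 30 s
2024/06/10 10:02:10 wazuh-db: ERROR: Cannot write to database for agent '014': disk full
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<component>[^\s\[]+?)(?:\[\d+\])?: "
    r"(?P<level>DEBUG|INFO|WARNING|ERROR|CRITICAL): (?P<msg>.*)$")

# Hypothetical mapping from a substring of the component tag to the workflow
# stage it belongs to; adjust it to the tags seen in your own logs.
STAGES = [
    ("vulnerability", "feed update and CVE matching"),
    ("syscollector", "agent inventory"),
    ("remoted", "agent connectivity"),
    ("agentd", "agent connectivity"),
    ("wazuh-db", "manager database"),
    ("indexer", "indexing"),
]


def stage_for(component):
    """Return the workflow stage for a component tag, or 'other'."""
    for needle, stage in STAGES:
        if needle in component:
            return stage
    return "other"


def normalise(msg):
    """Collapse variable parts so repeats of one failure group together."""
    msg = re.sub(r"'[^']*'", "'*'", msg)   # quoted ids, names, paths
    return re.sub(r"\d+", "N", msg)        # counters, durations, ports


def recurring_problems(lines, min_count=2):
    """Group WARNING/ERROR/CRITICAL lines and keep those seen min_count times."""
    groups = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m or m["level"] not in ("WARNING", "ERROR", "CRITICAL"):
            continue
        key = (m["component"], m["level"], normalise(m["msg"]))
        groups[key].append(m["ts"])
    report = []
    for (component, level, pattern), stamps in groups.items():
        if len(stamps) >= min_count:
            report.append({
                "count": len(stamps), "stage": stage_for(component),
                "component": component, "level": level, "pattern": pattern,
                "first": stamps[0], "last": stamps[-1],
            })
    # Most frequent first; ties keep the order in which they first appeared.
    return sorted(report, key=lambda r: -r["count"])


if __name__ == "__main__":
    # Usage: script.py [/var/ossec/logs/ossec.log]; default is the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log_lines = fh.readlines()
    else:
        log_lines = SAMPLE_LOG.splitlines()
    for r in recurring_problems(log_lines):
        print(f'{r["count"]:>4}x [{r["stage"]}] {r["component"]} '
              f'{r["level"]}: {r["pattern"]} ({r["first"]} .. {r["last"]})')
```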
Identifying Feed Download Failures
Feed synchronization failures are among the most common causes of missing vulnerability data.
Look for log entries indicating:
- Failed downloads
- Repository access problems
- DNS lookup failures
- SSL validation errors
- Interrupted synchronization jobs
- Corrupted feed imports
Cybersecurity experts frequently emphasize log analysis as one of the most effective troubleshooting techniques because logs reveal exactly what the software attempted to do and why it failed.
If feed download failures are present, investigate:
- Internet connectivity
- Firewall restrictions
- Proxy settings
- DNS configuration
- Certificate trust stores
You may also find it useful to compare your deployment with other Wazuh integrations, such as How to Integrate Wazuh with VirusTotal for Threat Intelligence, where successful external communication is equally critical for receiving security intelligence updates.
By carefully reviewing logs, administrators can usually identify the specific component causing vulnerability detection failures instead of relying on trial-and-error troubleshooting.
Verify Agent Connectivity and Registration
Vulnerability detection depends on a continuous flow of inventory data from Wazuh agents to the manager.
Even if vulnerability feeds, Syscollector, and dashboard services are functioning correctly, disconnected or improperly registered agents will prevent vulnerabilities from being detected.
If some systems show vulnerabilities while others do not, agent connectivity should be one of the first areas you investigate.
Confirming Agent Status
Start by verifying that affected agents are actively connected to the Wazuh Manager.
On the manager, list registered agents:
```bash
/var/ossec/bin/agent_control -l
```
Review the output and check:
- Agent status
- Agent ID
- Last keepalive time
- Agent IP address
- Connection state
Healthy agents should appear as active and regularly communicate with the manager.
Warning signs include:
- Disconnected status
- Long gaps since the last keepalive
- Agents missing from the list entirely
- Duplicate agent entries
If an endpoint is disconnected, inventory updates and vulnerability assessments will stop.
Checking Agent Communication
Next, verify that communication between the agent and manager is functioning correctly.
On the endpoint, confirm the Wazuh Agent service is running.
Linux:
```bash
sudo systemctl status wazuh-agent
```
Windows:
```powershell
Get-Service WazuhSvc
```
Then review agent logs for communication errors.
Common communication problems include:
- DNS resolution failures
- Blocked firewall ports
- Incorrect manager IP addresses
- Certificate validation issues
- Network interruptions
You should also verify that the manager can receive incoming agent connections without restriction.
Resolving Disconnected Agent Issues
Disconnected agents are one of the most common causes of missing vulnerability data.
Typical fixes include:
- Restarting the Wazuh Agent service
- Restarting the Wazuh Manager service
- Updating manager connection settings
- Correcting firewall rules
- Verifying TLS certificates
- Resolving DNS issues
For example, if TCP port 1514 or 1515 is blocked, agents may be unable to send inventory data to the manager.
Re-enrolling Problematic Agents
If an agent remains disconnected after basic troubleshooting, re-enrollment may be necessary.
Re-enrollment can resolve:
- Corrupted agent keys
- Registration inconsistencies
- Authentication failures
- Agent database corruption
The general process involves:
1. Removing the agent from the manager.
2. Generating a new registration key.
3. Re-registering the endpoint.
4. Restarting agent services.
5. Confirming successful communication.
After re-enrollment, monitor inventory synchronization and verify that vulnerability data begins appearing again.
In many environments, re-enrollment is faster than spending hours diagnosing a severely corrupted agent registration.
Troubleshoot Dashboard and Indexing Problems
Sometimes Wazuh successfully detects vulnerabilities, but they never appear in the dashboard.
In these cases, the problem is often related to indexing, search services, or dashboard synchronization rather than vulnerability detection itself.
Understanding the difference can save significant troubleshooting time.
Vulnerabilities Detected but Not Displayed
A common scenario occurs when:
- Vulnerability scans complete successfully
- Inventory collection is working
- Manager logs show vulnerability processing
- Dashboard displays no vulnerabilities
This usually indicates a storage or indexing issue.
To confirm whether vulnerabilities are actually being detected, review the manager logs and search for vulnerability-related events.
If detection events exist but the dashboard remains empty, focus your investigation on the indexer and dashboard components.
OpenSearch/Indexer Health Checks
The Wazuh Indexer stores vulnerability data and makes it searchable within the dashboard.
Verify that the indexer service is running correctly.
For Linux systems:
```bash
sudo systemctl status wazuh-indexer
```
You should also review:
- Cluster health
- Available disk space
- Index status
- Shard allocation
- Memory utilization
Potential warning signs include:
- Red cluster status
- Unassigned shards
- High disk usage
- Repeated indexing failures
- Search query errors
Storage-related issues frequently prevent new vulnerability data from being indexed successfully.
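The warning signs listed above can be evaluated from two standard OpenSearch API responses, `GET _cluster/health` and `GET _cat/allocation?format=json`. The following Python script is an added example, not part of the original guide or of Wazuh: it turns those responses into findings, including the disk watermark that makes an indexer reject new vulnerability documents. The sample responses are constructed, and the thresholds are the OpenSearch default watermarks, which a deployment may have changed.

```python
import json

# Constructed responses in the shape returned by the two APIs (values invented).
# On a live indexer they can be fetched over HTTPS on port 9200 with an
# account that is allowed to read cluster state.
SAMPLE_HEALTH = json.loads("""{
  "cluster_name": "wazuh-cluster", "status": "red", "number_of_nodes": 1,
  "active_shards": 41, "unassigned_shards": 3,
  "active_shards_percent_as_number": 93.2
}""")
SAMPLE_ALLOCATION = json.loads("""[
  {"node": "node-1", "shards": "41", "disk.percent": "96",
   "disk.avail": "1.9gb", "disk.total": "50gb"},
  {"node": "UNASSIGNED", "shards": "3", "disk.percent": null,
   "disk.avail": null, "disk.total": null}
]""")

# OpenSearch default disk watermarks, in percent of disk used.
LOW, HIGH, FLOOD = 85, 90, 95


def indexer_findings(health, allocation):
    """Return human-readable findings for cluster health and disk usage."""
    findings = []
    status = health.get("status")
    if status == "red":
        findings.append(
            "cluster status red: at least one primary shard is unassigned")
    elif status == "yellow":
        # Expected on a single-node cluster whose indices request replicas.
        findings.append(
            "cluster status yellow: replica shards are unassigned")
    unassigned = health.get("unassigned_shards", 0)
    if unassigned:
        findings.append(f"{unassigned} unassigned shard(s)")
    for row in allocation:
        pct = row.get("disk.percent")
        if pct is None:
            # The UNASSIGNED pseudo-row carries no disk figures.
            continue
        pct = int(pct)  # _cat APIs return numbers as strings
        node = row["node"]
        if pct >= FLOOD:
            findings.append(
                f"{node}: disk {pct}% used, at or above flood stage: "
                "indices are made read-only and new documents are rejected")
        elif pct >= HIGH:
            findings.append(
                f"{node}: disk {pct}% used, above high watermark: "
                "shards are relocated away from this node")
        elif pct >= LOW:
            findings.append(
                f"{node}: disk {pct}% used, above low watermark: "
                "no new shards are allocated to this node")
    return findings


if __name__ == "__main__":
    for finding in indexer_findings(SAMPLE_HEALTH, SAMPLE_ALLOCATION) \
            or ["no findings"]:
        print(finding)
```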
Rebuilding Indexes When Necessary
In some situations, index corruption or synchronization failures may require rebuilding indexes.
Possible indicators include:
- Missing historical vulnerabilities
- Incomplete search results
- Dashboard errors
- Corrupted index warnings
- Failed index migrations after upgrades
Before rebuilding indexes:
- Back up critical data
- Document current configurations
- Verify storage capacity
- Review official Wazuh procedures
Index rebuilding should generally be treated as a last resort after other troubleshooting methods have failed.
Resolving Dashboard Synchronization Issues
The Wazuh Dashboard depends on communication with the indexer and manager.
Synchronization issues may result from:
- Authentication failures
- API connectivity problems
- Version mismatches
- Plugin errors
- Index permission issues
Common symptoms include:
- Empty vulnerability panels
- Partial data visibility
- Dashboard timeout errors
- Missing vulnerability widgets
The official Wazuh documentation recommends keeping the Manager, Indexer, and Dashboard on compatible versions to avoid synchronization issues after upgrades.
If vulnerabilities are successfully indexed but still not visible, dashboard synchronization should become the primary troubleshooting focus.
Validate Operating System and Package Support
Not every operating system, package manager, or software repository receives the same level of vulnerability coverage.
In some cases, Wazuh vulnerability detection appears broken when the real issue is that the monitored platform has limited or unsupported vulnerability data available.
Before continuing with advanced troubleshooting, verify that your environment is fully supported.
Supported Linux Distributions
Linux generally receives the strongest vulnerability detection support within Wazuh.
Commonly supported distributions include:
- Ubuntu
- Debian
- Red Hat Enterprise Linux (RHEL)
- CentOS Stream
- Rocky Linux
- AlmaLinux
- Oracle Linux
- SUSE Linux Enterprise Server
Wazuh can identify vulnerabilities by comparing installed package information against vendor-supported security advisories and vulnerability databases.
However, support may vary depending on:
- Distribution version
- Package manager type
- Vendor advisory availability
- End-of-life status
If a Linux distribution has reached end-of-life, vulnerability coverage may become incomplete or unavailable.
Windows Vulnerability Detection Considerations
Windows vulnerability detection operates differently than Linux package-based analysis.
Instead of relying exclusively on package managers, Wazuh analyzes:
- Installed software
- Operating system information
- Microsoft security updates
- Software inventory data
Administrators should verify:
- Syscollector is enabled
- Software inventory collection is functioning
- Windows updates are reported correctly
- Supported Windows versions are deployed
For Windows environments, proper agent installation is critical.
See How to Install a Wazuh Agent on Windows Server if you need to validate agent deployment.
macOS Support Limitations
macOS environments may have more limited vulnerability coverage compared to Linux systems.
Factors affecting detection include:
- Available vulnerability data sources
- Software inventory collection capabilities
- Vendor disclosure practices
- Supported Wazuh versions
Organizations with large macOS deployments should carefully review current Wazuh documentation to understand platform-specific limitations.
Handling Unsupported Software Packages
Even on supported operating systems, not every software package can be evaluated for vulnerabilities.
Detection challenges often arise when using:
- Custom-built applications
- Internally developed software
- Proprietary packages
- Third-party repositories
- Unsupported package formats
In these situations, Wazuh may successfully collect inventory information but still fail to generate vulnerability findings because no matching vulnerability intelligence exists.
Security researchers at the National Cyber Security Centre (NCSC) consistently emphasize maintaining accurate software inventories and understanding asset coverage limitations as key components of effective vulnerability management.
If you determine that your operating system and software stack are fully supported, the next step is examining version compatibility issues between Wazuh components and verifying that all services are running supported releases.
Step-by-Step Fixes for the Most Common Scenarios
After troubleshooting dozens of Wazuh deployments, we have found that most vulnerability detection problems fall into a handful of common categories.
Use the following step-by-step fixes to quickly identify and resolve the issue affecting your environment.
Scenario 1: Vulnerability Detection Shows No Results
Diagnostic Checklist
If the Vulnerabilities dashboard is completely empty:
- Verify vulnerability detection is enabled
- Confirm vulnerability feeds are updating
- Verify Syscollector is enabled
- Check agent connectivity
- Review manager logs for errors
- Confirm indexer health
- Validate operating system support
Recommended Fixes
- Enable vulnerability detection in ossec.conf.
- Restart the Wazuh Manager.
- Verify feed synchronization completes successfully.
- Confirm software inventory data exists.
- Check for indexing failures.
- Review dashboard connectivity.
In many cases, missing inventory data or disabled vulnerability detection is responsible for empty results.
Scenario 2: Vulnerability Feed Not Updating
Feed Troubleshooting Process
Begin by reviewing:
- Internet connectivity
- DNS resolution
- Proxy settings
- SSL certificate validation
- Feed synchronization logs
Search logs for:
grep -i vulnerability /var/ossec/logs/ossec.log
Look specifically for:
- Download failures
- Timeout errors
- Authentication failures
- Repository connection problems
Recovery Steps
- Restart the Wazuh Manager.
- Verify external network access.
- Correct DNS or proxy settings.
- Resolve SSL certificate issues.
- Confirm successful feed downloads in logs.
For organizations using external intelligence sources, similar troubleshooting techniques are covered in How to Integrate Wazuh with VirusTotal for Threat Intelligence.
Scenario 3: Agents Not Reporting Software Inventory
Inventory Verification
Verify that Syscollector is operational.
Check whether:
- Software inventory data exists
- Operating system information is visible
- Installed packages are reported
- Inventory timestamps are updating
If inventory data is missing, vulnerability detection cannot function.
Configuration Corrections
Common fixes include:
- Enable Syscollector on the agent
- Restart the Wazuh Agent service
- Verify manager connectivity
- Re-register disconnected agents
- Review agent logs for inventory errors
If inventory data remains unavailable, revisit Wazuh Agent Not Connecting to Manager? 12 Fixes That Actually Work because communication problems often prevent inventory synchronization.
Scenario 4: Vulnerabilities Found but Missing from Dashboard
Indexing and Dashboard Fixes
If logs indicate vulnerabilities are being detected but nothing appears in the dashboard:
- Check Wazuh Indexer health
- Verify cluster status
- Review dashboard logs
- Validate index permissions
- Confirm component version compatibility
Also verify sufficient disk space is available.
Verification Steps
After making corrections:
- Restart affected services.
- Monitor indexer health.
- Search for vulnerability records.
- Refresh dashboard visualizations.
- Confirm new vulnerabilities appear.
Scenario 5: Recently Installed Software Not Detected
Inventory Refresh Methods
When newly installed applications do not appear:
- Verify Syscollector scan intervals
- Confirm agent connectivity
- Check inventory collection logs
- Validate package support
Compare the endpoint’s installed software against the inventory shown in Wazuh.
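One way to make that comparison repeatable on a Debian or Ubuntu endpoint is sketched below. This is an added example, not Wazuh project code. Both inputs are constructed samples: the endpoint list mimics `dpkg-query -W` output, and the inventory mimics the response shape assumed for the Wazuh API Syscollector packages endpoint.

```python
# Constructed output of: dpkg-query -W -f='${Package} ${Version}\n'
ENDPOINT_DPKG = """\
openssl 3.0.2-0ubuntu1.15
curl 7.81.0-1ubuntu1.16
nginx 1.18.0-6ubuntu14.4
internal-agent 2.3.1
"""

# Constructed inventory for the same agent, in the shape assumed for
# GET /syscollector/{agent_id}/packages (data.affected_items[].name/version).
WAZUH_INVENTORY = {"data": {"affected_items": [
    {"name": "openssl", "version": "3.0.2-0ubuntu1.15"},
    {"name": "curl", "version": "7.81.0-1ubuntu1.14"},
    {"name": "vim", "version": "2:8.2.3995-1ubuntu2.16"},
]}}


def parse_dpkg(text):
    """Map package name -> version; lines without a version are skipped."""
    pkgs = {}
    for line in text.splitlines():
        name, _, version = line.strip().partition(" ")
        if name and version:
            pkgs[name] = version
    return pkgs


def diff_inventory(endpoint, inventory_json):
    """Compare endpoint packages with what Syscollector reported to the manager."""
    reported = {i["name"]: i["version"]
                for i in inventory_json["data"]["affected_items"]}
    common = endpoint.keys() & reported.keys()
    return {
        # Installed on the endpoint but never scanned for CVEs.
        "missing_in_wazuh": sorted(endpoint.keys() - reported.keys()),
        # Wazuh is evaluating a version that is no longer installed.
        "version_mismatch": sorted(n for n in common if endpoint[n] != reported[n]),
        # Removed from the endpoint but still present in the inventory.
        "stale_in_wazuh": sorted(reported.keys() - endpoint.keys()),
    }


if __name__ == "__main__":
    print(diff_inventory(parse_dpkg(ENDPOINT_DPKG), WAZUH_INVENTORY))
```

Any entry under `missing_in_wazuh` or `version_mismatch` points to an inventory that has not refreshed since the software changed, which is the condition the rescanning steps address.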
Rescanning Procedures
To force inventory updates:
- Restart the Wazuh Agent.
- Trigger a new inventory collection cycle.
- Restart the Wazuh Manager if necessary.
- Monitor logs for successful synchronization.
- Verify updated package information appears.
Once inventory data updates successfully, vulnerability detection should automatically evaluate newly discovered software against available CVE data.
Best Practices to Prevent Future Vulnerability Detection Problems
While most vulnerability detection issues can be fixed quickly, preventing them is far more efficient than troubleshooting them after visibility has been lost.
The following best practices help maintain reliable vulnerability monitoring.
Keep Wazuh Updated
New Wazuh releases frequently include:
- Vulnerability detection improvements
- Bug fixes
- Performance enhancements
- Expanded operating system support
- Feed synchronization updates
Running outdated versions can introduce compatibility issues and reduce detection accuracy.
The official Wazuh team recommends following supported upgrade paths and maintaining version consistency across the Manager, Indexer, and Dashboard.
Monitor Feed Synchronization Regularly
Don’t wait until vulnerability data disappears.
Regularly monitor:
- Feed update timestamps
- Synchronization logs
- Download failures
- Database refresh events
Many administrators create automated checks that alert when feeds have not updated within an expected timeframe.
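The sketch below shows one form such an automated check can take, applying the same filter as the `grep -i vulnerability` search from Scenario 2. It is an added example, not Wazuh project code. The log lines are constructed samples with illustrative message wording, and treating the newest vulnerability-related log line as the feed's last activity is an assumption.

```python
import re
from datetime import datetime, timedelta

# ossec.log layout: "YYYY/MM/DD HH:MM:SS daemon[:module]: LEVEL: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<tag>\S+): (?P<level>[A-Z]+): (?P<msg>.*)$"
)

# Constructed sample lines; message text is illustrative, not real manager output.
SAMPLE_LOG = """\
2024/05/01 02:00:05 wazuh-modulesd:vulnerability-scanner: INFO: Starting feed update
2024/05/01 02:00:41 wazuh-modulesd:vulnerability-scanner: ERROR: Feed download failed: connection timed out
2024/05/01 02:10:00 wazuh-remoted: INFO: Agent connected
2024/05/01 02:30:12 wazuh-modulesd:vulnerability-scanner: WARNING: Retrying feed download
2024/05/02 09:15:00 wazuh-modulesd:syscollector: INFO: Evaluation finished
"""


def check_feed_health(log_text, now, max_age=timedelta(hours=24)):
    """Return (status, last_seen, problems) for vulnerability-related log lines."""
    last_seen, problems = None, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        # Same selection as `grep -i vulnerability`.
        if not m or "vulnerability" not in line.lower():
            continue
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        last_seen = ts if last_seen is None else max(last_seen, ts)
        if m["level"] in ("WARNING", "ERROR", "CRITICAL"):
            problems.append((ts, m["level"], m["msg"]))
    if last_seen is None:
        return "NO_DATA", None, problems      # module silent or disabled
    if now - last_seen > max_age:
        return "STALE", last_seen, problems   # no activity inside the window
    return ("DEGRADED" if problems else "OK"), last_seen, problems


if __name__ == "__main__":
    status, last_seen, problems = check_feed_health(
        SAMPLE_LOG, datetime(2024, 5, 1, 3, 0, 0))
    print(status, last_seen, len(problems))
```

In production the text would come from `/var/ossec/logs/ossec.log`, and any status other than `OK` would feed whatever alerting channel the team already uses.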
Audit Agent Health Frequently
Since vulnerability detection relies on endpoint inventory data, agent health should be reviewed regularly.
Monitor:
- Connected agents
- Last keepalive times
- Inventory update frequency
- Registration status
- Communication errors
Regular audits help identify issues before vulnerability visibility is affected.
Enable Alerting for Vulnerability Detection Failures
Consider creating custom monitoring rules that alert when:
- Feed updates fail
- Inventory collection stops
- Vulnerability databases become stale
- Agent counts drop unexpectedly
You can implement custom monitoring logic using techniques described in How to Create Custom Detection Rules in Wazuh (With Examples).
Proactive alerting significantly reduces detection gaps.
Review Vulnerability Inventory Data Periodically
Periodic reviews help verify that vulnerability detection remains accurate.
Review:
- Software inventories
- Vulnerability counts
- Recently discovered CVEs
- Endpoint coverage
- High-risk assets
According to guidance from the Center for Internet Security (CIS), continuous asset visibility and vulnerability management are foundational cybersecurity controls that should be regularly validated.
Frequently Asked Questions
Question: Why is Wazuh not showing vulnerabilities?
The most common causes include:
- Vulnerability detection disabled
- Failed feed updates
- Syscollector not collecting inventory data
- Agent communication issues
- Indexing or dashboard problems
- Unsupported operating systems
Start by verifying inventory collection and feed synchronization, as these are responsible for most cases.
Question: How often does Wazuh update vulnerability feeds?
The update frequency depends on your configuration and Wazuh version.
In most deployments, feeds are synchronized automatically at regular intervals to ensure newly disclosed CVEs are available for analysis.
Always verify synchronization timestamps if vulnerability data appears outdated.
Question: Does vulnerability detection require Syscollector?
Yes.
Syscollector collects software inventory information that vulnerability detection uses to identify affected packages and applications.
Without Syscollector, Wazuh cannot determine what software is installed and therefore cannot perform vulnerability analysis.
Question: Can firewall rules prevent vulnerability detection from working?
Yes.
Firewall restrictions can block:
- Agent-to-manager communication
- Feed downloads
- Dashboard access
- Indexer synchronization
Network connectivity should always be verified when troubleshooting vulnerability detection issues.
Question: How do I force Wazuh to rescan vulnerabilities?
The most common approach is:
- Ensure Syscollector inventory data is current.
- Restart the Wazuh Manager.
- Monitor feed synchronization logs.
- Verify updated inventory information appears.
- Confirm vulnerabilities are recalculated and displayed.
Question: Why are some packages missing from vulnerability reports?
Possible reasons include:
- Unsupported software packages
- Missing vulnerability intelligence
- Incomplete inventory collection
- Unsupported operating systems
- Vendor advisories not available
Not every package has associated vulnerability data available for analysis.
Question: Does vulnerability detection work on Windows and Linux?
Yes.
Wazuh supports vulnerability detection on both Windows and Linux systems, although coverage and detection methods differ depending on the operating system, package ecosystem, and available vendor security data.
Linux distributions generally offer the broadest vulnerability coverage due to their package management ecosystems and publicly available security advisories.
Conclusion
When Wazuh vulnerability detection is not working, the root cause typically falls into one of a few categories: disabled vulnerability scanning, failed feed synchronization, missing software inventory data, agent communication problems, indexing issues, or unsupported platforms.
The most effective troubleshooting approach is to follow the vulnerability detection workflow step by step:
- Verify vulnerability detection is enabled.
- Confirm vulnerability feeds are updating.
- Validate Syscollector inventory collection.
- Check agent connectivity and registration.
- Review manager logs for errors.
- Verify indexer and dashboard health.
- Confirm operating system and package support.
In most environments, the problem can be identified quickly by checking feed synchronization logs and software inventory data first.
These two components form the foundation of Wazuh’s vulnerability assessment process.
As a final troubleshooting checklist, always verify:
- Vulnerability detection is enabled
- Vulnerability feeds are current
- Syscollector is collecting inventory
- Agents are connected
- Logs contain no critical errors
- Indexer services are healthy
- Vulnerabilities appear in dashboard searches
By implementing proactive monitoring, regular agent audits, feed synchronization checks, and routine inventory validation, you can minimize future detection gaps and ensure Wazuh continues providing accurate visibility into vulnerabilities across your environment.
For additional Wazuh hardening and optimization strategies, you may also find these guides useful:
- How to Reduce False Positives in Wazuh
- Wazuh Agent Not Connecting to Manager? 12 Proven Fixes
- How to Configure File Integrity Monitoring (FIM) in Wazuh
- How to Integrate Wazuh with Suricata for Better Threat Detection
A properly configured vulnerability detection system is one of the most valuable security capabilities in Wazuh, helping organizations identify and remediate risks before they become incidents.
