Hello Splunk Community,
I'm seeking help regarding an issue I’m facing.
The main problem is that vulnerability detection data is not showing up in my Splunk dashboard.
Wazuh is installed and running correctly, and other data appears to be coming through, but the vulnerability detection events are missing.
I've verified that:
Wazuh services are running properly without critical errors.
Vulnerability Detector is enabled in the Wazuh configuration (ossec.conf).
Wazuh agents are reporting other types of events successfully.
Despite this, no vulnerability data appears in the dashboard.
Could someone guide me on how to troubleshoot this?
Any advice on checking Wazuh modules, Splunk sourcetypes, indexes, or forwarder configurations would be highly appreciated.
Thank you in advance for your support!
Hi @livehybrid
First of all, thanks for your response.
When I search using index="wazuh-alerts", I get lots of events.
For the search index="wazuh-alerts" "Medium", I get 7 events.
Hi @ranafge
Do those 7 medium events look like the ones you would expect to see in the dashboards? Without seeing the data it's hard for us to work out, so please provide redacted samples if you can.
Is the data JSON structured? Does it have a field data -> vulnerability -> severity when looking at the event(s)?
Hi @livehybrid,
Thanks for your response.
Yes, it is JSON structured data, but there is no data like data -> vulnerability -> severity.
How can I send you root cause analysis data?
Sample data:
{"timestamp":"2025-04-29T12:44:53.812+0600","rule":{"level":5,"description":"Systemd: Service exited due to a failure.","id":"40704","firedtimes":4,"mail":false,"groups":["local","systemd"],"gpg13":["4.3"],"gdpr":["IV_35.7.d"]},"agent":{"id":"001","name":"debian-pc","ip":"192.168.11.XX"},"manager":{"name":"ubuntu"},"id":"1745909093.11585380","full_log":"Apr 29 06:44:53 proxmox systemd[1]: logstash.service: Main process exited, code=exited, status=1/FAILURE","predecoder":{"program_name":"systemd","timestamp":"Apr 29 06:44:53","hostname":"proxmox"},"decoder":{"name":"systemd"},"location":"journald"}
Hi @ranafge
The first thing I would try here is opening some of the searches in the dashboards in Search (Click the little magnifying glass) and check for any errors.
If still no results then you can try removing various parts of the search to see if there is a particular line which is causing the issue, if this happens let us know the specifics and we can work out what the issue is.
First of all thanks for your reply.
I ran the following search in Splunk:
I also tested for other severity levels like "High" and "Low," but the result was always 0.
This indicates that no vulnerability detection events are being indexed in Splunk.
Even though other types of data are coming through, there are currently no events where data.vulnerability.severity is populated with "High," "Medium," or "Low."
It suggests that either:
Vulnerability Detector is not generating results,
The events are not being forwarded to Splunk properly,
Or the events are being indexed but under a different sourcetype, index, or field structure.
Would appreciate any guidance on how to dig deeper into this!
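Added example, not part of the thread: a small Python check that separates the first of the three hypotheses above (Vulnerability Detector producing nothing) from the other two (forwarding, or a different index/sourcetype/field layout). Run it against the manager's alerts file before looking at Splunk: if vulnerability alerts are present there but absent from index="wazuh-alerts", the problem is on the forwarding side. The default alerts path /var/ossec/logs/alerts/alerts.json, the rule.groups value "vulnerability-detector" and the data.vulnerability.severity / data.vulnerability.cve layout are assumptions about Wazuh's alert format; the sample lines are constructed for the demonstration and the CVE id is a placeholder.

```python
"""Classify Wazuh alert lines (one JSON object per line) to locate where
vulnerability-detection events go missing. Added example, not thread code."""
import json
import sys
from collections import Counter

# Assumed default alert file on the Wazuh manager (not stated in the thread).
DEFAULT_ALERTS_PATH = "/var/ossec/logs/alerts/alerts.json"

# Constructed sample: a systemd alert shaped like the thread's sample, a
# vulnerability-detector alert with a severity, one without, and a broken line.
# Field layout is an assumption about Wazuh's vulnerability-detector format.
SAMPLE_ALERTS = [
    '{"timestamp":"2025-04-29T12:44:53.812+0600","rule":{"level":5,'
    '"description":"Systemd: Service exited due to a failure.","id":"40704",'
    '"groups":["local","systemd"]},"agent":{"id":"001","name":"debian-pc"},'
    '"id":"1745909093.11585380","location":"journald"}',
    '{"timestamp":"2025-04-29T12:50:01.000+0600","rule":{"level":10,'
    '"description":"CVE-0000-00001 affects examplepkg","id":"23505",'
    '"groups":["vulnerability-detector"]},"agent":{"id":"001","name":"debian-pc"},'
    '"id":"1745909401.1","data":{"vulnerability":{"cve":"CVE-0000-00001",'
    '"severity":"High","package":{"name":"examplepkg","version":"1.0"}}}}',
    '{"timestamp":"2025-04-29T12:50:02.000+0600","rule":{"level":7,'
    '"description":"CVE-0000-00002 affects otherpkg","id":"23504",'
    '"groups":["vulnerability-detector"]},"agent":{"id":"001","name":"debian-pc"},'
    '"id":"1745909400.1","data":{"vulnerability":{"cve":"CVE-0000-00002",'
    '"package":{"name":"otherpkg","version":"2.0"}}}}',
    '{"timestamp":"2025-04-29T12:50:03.000+0600","rule":{"level":3',  # truncated line
]


def classify_alerts(lines):
    """Count alerts by vulnerability-detector group membership and by
    data.vulnerability.severity, and list VD alerts that lack the severity field."""
    summary = {
        "total": 0,
        "malformed": 0,
        "vd_group": 0,
        "severity": Counter(),
        "vd_without_severity": [],
    }
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        summary["total"] += 1
        try:
            alert = json.loads(raw)
        except json.JSONDecodeError:
            summary["malformed"] += 1  # a forwarder would also choke on these
            continue
        rule = alert.get("rule") or {}
        is_vd = "vulnerability-detector" in (rule.get("groups") or [])
        if is_vd:
            summary["vd_group"] += 1
        vuln = (alert.get("data") or {}).get("vulnerability") or {}
        severity = vuln.get("severity")
        if severity:
            summary["severity"][severity] += 1
        elif is_vd:
            summary["vd_without_severity"].append(alert.get("id") or rule.get("id"))
    return summary


def diagnose(summary):
    """Map the counts onto the three hypotheses from the thread (added heuristic)."""
    if summary["severity"]:
        return ("Vulnerability events with data.vulnerability.severity exist in this source; "
                "if Splunk shows none, check the forwarder's monitored path, index and sourcetype.")
    if summary["vd_group"]:
        return ("Vulnerability-detector alerts exist but carry no data.vulnerability.severity; "
                "the dashboard search must match the field structure these events actually use.")
    return ("No vulnerability-detector alerts in this source; the module is not producing "
            "results, so check the vulnerability-detection settings in ossec.conf and the manager log.")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            result = classify_alerts(fh)
    else:
        result = classify_alerts(SAMPLE_ALERTS)
    print(f"total={result['total']} malformed={result['malformed']} "
          f"vd_group={result['vd_group']} severity={dict(result['severity'])}")
    print(f"vd alerts without severity: {result['vd_without_severity']}")
    print(diagnose(result))
```

Run as `python3 vd_check.py /var/ossec/logs/alerts/alerts.json` on the manager (path assumed), then compare the severity counts with `index="wazuh-alerts" data.vulnerability.severity=*` in Splunk; a mismatch between the two counts points at the forwarder or index rather than at the module.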
Hi @ranafge
Okay, this is progress in terms of diagnosing.
So - you see events if you search index="wazuh-alerts" ?
If you search index="wazuh-alerts" "Medium" - do you get any result then? I'm trying to determine if it's a field extraction issue or if the data is actually missing.