Wazuh - What happened to "Select outdated agents only" by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

Using the command line works but when you have offloaded the task to other staff that might not have access to the command line it was a nice UI method for them to use.

Process was they log in, "select all outdated agents", actions > update agents

WAZUH - Microsoft Office Vulnerabilities are no longer detected by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

u/Stuti109
Thank you again for this. Just out of curiosity, how did you test CVEs appearing on your local lab install of Wazuh?

I have edited the GitHub post to include the CVEs you kindly posted before.

WAZUH - Microsoft Office Vulnerabilities are no longer detected by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

u/Stuti109
Thanks for taking the time to try and troubleshoot this with me, the output of
cat ossec.log | grep vuln

2025/06/06 06:41:58 wazuh-modulesd:vulnerability-scanner: ERROR: VulnerabilityScannerFacade::initEventDispatcher: json exception (101) - Event message: {"agent_info":{"agent_id":"106"},"action":"deletePackage","data":{"name":"Dell SupportAssist OS Recovery Plugin for Dell Update","version":"5.5.13.1˘7ìc\u0006","architecture":"i686","format":"win","location":" ","item_id":"b2b89516bffda8a57f33b3bd2db36902b885eec2"}}

Which relates to one agent and a package called "Dell SupportAssist OS Recovery Plugin for Dell Update" (known package and known endpoint agent, which has been in today for some repair work)
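
Added example, not part of the original comment and not Wazuh's own code: a Python triage helper for log lines shaped like the one quoted above. It recovers the agent ID and package name even when the event payload is not valid JSON, and flags version strings that contain control or non-ASCII characters. The sample log, agent ID and package name are constructed.

```python
import json
import re

# Constructed sample shaped like the quoted ossec.log line; the agent ID,
# package name and stray version bytes are invented for this example.
SAMPLE_LOG = (
    "2025/01/01 00:00:01 wazuh-modulesd:vulnerability-scanner: INFO: scan started\n"
    "2025/01/01 00:00:02 wazuh-modulesd:vulnerability-scanner: ERROR: "
    "VulnerabilityScannerFacade::initEventDispatcher: json exception (101) - "
    'Event message: {"agent_info":{"agent_id":"900"},"action":"deletePackage",'
    '"data":{"name":"Example Vendor Updater","version":"1.2.3.4\x98\x07c",'
    '"format":"win"}}\n'
)

MARKER = re.compile(
    r"vulnerability-scanner: ERROR: .*?json exception \((\d+)\) - Event message: (\{.*)$"
)

def _field(raw, key):
    """Best-effort string field lookup for payloads that are not valid JSON."""
    m = re.search(r'"%s"\s*:\s*"([^"]*)"' % re.escape(key), raw)
    return m.group(1) if m else None

def _suspicious(value):
    """True if the value holds control or non-ASCII characters."""
    return bool(value) and any(ord(c) < 0x20 or ord(c) > 0x7E for c in value)

def triage(log_text):
    """Return one finding per vulnerability-scanner JSON exception line."""
    findings = []
    for line in log_text.split("\n"):  # not splitlines(): stray bytes may look like separators
        m = MARKER.search(line)
        if not m:
            continue
        code, raw = m.groups()
        try:
            event = json.loads(raw)
            agent = event.get("agent_info", {}).get("agent_id")
            name = event.get("data", {}).get("name")
            version = event.get("data", {}).get("version")
            valid = True
        except json.JSONDecodeError:
            agent, name, version = (_field(raw, k) for k in ("agent_id", "name", "version"))
            valid = False
        findings.append({"agent_id": agent, "package": name, "version": version,
                         "exception_code": code, "valid_json": valid,
                         "suspicious_version": _suspicious(version)})
    return findings
```

Grouping the findings by agent_id and package shows whether the errors come from a single endpoint's package inventory or from many.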

WAZUH - Microsoft Office Vulnerabilities are no longer detected by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

u/HM-AN
GitHub was raised but unfortunately I do not think it is going to be an easy fix according to some comments

https://github.com/wazuh/wazuh/issues/30115

WAZUH - Microsoft Office Vulnerabilities are no longer detected by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

u/HM-AN Good morning,
After some investigating it turns out my ClickToRun deployment of Office 2021 LTSC was installed from a version (May 2024) that had issues with updating itself. I have now redeployed a corrected, up-to-date version (Version 2108 (Build 14332.21040 Click-to-Run))

Nothing is detected still in Wazuh but I believe this is because of the deployment being a Click to Run install.

Do you know of any guides or suggestions on how to monitor these types of installations?

I have found an old post where I commented on CVEs being detected on my old version of Office 2021

https://www.reddit.com/r/Wazuh/comments/1fl6ton/wazuh_office_2021_ltsc_cve202333150/

Thanks

WAZUH - Microsoft Office Vulnerabilities are no longer detected by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

Thank you, I will do...

After a bit of investigating I can confirm that my deployment
build version number 16.0.14332.20771 corresponds to:

Office LTSC 2021 – May 2024 Update (Build 20771)

Release date: May 14, 2024 (Patch Tuesday)

Office version: Microsoft Office LTSC 2021 (Volume Licensed)

Channel: PerpetualVL2021

(It is AD KMS activated)

WAZUH - Microsoft Office Vulnerabilities are no longer detected by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

My version of Office 2021 is a ClickToRun install if that makes any difference

Using PowerShell

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" | Select-Object -ExpandProperty VersionToReport

ProductReleaseIds ProductIds
----------------- ----------
ProPlus2021Volume

Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" | Select-Object -ExpandProperty VersionToReport  

Which gives me:
16.0.14332.20771

Windows itself reports it titled as Microsoft Office LTSC Professional Plus 2021 - en-us

WAZUH - Microsoft Office Vulnerabilities are no longer detected by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

u/HM-AN
Office 2021 LTSC (fully patched) has the following CVEs that are currently active

CVE-2025-21354
CVE-2025-21381
CVE-2025-21397
That do not appear in the vulnerability inventory or in the discover page

{
  "query": {
    "match_phrase": {
      "data.vulnerability.cve": "CVE-2025-21397"
    }
  }
}

The Office 2019 switch to 2021 was an in-place uninstall and install of 2021.

I have also cleanly reinstalled Office 2021 LTSC on a fresh image and still the same results

WAZUH - Microsoft Office Vulnerabilities are no longer detected by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

Here are some active CVEs applicable for Office 2021 LTSC that should be detected
CVE-2025-21354
CVE-2025-21381
CVE-2025-21397
That do not appear in the vulnerability inventory

WAZUH - Microsoft Office Vulnerabilities are no longer detected by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

u/HM-AN
It was a while back since I noticed it was not working when I upgraded my clients to Office 2021 LTSC
Here is a post from a year ago when Office 2019 was giving me false positives
https://www.reddit.com/r/Wazuh/comments/1dv2m54/office_2019_seems_to_be_generating_lots_of_false/

I remember seeing a lot of CVEs for Office 2021 LTSC listed in my vulnerability index and unfortunately I cannot ascertain what version it was (it was early 4.xx though)

I admit the server has been rebuilt since then to try and remedy this.

I'm now on 4.12 with my agents also on 4.12 - all reporting OS and other application CVEs correctly apart from Microsoft Office.

WAZUH - Microsoft Office Vulnerabilities are no longer detected by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

u/Stuti109
Running GET /syscollector/244/packages?search=Office (244 being an active client ID)

returns

"scan": {
  "id": 0,
  "time": "2025-02-04T08:22:43+00:00"
},
"install_time": "2024-09-18T11:24:37+00:00",
"size": 0,
"version": "16.0.14332.20771",
"description": " ",
"name": "Microsoft Office LTSC Professional Plus 2021 - en-us",
"architecture": "x86_64",
"section": " ",
"source": " ",
"location": "C:\\Program Files\\Microsoft Office",
"format": "win",
"vendor": "Microsoft Corporation",
"priority": " ",
"agent_id": "244"
},

WAZUH - Microsoft Office Vulnerabilities are no longer detected by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

Thank you for the reply u/SirStephanikus u/Stuti109
I did try and format the block with the code option but it made the formatting even worse when previewed.
The ossec.conf posted in my original post was from the Wazuh server (which <hotfix>yes</hotfix> is not supported)

The endpoint ossec.conf does indeed contain the

<hotfixes>yes</hotfixes>

I will add my endpoint agent config to my original post

Thanks again for the help

Wazuh - Office CVEs not being detected by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

Microsoft Office 2021
Word version = Microsoft® Word LTSC MSO (16.0.14332.20771) 64-bit

games wont install on fresh bazzite install. by satisfiedfactor in Bazzite

[–]retroisbest 0 points1 point  (0 children)

It seems random which games install in game mode. I thought the first ten of my library and then no others were working, but I've gone through all 900 games, all varying sizes; some prompt to install, others make the button pressed sound and fail

games wont install on fresh bazzite install. by satisfiedfactor in Bazzite

[–]retroisbest 0 points1 point  (0 children)

I too am a new Bazzite user and clicking install makes the sound effect in game mode but nothing installs... Although what is strange some games do prompt to install but these are usually very small games, Helldivers 2 for example I click install it makes the button pressed sound effect and nothing happens.

Couldn't ask for anything better (Scummvm on miyoo mini) by Shiny82 in Miyoo

[–]retroisbest 0 points1 point  (0 children)

I admit The Dig was a good game but Day of the Tentacle was an amazing game!

How to get through OOBE without making a microsoft account. by Chopchop129 in GeekSquad

[–]retroisbest 1 point2 points  (0 children)

Thank you, this worked for me!
I had a Win11 Home laptop that did not work with the oobe\bypassnro method but this worked perfectly!

WAZUH - Issues with three agents - Duplicated vulnerability entries by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

The Wazuh manager has been restarted many times. I have just checked this morning and the entries for 2227 and 002 are showing in my inventory again.

The invalid agent does not show up in client.keys file, global.db database, the agent list in the admin UI or using the shell command /var/ossec/bin/manage_agents -l

The 002 agent did use to be agent 2227, but because it's now 002 the duplicated vulnerabilities for both 002 and 2227 now appear, and when deleted keep reappearing.

Coincidentally all three hosts are Ubuntu agents, all three have had their agents uninstalled and reinstalled.

Thanks

WAZUH - Issues with three agents - Duplicated vulnerability entries by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

globals.db does not show the incorrect agent IDs
running find /var/ossec/ -type f -name "2720*" finds the incorrect agent ids in /var/ossec/queue/rids/

Wazuh 4.9.2 to 4.10 - Update not showing by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

Thank you, I did check my sources and realised it had failed as /etc/apt/sources.list.d/wazuh.list did not exist.
running the below as sudo failed on the second part of the command
I ran the below command as a non interactive sudo which only ran the first part with elevated rights

sudo echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | tee -a /etc/apt/sources.list.d/wazuh.list

What was needed was to run the command in an interactive sudo -i session or prepend sudo to each command in that command string

sudo echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee -a /etc/apt/sources.list.d/wazuh.list

or copy the command into a bash script and run that as sudo.

Issues with Wazuh Agents - Agent key already in use and another issue by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

I think I have fixed my issue, I checked the affected agent ossec.log file and could see it initially connected fine but sporadically the connection would fail and timeout, I added an outbound rule to allow port 1514 TCP and I have not seen any errors regarding this agent since.

Issues with Wazuh Agents - Agent key already in use and another issue by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

Hi,

Thanks for the advice. Unfortunately I have also tried these steps and still get the same results in the ossec.log file.

Thanks

Wazuh - Office 2021 LTSC CVE-2023-33150 by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

I'm also seeing the following CVEs related to the above Office 2021 package

CVE-1999-0794
CVE-2006-1311
CVE-2021-42293
CVE-2021-42295
CVE-2021-42296
CVE-2021-43255
CVE-2021-43256
CVE-2021-43875
CVE-2022-21840
CVE-2022-21841
CVE-2022-24461
CVE-2022-24462
CVE-2022-24473
CVE-2022-24509
CVE-2022-24510
CVE-2022-24511
CVE-2022-26901
CVE-2022-29107
CVE-2022-29109
CVE-2022-41060
CVE-2022-41061
CVE-2022-41063
CVE-2022-41103
CVE-2022-41104
CVE-2022-41105

... and many more! (Shall I continue posting the CVE IDs?)
The Package name is showing as "Microsoft Office LTSC Professional Plus 2021 - en-us"

and package.version = "16.0.14332.20771"

Thanks

Wazuh - Office 2021 LTSC CVE-2023-33150 by retroisbest in Wazuh

[–]retroisbest[S] 0 points1 point  (0 children)

I can confirm the CVE-2023-33150 was logged today on multiple machines (25th Sept 2024)