What do you need help with?

We are here and ready to help.
Email: servicedesk@socfortress.co

    How to Enable the Wazuh Vulnerability Module on Docker-Based Wazuh Workers

    Taylor Walton

    13-Jan-2026

    How to Enable the Wazuh Vulnerability Module on Docker-Based Wazuh Workers

    This article walks through how to resolve an IndexerConnector initialization failure that prevents the Wazuh Vulnerability module (and related state indexes) from starting correctly on a Wazuh Worker running inside a Docker container.

    What You’ll See When It’s Broken

    If the worker cannot authenticate to (or validate TLS with) the Wazuh Indexer, you’ll typically see repeated warnings like this in ossec.log:

    2026/01/13 13:29:30 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-*', retrying until the connection is successful.

    This usually means one (or more) of the following:

    • Required TLS certificates are missing inside the worker container
    • ossec.conf points to the wrong Indexer hosts (or wrong protocol/port)
    • Indexer credentials are not stored in the Wazuh keystore

    Step 1: Get a Shell Into the Wazuh Worker Container

    First, list containers and identify the correct Wazuh Worker container:

    docker ps

    Once you have the container ID, open a shell in the container:

    docker exec -it container_id /bin/bash

    Step 2: Ensure Required TLS Certificates Exist Inside the Container

    To establish a trusted TLS connection to the Wazuh Indexer, the worker container must have the correct certificate files present under:

    /var/ossec/etc/

    The Wazuh Worker provisioning app should normally copy these certificates automatically. If you need to fix it manually, you must create (or copy in) the following files inside the worker container:

    • /var/ossec/etc/manager-key.pem
    • /var/ossec/etc/manager.pem
    • /var/ossec/etc/root-ca.pem

    Important: You specifically need to copy the customer-specific manager certificates into the worker container (for example, manager.pem and manager-key.pem) and ensure the correct root CA (for example, from root-CA.PIM) is placed as root-ca.pem.

    From inside the container, confirm the files exist:

    ls -l /var/ossec/etc/*.pem

    Step 3: Validate the Indexer Configuration in ossec.conf

    Next, confirm that the Wazuh Vulnerability / Indexer integration is enabled and pointing to the correct Wazuh Indexer nodes.

    If the container doesn’t have a text editor installed, you can install nano (example using dnf):

    dnf install nano -y

    Open the Wazuh configuration file:

    nano /var/ossec/etc/ossec.conf

    Locate (or add/update) the following section and ensure the list matches your Indexer nodes, and the certificate paths match the files you created/copied into /var/ossec/etc/:

    <indexer>
 <enabled>yes</enabled>
 <hosts>
 <host>https://10.100.102.5:9200</host>
 <host>https://10.100.102.6:9200</host>
 <host>https://10.100.102.7:9200</host>
 </hosts>
 <ssl>
 <certificate_authorities>
 <ca>/var/ossec/etc/root-ca.pem</ca>
 </certificate_authorities>
 <certificate>/var/ossec/etc/manager.pem</certificate>
 <key>/var/ossec/etc/manager-key.pem</key>
 </ssl>
</indexer>

    Save the file and exit (CTRL+O, Enter, then CTRL+X in nano).

    Step 4: Add Wazuh UI / Indexer Credentials to the Keystore

    Even with correct TLS certificates and host settings, the worker still needs valid credentials stored in the Wazuh keystore so it can authenticate to the Indexer.

    From inside the worker container, add the username (commonly admin) and password to the keystore:

    /var/ossec/bin/wazuh-keystore -f indexer -k username -v admin
    /var/ossec/bin/wazuh-keystore -f indexer -k password -v YOUR_PASSWORD

    Step 5: Restart Wazuh and Verify Success

    Restart Wazuh services inside the worker container:

    /var/ossec/bin/wazuh-control restart

    Then tail the log to verify the Indexer connector initializes successfully:

    tail -f /var/ossec/logs/ossec.log

    If the fix is successful, you should now see messages like:

    2026/01/13 13:35:38 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-inventory-hardware-*.
2026/01/13 13:35:38 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-inventory-protocols-*.
2026/01/13 13:35:38 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-inventory-interfaces-*.
2026/01/13 13:35:38 logger-helper: INFO: InventoryHarvesterFacade module started.
2026/01/13 13:35:38 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-inventory-networks-*.

    At this point, the worker should be able to initialize state indexes and support the Vulnerability module properly.

    Troubleshooting Tips

    • Still seeing retries? Re-check the Indexer host IPs/ports and confirm the Indexer is reachable from the worker network path.
    • TLS errors in logs? Confirm the correct CA is in root-ca.pem and the manager certificate/key pair matches the customer environment.
    • Auth failures? Re-run the keystore commands and confirm the password is correct for the Indexer/Wazuh UI admin user.

    Result: Once certificates, Indexer hosts, and keystore credentials are correct, the IndexerConnector will initialize successfully and the worker will stop retrying the vulnerabilities/state indexes.

    Facebook Share Tweet

    Was this article helpfu?

    Yes No

    Thank you for voting

    Comments

    ×
    Select company

    You are related to multiple companies. Please select the company you wish to login as.