Get Ubuntu vulnerability scans to work on Wazuh 4.7.0

Currently, if you install Wazuh using the quickstart script, vulnerability detection will not work for Ubuntu. The reason is a change in the format of vulnerability feeds from Canonical. This is being fixed for the 4.7.8 release of Wazuh, as detailed here: https://github.com/wazuh/wazuh/issues/20573.

To make it work for 4.7.0, you can use the recipe in the same GitHub issue:

  • Download definition files locally.
  • Unarchive the downloaded bz2 files.
  • Remove the first line in the XML file.
  • Change ownership of the files to wazuh if they were not downloaded with this account.
  • You can set up a cron job for this to make sure you have fresh vulnerability data.
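The steps above can be wrapped in one script that a cron job calls. This is an added example, not code from the GitHub issue or from Wazuh: the feed URL and destination path are arguments you supply (the post does not give them), and the file mode and the `wazuh` group name are assumptions.

```python
"""Added example: prepare a Canonical OVAL feed for Wazuh 4.7.0 offline use."""
import bz2
import os
import shutil
import sys
import tempfile
import urllib.request


def strip_first_line(xml_bytes):
    """Return the feed without its first line; refuse an empty result."""
    _, sep, rest = xml_bytes.partition(b"\n")
    if not sep or not rest.strip():
        raise ValueError("feed has no content after its first line")
    return rest


def prepare_feed(bz2_bytes, dest_path, owner="wazuh"):
    """Decompress, strip line 1, then replace dest_path atomically."""
    xml = strip_first_line(bz2.decompress(bz2_bytes))
    dest_dir = os.path.dirname(os.path.abspath(dest_path))
    fd, tmp = tempfile.mkstemp(dir=dest_dir, suffix=".tmp")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(xml)
        os.chmod(tmp, 0o640)  # assumption: owner read/write, group read
        if owner:  # assumption: user and group are both named "wazuh"
            shutil.chown(tmp, user=owner, group=owner)
        os.replace(tmp, dest_path)  # a reader never sees a partial file
    except BaseException:
        os.unlink(tmp)
        raise
    return dest_path


def fetch(url):
    """Download the .bz2 feed; only HTTPS is accepted."""
    if not url.startswith("https://"):
        raise ValueError("feed URL must use https")
    with urllib.request.urlopen(url, timeout=60) as resp:
        return resp.read()


if __name__ == "__main__":
    # Usage (cron-friendly): prepare_feed.py FEED_URL DEST_XML
    prepare_feed(fetch(sys.argv[1]), sys.argv[2])
```

Because a corrupt or truncated download raises before `os.replace`, a failed cron run leaves the previous definition file in place.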

In addition, you need to configure the ossec.conf file to use the local definition files for Canonical feeds.

Also, if the agent is installed in the newest version of Ubuntu (Mantic), you need to add the correct feed for this version, and then update the ossec.conf file to use it.
