wazuh agent is showing disconnected in portal


Rajjab Shaikh

May 9, 2018, 3:56:52 PM
to Wazuh mailing list
Hello Everyone,

I am new to Wazuh technology.

We have installed the agent on one of our servers, and the agent appears to be running on the server, but it is still showing as disconnected.


Regards,
Rajjab

Miguelangel Freitas

May 9, 2018, 9:25:58 PM
to Rajjab Shaikh, Wazuh mailing list
Hi Rajjab,

Let me try to help you with your issue. Can you please check the following:
  • Review the ossec.log on the agent to see whether it can connect to the manager. You should see a message similar to:
ossec-agentd: INFO: (4102): Connected to the server (<address>:<port>).
  • Verify that the client.keys line on the agent is the same as its pair in the client.keys file on the manager side. More info about the client.keys:
  • Check whether there is any firewall or similar that could be blocking the connection attempt between the agent and the manager. By default, the manager and agent use port 1514/UDP to maintain communications; this can be customized as well:

You can also use tools like netcat or similar in order to verify whether a bidirectional connection can be established between the agent and the manager.
  • Please check that all services are up and running on both the agent and the manager. You can use the ossec-control utility:
# /var/ossec/bin/ossec-control status


In addition, please send us a copy of the ossec.log file from the agent and the manager, without sensitive information, so we can review it in more depth. Thanks in advance!

I hope it helps.

Best Regards,


Miguelangel Freitas


--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/26f7159a-6fd3-40fa-9a9d-5688bddd9549%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Daniel Kionka

May 10, 2018, 9:28:31 PM
to Wazuh mailing list
I have a similar problem. I verified my client.keys. My agent ossec.log just repeats these lines:

2018/05/11 00:19:28 ossec-agentd: INFO: Trying to connect to server (172.27.0.64/172.27.0.64:1514).

2018/05/11 00:19:49 ossec-agentd: WARNING: (4101): Waiting for server reply (not started). Tried: '172.27.0.64/172.27.0.64'.


What should I expect when I run nc? On the manager I am running:

tail -f ossec.log

On the agent I run:

echo hello | ncat -u 172.27.0.64 1514

Then on the manager, each time I echo I get:

2018/05/11 01:07:12 ossec-remoted: WARNING: (1213): Message from '172.25.0.1' not allowed.


This at least tells me that I can connect. Is there some dummy message I can send with nc? Am I supposed to get something back? Can I find out why the message is not allowed?

Tosh Lenya

May 11, 2018, 1:59:23 AM
to Wazuh mailing list
Hey Daniel,

I experienced the same issue and I resolved it by re-importing the keys. You can remove the key and recreate it on the server and then import it into the client.

Regards,
Tosh

Tosh Lenya

May 11, 2018, 9:43:03 AM
to Wazuh mailing list

Something else: confirm that the remoted daemon is running on the Wazuh server.





Miguelangel Freitas

May 11, 2018, 1:10:33 PM
to Tosh Lenya, Wazuh mailing list
Hi,

Sorry for the misunderstanding. I was referring to using netcat to verify whether you can make a connection between the agent and the manager with the required port/protocol: running an nc in listening mode on the manager and then another nc in client mode on the agent to verify connectivity. Also, the Wazuh Manager uses its own communication protocol in order to connect with the agents:


In addition to what Tosh said, if the agent was registered with its host IP address, the manager will verify that the original connection comes from the registered IP; otherwise it will deny the connection. Please ensure that the IP address used for the registration is the same one that originates the connection to the manager:


Best regards,


Miguelangel Freitas


Daniel Kionka

May 11, 2018, 2:57:13 PM
to Wazuh mailing list
I got it working again by restarting the docker environment. I am using docker-compose.yml from wazuh-docker. It was not enough to ossec-control restart or redo the client.keys. I needed to: docker-compose down / up -d. Recreating the environment is not a problem as long as I rarely have to do it.

Thanks for the info on the message format. It is obviously not something I can do from the command line. I should note that I am still getting the same warning in the manager log when I echo hello from the agent, so that seems to be expected behavior.

On the client.keys, I was using "any" for the IP. But with moving a laptop from the office to home, it could be some network issue.

Rajjab Shaikh

May 11, 2018, 4:52:59 PM
to Daniel Kionka, Wazuh mailing list
Hi Everyone,

Thanks for your valuable update,

Now agent status is showing "Never Connected" from manage console,

Agent OS - Windows

Regards,
Rajjab Shaikh




Miguelangel Freitas

May 12, 2018, 1:36:57 PM
to Rajjab Shaikh, Wazuh mailing list
Hi Rajjab,

Sorry to hear you still have problems. I'm wondering if you have already taken a look at the troubleshooting list I sent you earlier. Can you also describe your current installation in more detail? Is the agent behind a NAT or similar? (The manager will only grant access to an agent when it originates the connection from the registered IP address, unless you're using the "any" keyword.)

Can you please send us a copy of the ossec.log of the agent and the manager as well so we can review it? Please remove any sensitive information. Thanks!

Best Regards,


Miguelangel Freitas


Rajjab Shaikh

May 14, 2018, 6:22:32 AM
to Miguelangel Freitas, Wazuh mailing list
Hi Miguelangel

Thanks for the update.

We have not configured Wazuh in a NAT rule. There are 38 agent servers configured successfully, but we found a few servers showing "never connected". Even though I followed your steps, I am still facing the issue.


Regards,
Rajjab Shaikh


Rajjab Shaikh

May 14, 2018, 8:25:41 AM
to Miguelangel Freitas, Wazuh mailing list

Here are the ossec.log details:
2018/05/14 05:37:07 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 10.*.*.*
2018/05/14 05:47:08 ossec-agentd: INFO: Trying to connect to server (10.53.2.204:1514).
2018/05/14 05:47:29 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 10.*.*.*
2018/05/14 05:57:30 ossec-agentd: INFO: Trying to connect to server (10.53.2.204:1514).
2018/05/14 05:57:51 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 10.*.*.*
2018/05/14 06:07:52 ossec-agentd: INFO: Trying to connect to server (10.53.2.204:1514).
2018/05/14 06:08:13 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 10.*.*.*
2018/05/14 06:18:14 ossec-agentd: INFO: Trying to connect to server (10.53.2.204:1514).
2018/05/14 06:18:35 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 10.*.*.*
2018/05/14 06:28:36 ossec-agentd: INFO: Trying to connect to server (10.53.2.204:1514).
2018/05/14 06:28:57 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 10.*.*.*
2018/05/14 06:38:58 ossec-agentd: INFO: Trying to connect to server (10.53.2.204:1514).
2018/05/14 06:39:19 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 10.*.*.*
2018/05/14 06:49:20 ossec-agentd: INFO: Trying to connect to server (10.53.2.204:1514).
2018/05/14 06:49:41 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 10.*.*.*
2018/05/14 06:59:42 ossec-agentd: INFO: Trying to connect to server (10.53.2.204:1514).
2018/05/14 07:00:03 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 10.*.*.*
2018/05/14 07:10:04 ossec-agentd: INFO: Trying to connect to server (10.53.2.204:1514).
2018/05/14 07:10:25 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 10.*.*.*
2018/05/14 07:20:26 ossec-agentd: INFO: Trying to connect to server (10.53.2.204:1514).
2018/05/14 07:20:47 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 10.*.*.*
2018/05/14 07:30:48 ossec-agentd: INFO: Trying to connect to server (10.53.2.204:1514).
2018/05/14 07:31:09 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 10.*.*.*
2018/05/14 07:41:10 ossec-agentd: INFO: Trying to connect to server (10.53.2.204:1514).
2018/05/14 07:41:31 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 10.*.*.*
2018/05/14 07:51:32 ossec-agentd: INFO: Trying to connect to server (10.53.2.204:1514).
2018/05/14 07:51:53 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 10.*.*.*
2018/05/14 08:01:54 ossec-agentd: INFO: Trying to connect to server (10.53.2.204:1514).
2018/05/14 08:02:15 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: ' 10.*.*.*
2018/05/14 08:12:16 ossec-agentd: INFO: Trying to connect to server (10.53.2.204:1514).
2018/05/14 08:12:37 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: 10.*.*.*


Note: 10.*.*.* is the OSSEC server IP.


Regards,
Rajjab Shaikh

Miguelangel Freitas

May 14, 2018, 8:53:35 AM
to Rajjab Shaikh, Wazuh mailing list
Hi Rajjab,

As I see it, the agent is unable to connect to its manager. This could be due to several reasons:
  1. The client.keys is not the same on both ends.
  2. The IP address used for registration is not the same as the one that originated the connection. This could be because of a NAT between the manager and the agent, or because the IP address used for the registration is not the one that belongs to the agent. Can you please register the agent again, but in this case using the "any" keyword instead of the host IP address, just for testing purposes?
  3. Another option is a firewall or similar that could be blocking the connection between the agent and the manager.
I hope this helps. Please do not hesitate to contact us again. Thanks!

Best Regards,

Miguelangel Freitas
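An added example, not part of the thread and not Wazuh's own tooling: a small triage script for the first two reasons listed above. It compares an agent's client.keys entry with the manager's copy and maps each source address rejected with warning 1213 in the manager log to the agents registered for that address. All names, addresses and keys are constructed, and the four-field `ID NAME IP KEY` layout (with an address, a CIDR or `any` in the IP field) is an assumption.

```python
import ipaddress
import re

# Constructed samples, not from the thread. client.keys is assumed to hold
# one "ID NAME IP KEY" entry per line, IP being an address, a CIDR or "any".
MANAGER_KEYS = """\
001 web01 10.0.5.20 aaaa1111
002 laptop7 any bbbb2222
003 db01 10.0.6.0/24 cccc3333
"""
AGENT_KEY_LINE = "001 web01 10.0.5.20 aaaa9999"  # key differs from manager copy

# Constructed manager ossec.log lines, in the format quoted in the thread.
MANAGER_LOG = """\
2018/05/11 01:07:12 ossec-remoted: WARNING: (1213): Message from '10.0.9.77' not allowed.
2018/05/11 01:07:40 ossec-remoted: WARNING: (1213): Message from '10.0.6.14' not allowed.
"""
REJECTED = re.compile(r"\(1213\): Message from '([^']+)' not allowed")


def parse_keys(text):
    """Return {agent_id: (name, registered_ip, key)} for well-formed lines."""
    fields = (line.split() for line in text.splitlines())
    return {f[0]: tuple(f[1:]) for f in fields if len(f) == 4}


def key_matches(manager_keys, agent_line):
    """Reason 1: the agent's entry must equal the manager's entry for its ID."""
    f = agent_line.split()
    return len(f) == 4 and manager_keys.get(f[0]) == tuple(f[1:])


def specific_match(registered, source):
    """True if registered is an address or CIDR covering source ('any' -> False)."""
    try:
        net = ipaddress.ip_network(registered, strict=False)
        return ipaddress.ip_address(source) in net
    except ValueError:
        return False


def triage_rejections(manager_keys, log_text):
    """Reason 2: map each rejected source to agent IDs registered for it.

    An empty list means only an "any" entry could accept that source."""
    return {src: sorted(i for i, (_, reg, _) in manager_keys.items()
                        if specific_match(reg, src))
            for src in REJECTED.findall(log_text)}
```

A plain `echo hello | ncat -u` probe also produces warning 1213, as reported earlier in the thread, so exclude your own test traffic before reading the result.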


Rajjab Shaikh

May 14, 2018, 10:07:08 AM
to Miguelangel Freitas, Wazuh mailing list
Thanks for your update.

I have updated the agent to 3.2.1. Now it looks connected, but the manager is still showing "Never Connected".

2018/05/14 10:01:05 ossec-syscheckd: INFO: Monitoring directory: 'C:\Documents and Settings/All Users/Start Menu/Programs/Startup', with options perm | size | owner | group | md5sum | sha1sum | realtime.
2018/05/14 10:01:05 ossec-syscheckd: INFO: Monitoring directory: 'C:\Users/Public/All Users/Microsoft/Windows/Start Menu/Startup', with options perm | size | owner | group | md5sum | sha1sum | realtime.
2018/05/14 10:01:05 ossec-syscheckd: INFO: Started (pid: 25308).
2018/05/14 10:01:15 ossec-agent: WARN: Process locked. Waiting for permission...
2018/05/14 10:01:26 ossec-agentd(4101): WARN: Waiting for server reply (not started). Tried: ' 10.*.*.* '.
2018/05/14 10:01:28 ossec-agentd: INFO: Trying to connect to server 10.*.*.* , port 1514.
2018/05/14 10:01:28 INFO: Connected to  10.*.*.*  at address 10.*.*.*, port 1514


Regards,
Rajjab Shaikh

Miguelangel Freitas

May 16, 2018, 8:19:49 PM
to Rajjab Shaikh, Wazuh mailing list
Hi Rajjab,

Sorry for the late reply.

Can you please verify the agent status, try the following:
  1. Get the current agent ID. On Windows agents you can review the client.keys file located at C:\Program Files (x86)\ossec-agent\client.keys; the first column in that file represents the current ID of the agent.
  2. Then use the agent_control tool located on the manager to verify the agent status: https://documentation.wazuh.com/current/user-manual/reference/tools/agent_control.html
    • /var/ossec/bin/agent_control -i <agent_id>
  3. Please share with us the output and remove sensitive data.
Thanks in advance!

Best Regards,
Miguelangel Freitas.