Agent never connected event though port 1515 and 1514 open and reachable
37 views
Skip to first unread message
Bayu Sangkaya (bayusky.labs)
Mar 14, 2026, 1:31:59 AM (2 days ago) Mar 14
to Wazuh | Mailing List
Hi team.
I have two agents that disconnected and now never connected.
The thing is no error authd module in ossec.log in agent and in manager.
Steps I already did.
1. Delete the agent from wazuh manager to force r-enroll
1. Delete the agent from wazuh manager to force r-enroll
2. Reinstall wazuh agent on VMs affected.
When reinstall, I've noticed there are no logs for authd/enrollment event though wazuh agent started successfully. So Ineed to do this agent-auth manually, and succeed.
But still never connected
Please Help me with this case.
Regards,
Bayu Sangkaya
hasitha.u...@wazuh.com
Mar 14, 2026, 2:48:20 AM (2 days ago) Mar 14
to Wazuh | Mailing List
Hi Bayu
Please allow me some time; I’m currently looking into this and will get back to you with an update as soon as possible.
Please allow me some time; I’m currently looking into this and will get back to you with an update as soon as possible.
hasitha.u...@wazuh.com
Mar 14, 2026, 3:32:41 AM (2 days ago) Mar 14
to Wazuh | Mailing List
Hi Bayu,
Never connected: The Wazuh agent has been enrolled but has not yet connected to the Wazuh manager.
Ref: https://documentation.wazuh.com/current/user-manual/agent/agent-enrollment/agent-life-cycle.html
Wazuh manager and agent ossec.log files located at:/var/ossec/logs/ossec.log• Wazuh manager and agent configuration files:/var/ossec/etc/ossec.conf• The list of agents using the command below:/var/ossec/bin/agent_control -lThese details will help us investigate the issue further.
Also, check if the agent is running properly: systemctl status wazuh-agent
Verifying communication with the Wazuh manager: On Linux and macOS systems (with netcat installed), open a terminal and run the following command. Replace <WAZUH_MANAGER_IP_ADDRESS> with your Wazuh manager IP address or FQDN (Fully Qualified Domain Name).
nc -zv <WAZUH_MANAGER_IP_ADDRESS> 1514 1515 55000
If there is connectivity, the output should be a connection success message:
If this failed, please check any network firewall blocking the connection.
If you have a Wazuh cluster, make sure that all Wazuh worker nodes and the manager node's disk space are enough because agent syncing issues arise whenever the worker nodes' disk space is full.
If connectivity between the manager and agents is unstable, agents may attempt to re-enroll with the Wazuh manager after some time, which can lead to duplicate agent name issues.Could you please validate that the connection is stable? If there is a load balancer in front of the Wazuh manager, verify that its configuration is correct and review the load balancer logs for any connection issues.
For more details regarding further troubleshooting, you can refer to this guide.
Let me know the update on this. So we can check further.
Never connected: The Wazuh agent has been enrolled but has not yet connected to the Wazuh manager.
Ref: https://documentation.wazuh.com/current/user-manual/agent/agent-enrollment/agent-life-cycle.html
Wazuh manager and agent ossec.log files located at:/var/ossec/logs/ossec.log• Wazuh manager and agent configuration files:/var/ossec/etc/ossec.conf• The list of agents using the command below:/var/ossec/bin/agent_control -lThese details will help us investigate the issue further.
Also, check if the agent is running properly: systemctl status wazuh-agent
Verifying communication with the Wazuh manager: On Linux and macOS systems (with netcat installed), open a terminal and run the following command. Replace <WAZUH_MANAGER_IP_ADDRESS> with your Wazuh manager IP address or FQDN (Fully Qualified Domain Name).
nc -zv <WAZUH_MANAGER_IP_ADDRESS> 1514 1515 55000
If there is connectivity, the output should be a connection success message:
- Connection to <WAZUH_MANAGER_IP_ADDRESS> port 1514 [tcp] succeeded!
- Connection to <WAZUH_MANAGER_IP_ADDRESS> port 1515 [tcp] succeeded!
- Connection to <WAZUH_MANAGER_IP_ADDRESS> port 55000 [tcp] succeeded!
If this failed, please check any network firewall blocking the connection.
If you have a Wazuh cluster, make sure that all Wazuh worker nodes and the manager node's disk space are enough because agent syncing issues arise whenever the worker nodes' disk space is full.
If connectivity between the manager and agents is unstable, agents may attempt to re-enroll with the Wazuh manager after some time, which can lead to duplicate agent name issues.Could you please validate that the connection is stable? If there is a load balancer in front of the Wazuh manager, verify that its configuration is correct and review the load balancer logs for any connection issues.
For more details regarding further troubleshooting, you can refer to this guide.
Let me know the update on this. So we can check further.
Bayu Sangkaya
Mar 14, 2026, 4:08:57 AM (2 days ago) Mar 14
to hasitha.u...@wazuh.com, Wazuh | Mailing List
Hi Hasitha,
Here's the screenshots
Wazuh manager
Wazuh manager
Screenshot of Wazuh agent status and connection to port 1515 and 1514
Log is nothing special only rotated and queue full because not connected despite port is open.
Regards,
Bayu Sangkaya
--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/6OnoHe_sxE4/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/wazuh/48dca12b-0e35-4628-8363-34edca90c6ecn%40googlegroups.com.
Bayu Sangkaya
Mar 14, 2026, 5:37:34 AM (2 days ago) Mar 14
to hasitha.u...@wazuh.com, Wazuh | Mailing List
Add the latest log after wazuh agent restarted
No error recorded. But agent still disconnected.
hasitha.u...@wazuh.com
12:25 AM (9 hours ago) 12:25 AM
to Wazuh | Mailing List
Hi Bayu,
The current status is not visible in this screenshot.
It should show connected or disconnected status from the manager side.
For example:
root@node:/home/vagrant# /var/ossec/bin/agent_control -l
Wazuh agent_control. List of available agents:
ID: 000, Name: node (server), IP: 127.0.0.1, Active/Local
ID: 001, Name: Hasithas-MacBook-Air.local, IP: any, Active
ID: 005, Name: bento, IP: any, Disconnected
Verify it's connected to the manager from this command.
Please share the complete ossec.log from both the manager and agent sides so I can investigate any network or other issues. You can use the scp tool to transfer files between hosts and VMs. Also, you can use WinSCP, which is a GUI-based tool.
Please share the ossec.log from the manager and agent, so that we can check further.
The current status is not visible in this screenshot.
For example:
root@node:/home/vagrant# /var/ossec/bin/agent_control -l
Wazuh agent_control. List of available agents:
ID: 000, Name: node (server), IP: 127.0.0.1, Active/Local
ID: 001, Name: Hasithas-MacBook-Air.local, IP: any, Active
ID: 005, Name: bento, IP: any, Disconnected
Verify it's connected to the manager from this command.
Please share the complete ossec.log from both the manager and agent sides so I can investigate any network or other issues. You can use the scp tool to transfer files between hosts and VMs. Also, you can use WinSCP, which is a GUI-based tool.
Please share the ossec.log from the manager and agent, so that we can check further.
Reply all
Reply to author
Forward
0 new messages