Commands to deactivate and reactivate wazuh agent via CLI Windows

[Johny Novent]

Hi wazuh community 

Recently I tried to create a script in python that deactivate and reactivate the wazuh agent remotely

I tried the command sc start WazuhSvc and sc stop WazuhSvc

the stop command works fine and the agent is stopped

but the command stop I think kills the process and when I tried to reactivate manually in Windows i got this error 

I tried to use the same sc start command but it doesn't work

there are another different commands to use to stop and start the wazuh agent remotely via CLI in Windows ???

[Olamilekan Abdullateef Ajani]

Hello,

"Recently I tried to create a script in python that deactivate and reactivate the wazuh agent remotely" I would like more information around this and this idea behind the use case. You also mentioned a service that can be stopped and restarted. That command stops the Wazuh service and can also be used to start it so when you try to deactivate, what exactly is your script doing?

That being said, the error you encountered indicates that there is a misconfiguration in your Wazuh agent's ossec.conf file located at: "C:\Program Files (x86)\ossec-agent\ossec.conf" You may want to review that file and ensure XML format is correct (no missing </tag>)

Try to start and stop the agent normally without the script and verify the operation.

sc stop WazuhSvc
sc start WazuhSvc

OR with PowerShell:

Stop-Service -Name WazuhSvc
Start-Service -Name WazuhSvc

For further diagnosis, you may share the ossec.log file from the agent, redacting any sensitive information: C:\Program Files (x86)\ossec-agent\ossec.log

Please let me know what you find.

[Johny Novent]

Hi  Olamilekan Abdullateef Ajani

thank you so much for your answer today I tried uninstall wazuh and reinstalled again and it works when I used the command  

sc stop WazuhSvc
sc start WazuhSvc

the stop and start command works inside the machine from the terminal but if I want to restart remotely from another machine how I can get that?

I need to restart manually the agent because when I  tried to restart remotely this is not possible because the agent is offline so I need another way to restart from another machine

[Olamilekan Abdullateef Ajani]

Hello again,

What you are trying to do is entirely machine dependent, because the Wazuh manager is able to handle the Wazuh agent when online. What you are trying to achieve is more about server management, which a third-party tool like PDQ should help resolve. If your systems are joined to the domain, services like SCCM, or even GPO via PowerShell, will deploy.

PowerShell remoting leverages the Windows Remote Management (WinRM) service, a contemporary, adaptable, and secure method for command execution. This means you need to enable WinRM and configure a listener on the remote computer.

Then you can execute the command below on another computer.

Invoke-Command -ComputerName "ComputerA_Hostname_or_IP" -ScriptBlock {
    # Check if the service is running, then restart it
    if ((Get-Service -Name wazuh).Status -ne 'Running') {
        Start-Service -Name wazuh
    }
}

For the service control utility, almost the same approach requires several RPC/SMB ports to be open, making it less secure and harder to configure than WinRM (Ports 139/445, plus various high-range ports).

# Check service status
sc \\ComputerA_Hostname_or_IP query wazuh

# Start the service
sc \\ComputerA_Hostname_or_IP start wazuh

You can learn more about this in the documentation below:

https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.5

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742126(v=ws.11)