I updated the Wazuh agent on some Windows machines to the latest version, 4.10.1, and now on several of these machines I’m facing a major issue: after updating and starting the agent, it stops on its own after a few seconds of running. On some machines with this issue, the service remains active for up to 5 minutes before it is stopped. I have already checked the antivirus and confirmed that it does not interfere with the agent’s execution. Could you help us with this critical issue? The same problem does not occur on Linux servers.
Wazuh version: 4.10.1
Wazuh agent: 4.10.1
Here are some example logs from one of the affected machines:
2025/02/20 18:56:16 wazuh-agent: INFO: (1410): Reading authentication keys file.
2025/02/20 18:56:16 wazuh-agent: INFO: Using notify time: 10 and max time to reconnect: 60
2025/02/20 18:56:16 wazuh-agent: INFO: Started (pid: 5296).
2025/02/20 18:56:16 rootcheck: INFO: Started (pid: 5296).
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\batfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\cmdfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\comfile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\exefile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\piffile', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Directory', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Folder', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Classes\Protocols', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 wazuh-agent: INFO: Windows version is 6.0 or newer. (Microsoft Windows 10 Enterprise [Ver: 10.0.19045.5487] - Wazuh v4.10.1).
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Policies', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Security', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 wazuh-agent: INFO: (1951): Analyzing event log: 'Application'.
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 wazuh-agent: WARNING: (1958): Log file 'Security' is duplicated.
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 wazuh-agent: INFO: (1951): Analyzing event log: 'System'.
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 wazuh-agent: INFO: (1950): Analyzing file: 'active-response\active-responses.log'.
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 wazuh-agent: INFO: (1951): Analyzing event log: 'Microsoft-Windows-Sysmon/Operational'.
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 wazuh-agent: INFO: (1951): Analyzing event log: 'Security'.
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 wazuh-modulesd:agent-upgrade: INFO: (8153): Module Agent Upgrade started.
2025/02/20 18:56:16 wazuh-agent: INFO: (1951): Analyzing event log: 'Microsoft-Windows-PowerShell/Operational'.
2025/02/20 18:56:16 sca: INFO: Module started.
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 wazuh-modulesd:ciscat: INFO: Module disabled. Exiting...
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 sca: INFO: Loaded policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win10_enterprise.yml'
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 sca: INFO: Starting Security Configuration Assessment scan.
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 wazuh-agent: INFO: Using AES as encryption method.
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components [x64]', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 wazuh-agent: INFO: Trying to connect to server ([siem.<redacted>.com.br]:1514/tcp).
2025/02/20 18:56:16 wazuh-agent: INFO: (6002): Monitoring registry entry: 'HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components', with options 'size | permissions | owner | group | mtime | hash_md5 | hash_sha1 | hash_sha256'
2025/02/20 18:56:16 wazuh-agent: INFO: (6003): Monitoring path: 'c:\programdata\microsoft\windows\start menu\programs\startup', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | realtime'.
2025/02/20 18:56:16 wazuh-agent: INFO: (6003): Monitoring path: 'c:\users\<redacted>\downloads', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | realtime'.
2025/02/20 18:56:16 wazuh-agent: INFO: (6003): Monitoring path: 'c:\users\<redacted>\downloads', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | realtime'.
2025/02/20 18:56:16 wazuh-agent: INFO: (6003): Monitoring path: 'c:\users\Default\downloads', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | realtime'.
2025/02/20 18:56:16 wazuh-agent: INFO: (6003): Monitoring path: 'c:\users\Public\downloads', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | realtime'.
2025/02/20 18:56:16 wazuh-agent: INFO: (6003): Monitoring path: 'c:\users\<redacted>\downloads', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | realtime'.
2025/02/20 18:56:16 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2025/02/20 18:56:16 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2025/02/20 18:56:16 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\drivers\etc', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2025/02/20 18:56:16 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\wbem', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2025/02/20 18:56:16 wazuh-agent: INFO: (6003): Monitoring path: 'c:\windows\system32\windowspowershell\v1.0', with options 'size | permissions | owner | group | mtime | inode | hash_md5 | hash_sha1 | hash_sha256 | attributes | scheduled'.
2025/02/20 18:56:16 wazuh-agent: INFO: (6206): Ignore 'file' entry 'c:\programdata\microsoft\windows\start menu\programs\startup\desktop.ini'
2025/02/20 18:56:16 wazuh-agent: INFO: (6207): Ignore 'file' sregex '.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$'
2025/02/20 18:56:16 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\Policy\Secrets'
2025/02/20 18:56:16 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users'
2025/02/20 18:56:16 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs'
2025/02/20 18:56:16 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP'
2025/02/20 18:56:16 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn'
2025/02/20 18:56:16 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut'
2025/02/20 18:56:16 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap'
2025/02/20 18:56:16 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo'
2025/02/20 18:56:16 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache'
2025/02/20 18:56:16 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx'
2025/02/20 18:56:16 sca: INFO: Starting evaluation of policy: 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win10_enterprise.yml'
2025/02/20 18:56:16 wazuh-agent: INFO: (6206): Ignore 'registry' entry 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final'
2025/02/20 18:56:17 wazuh-agent: INFO: (6207): Ignore 'registry' sregex '\Enum$'
2025/02/20 18:56:17 wazuh-agent: INFO: Started (pid: 5296).
2025/02/20 18:56:17 wazuh-modulesd:osquery: INFO: Module disabled. Exiting...
2025/02/20 18:56:17 wazuh-modulesd:syscollector: INFO: Module started.
2025/02/20 18:56:17 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2025/02/20 18:56:17 wazuh-agent: INFO: (6000): Starting daemon...
2025/02/20 18:56:17 wazuh-agent: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds
2025/02/20 18:56:17 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2025/02/20 18:56:17 wazuh-agent: INFO: Started (pid: 5296).
2025/02/20 18:56:17 wazuh-agent: INFO: (4102): Connected to the server ([siem.<redacted>.com.br]:1514/tcp).
2025/02/20 18:56:18 wazuh-modulesd:syscollector: INFO: Evaluation finished.
With the agent stopped, I accessed win32ui.exe, went to Manage, and clicked on Restart:
At this point, the agent was "Running" and then stopped on its own.
Here is my ossec.conf authd section:
<!-- Configuration for wazuh-authd -->
<auth>
  <disabled>no</disabled>
  <port>1515</port>
  <use_source_ip>no</use_source_ip>
  <purge>yes</purge>
  <use_password>yes</use_password>
  <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
  <!-- <ssl_agent_ca></ssl_agent_ca> -->
  <ssl_verify_host>no</ssl_verify_host>
  <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
  <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
  <ssl_auto_negotiate>no</ssl_auto_negotiate>
</auth>
I did not find anything related in the ossec.log.
The client_keys file contains the IDs of the agents with the problem.
Note that this problem started in version 4.7.5. However, most agents connected correctly and stayed connected, and some had these inconsistencies. Now, practically all do not stay connected.
What can I do to solve this?