Wazuh manager and agent on the same server.

[Carlos Romero]

My English isn't very good. I have a 3-server Wazuh distribution for better performance. Unfortunately, IT staff mistakenly installed the Wazuh agent on the Wazuh Manager server, which caused the manager service to no longer exist and prevented the service from being brought online. Is it possible to reinstall Wazuh Manager without losing synchronization with the indexer and dashboard? Is there a step-by-step guide? I greatly appreciate your help.

[Bony V John]

Hi,

Please allow me some time. I’m working on this and will get back to you with an update as soon as possible.

[Bony V John]

Hi,

Normally, if we try to install the Wazuh agent on the Wazuh manager server, it will not allow it because of the package conflict issue like below:

Error: wazuh-agent conflicts with wazuh-manager-4.13.1-1.x86_64
Error: wazuh-manager conflicts with wazuh-agent-4.13.1-1.x86_64

First, make sure the agent is installed or not and whether the Wazuh manager service is there or not:

systemctl status wazuh-agent

Check if the Wazuh agent package is present or not.

Also, check the Wazuh manager service:

systemctl status wazuh-manager

If the Wazuh agent service is present in the Wazuh manager server or you get an output like below when checking the agent status:

● wazuh-agent.service
   Loaded: not-found (Reason: No such file or directory)
   Active: failed (Result: exit-code) since Fri 2025-09-26 10:47:06 IST; 1min 59s ago

This indicates the agent service is installed but not able to start due to a conflict issue.

In this case, the Wazuh manager ossec.conf file will be replaced with the agent ossec.conf file.
Check if it has changed or not:

cat /var/ossec/etc/ossec.conf

If it is not changed, take a backup of the file and copy it somewhere else.
Also, check the custom rules, decoders, CDB lists, custom scripts, etc. on the server if you have added any:  

ll /var/ossec/etc/rules/

ll /var/ossec/etc/decoders/

ll /var/ossec/etc/lists/
ll /var/ossec/integrations/

Also, take a backup of the /var/ossec/logs/alerts directory for safety.
And take a backup of the certificates as well, located in the /etc/filebeat/certs/ directory. This will helps if incase, we need to reinstall filebeat.

If you have added any custom configurations in your old Wazuh manager, run the above commands and check if they exist. If they are still there, take a backup of those custom files outside of the /var/ossec/ directory or copy them to another server.

Then first uninstall the Wazuh agent:
You can follow this Wazuh documentation for removing the agent from the Wazuh manager server.

Based on your server OS, run the correct uninstallation command from the documentation.

Also, if the Wazuh manager package exists, remove that as well:

• If you are using Ubuntu OS:  

apt-get remove --purge wazuh-manager -y

• If you are using CentOS or Red Hat:  

yum remove wazuh-manager -y

rm -rf /var/ossec/

Then confirm that the Wazuh manager and agent packages have been removed and the ossec directory has been deleted:

systemctl status wazuih-agent

systemctl status wazuh-manager

ll /var/ossec

After that, you can re-install the Wazuh manager.

For that, follow this Wazuh documentation.

This documentation is for installing Wazuh manager version 4.12.0. If you are using a different version, you need to change the documentation version at the top of the page and install the exact version of your old Wazuh manager.

After installing Wazuh manager, check if Filebeat is present or not:

systemctl status filebeat

If the Filebeat package is present, there is no need to install it again. You can skip all the steps up to the Wazuh indexer connection configuration section in the documentation.
Then follow the remaining steps from the Wazuh indexer connection configuration section.

After that, check if you are able to access the Wazuh dashboard again. If you are, then you can add the backed-up rules, decoder files, etc. to the Wazuh manager again manually.
Also, re-enroll the agents again.

I have tested this on my end and these steps worked for me to resolve the issue.

[Carlos Romero]

Thank you very much.

I'll do what you're told and report back on the results.

Carlos.