Group based agent configuration


Miran Ul Haq

Apr 17, 2026, 11:29:25 AM
to Wazuh | Mailing List
Hi community,

I need help with configuration using the agent.conf file. Basically, we have divided agents based on OS (Windows and Linux).
Next, in the agent.conf file of the Linux group, we added this script:

<localfile> 
  <log_format>json</log_format> 
  <location>/tmp/packetbeat/packetbeat-*.ndjson</location>
</localfile> 

However, this did not work. Then, to troubleshoot, we added the same script in the wazuh-manager's ossec.conf file and it worked perfectly.

We need assistance with this: should we keep this practice, or should this have worked with the agent.conf file?

Thanks and Regards,
Miran

Diego Guerrero

Apr 17, 2026, 3:23:15 PM
to Wazuh | Mailing List
Hi Miran Ul Haq,
Best practice is to keep it in agent.conf, grouped by OS and centrally managed.
You need to do the following steps to troubleshoot:
1. Check whether the agent is actually in the Linux group. Confirm in the UI (Dashboard → Agents → check "Groups") or via the CLI:
/var/ossec/bin/agent_groups -l
Then verify:
/var/ossec/bin/agent_groups -a -i <agent_id> -g linux
If the agent is not in the group, it will never receive agent.conf.

2. After modifying agent.conf, the agent needs to pull the updated configuration. You can restart the agent, wait (default ~10 minutes) or force a restart with:
systemctl restart wazuh-agent
3. Wildcard handling: try explicitly:
<localfile>
  <log_format>json</log_format>
  <location>/tmp/packetbeat/*.ndjson</location>
</localfile>

Also confirm files actually exist with:
ls -l /tmp/packetbeat/
4. File permissions related to the agent: it runs as the wazuh user, not root.
Check:
sudo -u wazuh cat /tmp/packetbeat/packetbeat-*.ndjson
If that fails there is a permission issue.

5. Confirm the centralized config actually reached the agent. On the agent, check whether agent.conf exists:
ls -l /var/ossec/etc/shared/linux/agent.conf
If not, the manager didn't push it; you can find more details in /var/ossec/logs/ossec.log
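
Steps 3 to 5 of the reply above can be checked in one pass on the agent. The script below is an added example, not part of the thread and not Wazuh tooling; the function names and the script name check_localfiles.sh are hypothetical, and the path of the agent.conf to audit is passed as an argument.

```shell
#!/bin/sh
# Added example (not from the thread). Run as the agent's account, e.g.
#   sudo -u wazuh sh check_localfiles.sh <path-to-agent.conf>

# Print every <location> value in the given config, one per line.
localfile_locations() {
    sed -n 's:.*<location>\(.*\)</location>.*:\1:p' "$1"
}

# Classify one location pattern for the current user.
# Returns 0 = matched and readable, 1 = no file matches, 2 = not readable.
check_location() {
    status=1
    old_ifs=$IFS; IFS=            # no word splitting; globbing still applies
    set -- $1                     # unquoted on purpose: expand the wildcard
    IFS=$old_ifs
    for f in "$@"; do
        [ -e "$f" ] || continue   # unexpanded pattern means nothing matched
        [ "$status" -ne 1 ] || status=0
        [ -r "$f" ] || status=2
    done
    return "$status"
}

# Report every location in a config; return how many would yield no events
# (255 if the config itself is missing or unreadable).
audit_config() {
    [ -r "$1" ] || { echo "MISSING  $1"; return 255; }
    bad=0
    while IFS= read -r loc; do
        [ -n "$loc" ] || continue
        rc=0; check_location "$loc" || rc=$?
        case $rc in
            0) echo "OK       $loc" ;;
            1) echo "NOMATCH  $loc"; bad=$((bad + 1)) ;;
            *) echo "DENIED   $loc"; bad=$((bad + 1)) ;;
        esac
    done <<EOF
$(localfile_locations "$1")
EOF
    return "$bad"
}

if [ "$#" -gt 0 ]; then audit_config "$1"; fi
```

A NOMATCH line corresponds to step 3 (wildcard or missing files), DENIED to step 4 (permissions of the account running the script), and MISSING to step 5 (the config never reached the agent).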

Miran Ul Haq

Apr 20, 2026, 10:22:57 AM
to Wazuh | Mailing List
Hi Diego,

Thanks for sharing the troubleshooting steps. I have adjusted the permissions for the wazuh user to read packetbeat files. But I am facing a different issue; allow me to explain.

I ran the ping google.com command.

Packetbeat files are being stored in the /tmp/packetbeat/ folder
Wazuh log-collector is able to read these files
Rule test confirms the decoder and rules are accurate
Wazuh manager alerts.json file shows that alerts are being received for the Ping command

But logs are not visible on the Dashboard. What am I missing here?

Regards,
Miran

Miran Ul Haq

Apr 22, 2026, 6:18:07 AM
to Wazuh | Mailing List
Hi Diego,

I was able to fix the issue. Again, it was a simple permissions issue.

Another problem I identified is that when we provide specific configuration to the Shared Linux Group, ultimately it does not work on the Wazuh Manager.

Packetbeat is capturing logs from all Linux endpoints except the Wazuh Manager. Is there any way to fix this?

Thanks.
