wazuh-manager.service: Critical error reading XML file 'etc/ossec.conf'

4,635 views
Skip to first unread message

cyber ninjas

unread,
Apr 10, 2023, 11:51:11 AM4/10/23
to Wazuh mailing list
Hello Team,

I am very new to Wazuh, so I apologize if this question has been asked and answered before.

I am getting an error restarting the Wazuh manager service after making changes to the ossec.conf file. This is what journalctl -xe tells me:

Apr 10 15:42:08 wazuh env[403457]: 2023/04/10 15:42:08 wazuh-csyslogd: CRITICAL: (1226): Error reading XML file 'etc/ossec.conf':  (line 0).
Apr 10 15:42:08 wazuh env[403423]: wazuh-csyslogd: Configuration error. Exiting
Apr 10 15:42:08 wazuh systemd[1]: wazuh-manager.service: Control process exited, code=exited, status=1/FAILURE

What is the best way to troubleshoot the .conf? I have read through it a number of times but cannot identify the issue. Any help you can provide is greatly appreciated.

Sincerely,

Jennifer A.

Julian Bustamante Narvaez

unread,
Apr 10, 2023, 12:05:06 PM4/10/23
to Wazuh mailing list
Hi,  i hope you are well.
what changes did you make?
what wazuh version do you have?
can you share me the ossec.conf file?

Regards.

Julian Bustamante Narvaez

unread,
Apr 10, 2023, 10:46:39 PM4/10/23
to Wazuh mailing list
Hi, according on what you emailed me, your error is here ---> <logall>no/logall>

should be <logall>no</logall>
i tried it and server works fine


Regards

cyber ninjas

unread,
Apr 11, 2023, 8:54:44 AM4/11/23
to Wazuh mailing list
Thank you very much, Julian. It is resolved for me as well.

Have a great day!

Jennifer A.

Charles Kung

unread,
Apr 26, 2023, 12:46:51 AM4/26/23
to Wazuh mailing list
Hello Julian,

I got the same error when I tried to start wazuh agent with the following errors.

The Error :

 wazuh-agentd: ERROR: (1230): Invalid element in the configuration: 'enabled'.

wazuh-agentd: ERROR: (1202): Configuration error at 'etc/ossec.conf'.

wazuh-agentd: CRITICAL: (1215): No client configured. Exiting.

wazuh-agentd: Configuration error. Exiting


Followed the info and edit the ossec.conf and removed the repeated section.
https://groups.google.com/g/wazuh/c/BY2dKhk5ais

I check the ossec.conf permission, it seemed fine

permission.png
Please find attached ossec.conf 

Thanks!
Charles
ossec.txt

Julian Bustamante Narvaez

unread,
Apr 26, 2023, 1:17:12 AM4/26/23
to Wazuh mailing list
Hi Charles Kung,  i hope you are well.

what operating system do you use? Mac? which version?

what version of wazuh do you use? 

What configurations were you doing before the error appeared?

Regards

Charles Kung

unread,
Apr 26, 2023, 8:58:12 PM4/26/23
to Wazuh mailing list

Hello Julian,

I got the same error when I tried to start wazuh agent with the following errors.

The Error :

 wazuh-agentd: ERROR: (1230): Invalid element in the configuration: 'enabled'.

wazuh-agentd: ERROR: (1202): Configuration error at 'etc/ossec.conf'.

wazuh-agentd: CRITICAL: (1215): No client configured. Exiting.

wazuh-agentd: Configuration error. Exiting


Followed the info and edit the ossec.conf and removed the repeated section.
https://groups.google.com/g/wazuh/c/BY2dKhk5ais

I check the ossec.conf permission, it seemed fine

permission.png

Please find attached ossec.conf 

Thanks!
Charles
ossec.txt

Julian Bustamante Narvaez

unread,
Apr 27, 2023, 9:26:22 AM4/27/23
to Wazuh mailing list

""Thanks Julian,


1. Macbook air Ventura 13.3.1
2. Wazuh Ver 4.4.0

Copied the following command then try to file:///home/thejbte/Pictures/Screenshots/Screenshot%20from%202023-04-27%2008-13-37.png
start the Wazuh agent but got error.
curl -so wazuh-agent.pkg https://packages.wazuh.com/4.x/macos/wazuh-agent-4.4.0-1.pkg && sudo launchctl setenv WAZUH_MANAGER 'n1.ndr24.com' WAZUH_AGENT_GROUP 'default' WAZUH_AGENT_NAME 'charles-mac' && sudo installer -pkg ./wazuh-agent.pkg -target /"

Hi, I replicated the command in another mac version and works fine.

Vagrants-MacBook-Pro:~ vagrant$ sudo /Library/Ossec/bin/wazuh-control restart
Killing wazuh-modulesd...
Killing wazuh-logcollector...
Killing wazuh-syscheckd...
Killing wazuh-agentd...
Killing wazuh-execd...
Wazuh v4.4.0 Stopped
Starting Wazuh v4.4.0...
Started wazuh-execd...
Started wazuh-agentd...
Started wazuh-syscheckd...
Started wazuh-logcollector...
Started wazuh-modulesd...
Completed.
Vagrants-MacBook-Pro:~ vagrant$
 

However I see that the problem is here, when I replicate the problem the error shown is the same

ossec_config>
  <client>
    <server>
      <address>n1.ndr24.com</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    <config-profile>darwin, darwin22, darwin22.4</config-profile>
    <notify_time>10</notify_time>
    <time-reconnect>60</time-reconnect>
    <auto_restart>yes</auto_restart>
    <crypto_method>aes</crypto_method>
    <enrollment>
      <enabled>yes</enabled>
      <agent_name>charles-mac</agent_name>
      <groups>default</groups>
      <authorization_pass_path>etc/authd.pass</authorization_pass_path>
    </enrollment>

      <enabled>yes</enabled>
      <agent_name>charles-mac</agent_name>
      <groups>default</groups>
      <authorization_pass_path>etc/authd.pass</authorization_pass_path>
    <enrollment>

  </client>


delete that  block.
      <enabled>yes</enabled>
      <agent_name>charles-mac</agent_name>
      <groups>default</groups>
      <authorization_pass_path>etc/authd.pass</authorization_pass_path>
    <enrollment>


Regards

Charles Kung

unread,
Apr 27, 2023, 10:33:45 PM4/27/23
to Wazuh mailing list

Thank you so much! Julian, It's working now after deleting the block. Cheers!


ckung@charless-air ~ % sudo /Library/Ossec/bin/wazuh-control start

Starting Wazuh v4.4.0...

Started wazuh-execd...

Started wazuh-agentd...

Started wazuh-syscheckd...

Started wazuh-logcollector...

Started wazuh-modulesd...

Completed.


Ângelo Rafael Rodrigues

unread,
May 23, 2024, 8:37:17 AM5/23/24
to Wazuh | Mailing List
Hi team!

Someone would help me w/ these below error please?

[root@wazuh-server etc]# systemctl start wazuh-manager

Job for wazuh-manager.service failed because the control process exited with error code. See "systemctl status wazuh-manager.service" and "journalctl -xe" for details.

[root@wazuh-server etc]# systemctl status wazuh-manager

wazuh-manager.service - Wazuh manager

   Loaded: loaded (/usr/lib/systemd/system/wazuh-manager.service; enabled; vendor preset: disabled)

   Active: failed (Result: exit-code) since Wed 2024-05-22 13:09:24 UTC; 4s ago

  Process: 17433 ExecStart=/usr/bin/env /var/ossec/bin/wazuh-control start (code=exited, status=1/FAILURE)


May 22 13:09:24 wazuh-server env[17433]: 2024/05/22 13:09:24 wazuh-csyslogd: ERROR: (1226): Error readin...e 0).

May 22 13:09:24 wazuh-server env[17433]: wazuh-csyslogd: Configuration error. Exiting

Hint: Some lines were ellipsized, use -l to show in full.

[root@wazuh-server etc]# 


The changes made were the activation of vulnerability detector for scan servers, ossec.conf attached.

Thanks in advance for this support!

Ângelo



ossec.conf

Ângelo Rafael Rodrigues

unread,
May 23, 2024, 8:37:32 AM5/23/24
to Wazuh | Mailing List
Hello community!

I'm very new on wazuh, and i'm having these same challenge.
The wazuh-manager not starts after activate the vulnerability detector module following the wazuh community.
Would be possible someone help me on that?
ossec.conf file is attached.

Thanks in advance!

Ângelo

Em quinta-feira, 27 de abril de 2023 às 23:33:45 UTC-3, Charles Kung escreveu:
ossec.conf
Reply all
Reply to author
Forward
0 new messages