Wazuh agent ossec.conf rules doesn't sync with Wazuh Manager ossec.conf


Mr VR

Mar 26, 2025, 5:58:36 AM
to Wazuh | Mailing List
Hi Team,

I'm facing an issue: the ossec.conf FIM rules don't sync up with agents.

I also referred to this link, but the agent.conf rules don't sync with the Wazuh manager ossec.conf.

Request you to help in resolving this issue.

Regards,
Vignesh

Bony V John

Mar 26, 2025, 6:51:19 AM
to Wazuh | Mailing List

Hi,

Could you please provide more details about your issue? Are you facing an issue related to Wazuh centralized agent configuration? Please let me know what kind of FIM configuration you are trying to set up.

In Wazuh, the agent.conf file does not sync with the Wazuh manager's ossec.conf file. The Wazuh manager’s ossec.conf is used to configure the Wazuh manager service, while the agent.conf file is used to configure Wazuh agents remotely using the Wazuh manager through its centralized agent configuration capability.

If you need to configure the Wazuh agents remotely, you can use the Wazuh centralized agent configuration. For that, you first need to create a group and add the agents to that group. By using groups, you can configure multiple agents from the Wazuh manager. You can refer to the Wazuh agent grouping documentation for this.

After that, you can add your configurations in the agent.conf file to configure the agents remotely. You can refer to the Wazuh centralized agent configuration documentation for detailed guidance.

Note:
When setting up remote commands in the shared agent configuration, you must enable remote commands for Agent Modules. This is done by adding the following line to the /var/ossec/etc/local_internal_options.conf file on the agent:

wazuh_command.remote_commands=1

You can also refer to the Wazuh FIM configuration documentation for guidance.

Mr VR

Mar 26, 2025, 12:20:24 PM
to Bony V John, Wazuh | Mailing List
Hi John,

Thanks for your prompt response. 

I have tried all the documents you have shared. I have to manually open the ossec.conf and edit syscheck in the agent server; after that it triggers an integrity alert. I have three agent groups.

Let me know what specifically I have to configure in shared (agent.conf) for FIM.

Regards, 
Vignesh



Mr VR

Mar 27, 2025, 5:52:33 AM
to Wazuh | Mailing List
Hi Team,

wazuh-ag.png

I have done all the configuration, but it still doesn't sync.

wazuh-ag.png

Let me know what changes are to be done in <syscheck></syscheck>. I have also tried adding directories to sync an app directory like /var/www/html/. Still it's syncing with the agents.

Mr VR

Mar 28, 2025, 1:02:42 AM
to Wazuh | Mailing List
Hi Team,

Let me know if you have any solution for this issue.

Waiting for the response.

Regards,
Vignesh


Bony V John

Apr 1, 2025, 7:35:03 AM
to Wazuh | Mailing List

Hi,

I apologize for the late response. Could you please let me know the version of Wazuh manager and Wazuh agent that you are using? To check the version, you can run the following command on both servers:

/var/ossec/bin/wazuh-control info

Restart the Wazuh manager service:
systemctl restart wazuh-manager

To ensure the shared configurations are correct, run the below command:
/var/ossec/bin/verify-agent-conf

If there is an issue, check the configuration that you have done. 

Please share the /var/ossec/etc/shared/<agent-group-name>/agent.conf file from the Wazuh manager server so we can analyze it on our end.

Restart the Wazuh agent service:

systemctl restart wazuh-agent

Also, please share the Wazuh agent's /var/ossec/logs/ossec.log file that is showing the issue.

Share the Wazuh manager /var/ossec/logs/ossec.log file with us to check if there are any error entries.

You can also check if the new configurations are added to the Wazuh agent's /var/ossec/etc/shared/agent.conf file.

Additionally, you can refer to the Wazuh syscheck configuration documentation to validate your FIM configuration.
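
A way to pre-check a group's agent.conf alongside the steps in the reply above, as an added example that is not part of the thread or Wazuh's own tooling. It assumes shared FIM settings belong in <syscheck> under a top-level <agent_config> element (ossec.conf uses <ossec_config> instead); the function name and the sample file are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a group agent.conf (not taken from the thread).
# Assumption: agent FIM settings live in <syscheck> inside <agent_config>;
# the second block wrongly reuses <ossec_config>, the root of ossec.conf.
SAMPLE_AGENT_CONF = """
<agent_config>
  <syscheck>
    <frequency>43200</frequency>
    <directories check_all="yes" realtime="yes">/var/www/html</directories>
  </syscheck>
</agent_config>
<ossec_config>
  <syscheck>
    <directories check_all="yes">/etc,/usr/bin</directories>
  </syscheck>
</ossec_config>
"""

def audit_agent_conf(text):
    """Return (fim_dirs, problems) for the text of a shared agent.conf."""
    # agent.conf may hold several top-level blocks, so wrap them in one root.
    try:
        root = ET.fromstring("<wrapper>" + text + "</wrapper>")
    except ET.ParseError as exc:
        return [], ["not well-formed XML: %s" % exc]
    fim_dirs, problems = [], []
    for block in root:
        if block.tag != "agent_config":
            problems.append("top-level <%s> found, expected <agent_config>" % block.tag)
            continue
        for entry in block.findall("syscheck/directories"):
            # One <directories> element may list several comma-separated paths.
            for path in (entry.text or "").split(","):
                if path.strip():
                    fim_dirs.append((path.strip(), dict(entry.attrib)))
    if not fim_dirs:
        problems.append("no <directories> entry inside any <agent_config> block")
    return fim_dirs, problems

if __name__ == "__main__":
    dirs, issues = audit_agent_conf(SAMPLE_AGENT_CONF)
    for path, attrs in dirs:
        print("monitored:", path, attrs)
    for issue in issues:
        print("problem:", issue)
```

Run it against the contents of /var/ossec/etc/shared/<agent-group-name>/agent.conf on the manager; it complements /var/ossec/bin/verify-agent-conf and does not replace it.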

Mr VR

Apr 10, 2025, 1:23:15 AM
to Wazuh | Mailing List
Hi John,

PFA snapshots of agent conf and version control info. The new conf doesn't push the agent.conf.

Every time I have to change the FIM conf in the agent ossec.conf to execute the <syscheck></syscheck>.

Request you to help in resolving this issue.

Regards,
Vignesh
1.png
2.png