indexer-connector: WARNING: Failed to sync agent


Anil Kumar

Sep 9, 2024, 12:36:37 AM
to Wazuh | Mailing List
Hi All,

Can someone help with troubleshooting this issue?

Infra ->
Single Server (Fresh Wazuh 4.9)
Agents (ubuntu 20,22, Wazuh 4.9)

All four agents are 
indexer-connector: WARNING: Failed to sync agent '036' with the indexer.
indexer-connector: WARNING: Failed to sync agent '035' with the indexer.
indexer-connector: WARNING: Failed to sync agent '004' with the indexer.
indexer-connector: WARNING: Failed to sync agent '033' with the indexer.

Tried till now,
restart agent -> Done
Reinstall agent -> Done

but not able to get that away from server ossec.logs

Md. Nazmur Sakib

Sep 9, 2024, 2:47:52 AM
to Wazuh | Mailing List

Hi Anil Kumar,


Indexer-connector: WARNING: Failed to sync agent 'id' with the indexer.

There are two possible causes for this error

  • If your indexer connector isn't in 'green' state or if you have a problem with the certs/credentials, the connection won't be possible and the agent vulnerabilities won't be indexed

  • There is a cool-down time that prevents the same agent from re-syncing with the indexer too often; this is to avoid overloading the indexer with requests. If everything is OK, the module will try again later.


Can you verify the health of your Wazuh Indexer cluster? For example: GET _cluster/health
Index management > Dev Tools


Did you update the wazuh-keystore in the upgrade steps? Check the corresponding guide at https://documentation.wazuh.com/current/upgrade-guide/upgrading-central-components.html


You must have your cluster in green status because the indexer_module won't sync the vulnerabilities otherwise. It might be related to the unassigned_shards you show in the health command.

Can you please remove the unassigned indexer using this command:

curl -k -XGET -u user:pass "https://<indexer_ip>:9200/_cat/shards" | grep UNASSIGNED | awk '{print $1}' | sort -u | xargs -I {} curl -k -XDELETE -u user:pass "https://<indexer_ip>:9200/{}"


To get more information if the error persists, temporarily enable wazuh_modules.debug=2 in /var/ossec/etc/local_internal_options.conf. Restart the wazuh-manager and share the /var/ossec/logs/ossec.log


Let me know if you need further assistance on this.

Dmitry Mikheev

Sep 9, 2024, 3:16:11 AM
to Wazuh | Mailing List
Hi Nazmur Sakib,
I have the same problem. How did you propose to fix it? I regularly fix it this way:

PUT .opendistro-*/_settings
{
  "index.number_of_replicas" : 0,
  "index.auto_expand_replicas": false
}

but the errors continue and every other day new unassigned indexer :(


Kuba Staśkiewicz

Oct 15, 2024, 5:29:08 AM
to Wazuh | Mailing List
This way we remove the indexes completely instead of changing the number of replicas to 0. Will these indexes be restored automatically?

I deleted two indexes “.opendistro-alerting-alerts” and “.opendistro-alerting-alert-history-2024.10.09” in this way, how can I recreate them?
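
Added example, not part of any post in this thread: before running the delete pipeline quoted above, the `_cat/shards` output can be triaged so that unassigned replica shards (which a single-node cluster cannot place, and which the `index.number_of_replicas: 0` setting from the thread addresses) are kept apart from unassigned primaries. The function name `triage_unassigned`, the sample rows and the index `example-index-000001` are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: classify UNASSIGNED shards from `_cat/shards` before deleting
# any index. Default column layout of _cat/shards:
#   index shard prirep state [docs store ip node]
# prirep is "p" for a primary shard and "r" for a replica.

# Constructed sample output (not taken from the thread).
SAMPLE_SHARDS='.opendistro-alerting-alerts 0 p STARTED 0 208b 127.0.0.1 node-1
.opendistro-alerting-alerts 0 r UNASSIGNED
.opendistro-alerting-alert-history-2024.10.09 0 p STARTED 3 9kb 127.0.0.1 node-1
.opendistro-alerting-alert-history-2024.10.09 0 r UNASSIGNED
example-index-000001 0 p UNASSIGNED
example-index-000001 0 r UNASSIGNED'

# Reads _cat/shards rows on stdin and prints one line per affected index:
#   PRIMARY <index> <count>  at least one primary is unassigned (investigate;
#                            deleting the index discards its data)
#   REPLICA <index> <count>  only replicas are unassigned (the primary is
#                            healthy; lowering the replica count clears it)
triage_unassigned() {
  awk '$4 == "UNASSIGNED" {
         if ($3 == "p") primary[$1]++; else replica[$1]++
       }
       END {
         for (i in primary) printf "PRIMARY %s %d\n", i, primary[i]
         for (i in replica)
           if (!(i in primary)) printf "REPLICA %s %d\n", i, replica[i]
       }' | LC_ALL=C sort
}

# Offline run against the constructed sample:
printf '%s\n' "$SAMPLE_SHARDS" | triage_unassigned

# Against a live indexer (placeholders as used in the thread):
#   curl -s -u user:pass "https://<indexer_ip>:9200/_cat/shards" | triage_unassigned
```

Indices reported as REPLICA still have a started primary, so deleting them removes data that the replica setting alone would have left in place.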