Wazuh agent automatically getting stopped

Bhagyesh Parmar

Nov 28, 2021, 1:34:48 AM
to Wazuh mailing list
Hi,

I have noticed that my wazuh agent service is automatically getting turned off / stopped.

Does anyone know what could be the reason behind it?

Regards,
Bhagyesh

Francis Timilehin Jeremiah

Nov 29, 2021, 3:03:42 AM
to Wazuh mailing list
Hello,

What type of agent is this, Windows or Linux? Can you review the ossec.log and ossec.conf of the agent? There might be some misconfiguration in the configuration file that is causing the agent to stop. Check the log to see what the error is, implement the correction in the .conf file and restart the agent.

Francis.

Ramiro Dapozo

Nov 29, 2021, 8:23:18 AM
to Francis Timilehin Jeremiah, Wazuh mailing list
Hi, I made a mistake and replied to Bhagyesh privately. He already gave me some info. They're using Wazuh version 4.2.2 and it's running on Windows 10 Pro.
They also sent me the ossec.log file (attached to this email).
Now, this log looks like the agent logs. It seems it's failing to connect to the manager. The manager itself could be having an issue (in which case I would need you to send me the manager logs), the agent could be misconfigured, or there could be some connectivity issues preventing the agent from contacting the manager successfully.

Could you please send us the manager logs, version and operating system?

Best,


Ramiro

ossec-23.log

Ramiro Dapozo

Dec 1, 2021, 4:05:48 PM
to Bhagyesh Parmar, Wazuh mailing list
Hi Bhagyesh,
I just wanted to let you know that I am currently looking into this. I need to recreate a similar environment (having an Active Domain user) to make sure I can help you. However, you not being able to see the contents of the ossec folder as a domain user probably makes sense and is expected, as the agent runs as the NT AUTHORITY/SYSTEM user.
There are two things in that image that make me curious:
* Why is the IP showing as "z.z.z.z"? Is that just you obfuscating the IP address?
* Note the "An established connection was aborted by the software in your host machine" message. It sounds like there might be a firewall rule that is blocking certain outgoing connections. Could you please check this?

I'll let you know when I have more information.

Best,

Ramiro

On Wed, Dec 1, 2021 at 12:15 AM Bhagyesh Parmar <101bh...@gmail.com> wrote:
Hi Ramiro,

I can send you the server logs, but before that I would like to tell you something strange that I have noticed.

The system, running Windows 10 Pro, has 2 user accounts:
1. Active Directory User
2. local administrator account

A few weeks ago the agent was running fine, but suddenly it stopped sending the data. We already have other agents installed on other systems as well, running fine and sending the logs properly, but we are facing the issue with this one only.

I have also noticed that the ossec folder is not accessible from the Active Directory user account; it shows as empty. But when I switch to the local administrator account I am able to see all the files inside ossec, and the agent is also showing in the running state, but somehow it is not sending the data to the server.

Is there any issue with permissions or something else blocking it, and how can I find out what is preventing the agent from making the connection?

Please refer to the latest logs in the attached image (local admin account).

image.png

Regards,
Bhagyesh

Ramiro Dapozo

Dec 2, 2021, 10:33:30 AM
to Bhagyesh Parmar, Wazuh mailing list
Hi Bhagyesh,
There is a debug logging option that could help us pinpoint the problem. You need to add the following line to your local_internal_options.conf file:
windows.debug=2

After doing that and restarting the manager, please try to reproduce the problem you are having and then do the following:
* Send me the ossec.conf, internal_options.conf, local_internal_options.conf, ossec.conf files.
* Open the Event Viewer (Ctrl + R, type in eventvwr and hit Enter), go to Windows Logs -> Application, order by Source and find those that are "Application Error", and go through them finding those whose descriptions (under the General tab on the panel below) contain "Faulting application name: wazuh-agent.exe". After finding those events, right click on them, click on Copy and then Copy Details as Text, and include the copied text in the response to this email.
Here is an example of an event where dwm.exe crashed:
image.png

Let me know how that goes.

Best,

Ramiro Dapozo
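
A PowerShell script that automates the diagnostics Ramiro asks for above (added here as an example; it is not from the thread or from the Wazuh project). It assumes the agent is installed in C:\Program Files (x86)\ossec-agent and that the service is named WazuhSvc; neither value is stated in the thread, so adjust both if your install differs.

```powershell
# Added example, not part of the thread. Collects what Ramiro asked for:
# enable windows.debug=2, then (after reproducing the failure) gather the
# config files and any "Application Error" events for wazuh-agent.exe.
# Assumed values (not stated in the thread): install dir and service name.
$AgentDir    = 'C:\Program Files (x86)\ossec-agent'   # assumed default install path
$ServiceName = 'WazuhSvc'                             # assumed agent service name

function Enable-WazuhDebug {
    # Step 1: append windows.debug=2 to local_internal_options.conf unless
    # the option is already set, then restart the agent service.
    $opts = Join-Path $AgentDir 'local_internal_options.conf'
    if (-not (Select-String -Path $opts -Pattern '^\s*windows\.debug\s*=' -Quiet)) {
        Add-Content -Path $opts -Value 'windows.debug=2'
    }
    Restart-Service -Name $ServiceName
}

function Export-WazuhDiag {
    # Step 2 (run after reproducing the problem): copy the requested config
    # files and export matching crash events as text, like "Copy Details as Text".
    param([string]$OutDir = (Join-Path $env:TEMP 'wazuh-diag'))
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    foreach ($f in 'ossec.conf', 'internal_options.conf', 'local_internal_options.conf') {
        Copy-Item -Path (Join-Path $AgentDir $f) -Destination $OutDir -ErrorAction SilentlyContinue
    }

    # Application log, Source "Application Error", description naming wazuh-agent.exe
    $crashes = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Application Error' } `
                            -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Faulting application name:\s*wazuh-agent\.exe' }

    $report = Join-Path $OutDir 'wazuh-agent-crashes.txt'
    $crashes | Format-List TimeCreated, Id, Message | Out-File -FilePath $report -Encoding utf8
    Write-Host ("{0} wazuh-agent.exe crash event(s) written to {1}" -f @($crashes).Count, $OutDir)
    return $crashes
}

# Usage: run Enable-WazuhDebug, reproduce the failure, then run Export-WazuhDiag
# and attach the contents of the output directory to the reply.
```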

Bhagyesh Parmar

Dec 2, 2021, 12:57:23 PM
to Ramiro Dapozo, Wazuh mailing list
Thanks, I will do that.

Regards,
Bhagyesh