Can't start the Wazuh agent on Mac

1,464 views
Skip to first unread message

Idan Kaufman

unread,
Nov 29, 2022, 5:51:27 AM11/29/22
to Wazuh mailing list
hello, 

After installing the agent on several computers, I tried to start the agent and it succeeded on all computers except 2.
On the 2 computers that failed I got the following error
 
The Error :

2022/11/29 12:47:32 wazuh-agentd: ERROR: (1230): Invalid element in the configuration: 'enabled'.

2022/11/29 12:47:32 wazuh-agentd: ERROR: (1202): Configuration error at 'etc/ossec.conf'.

2022/11/29 12:47:32 wazuh-agentd: CRITICAL: (1215): No client configured. Exiting.

wazuh-agentd: Configuration error. Exiting

thanks,
Idan 


Screenshot 2022-11-29 at 12.48.45.png

Mauro Agustín Malara

unread,
Nov 29, 2022, 6:01:23 AM11/29/22
to Wazuh mailing list
Hi,

Can you please share with us (in files) your `client` configuration block from both agents?

Regards!

Rafa Martins

unread,
Dec 1, 2022, 11:22:39 AM12/1/22
to Wazuh mailing list
I am also having the same problem to start the agent on Mac.
Attached the client config
ossec.conf

Mauro Agustín Malara

unread,
Dec 2, 2022, 2:18:22 PM12/2/22
to Wazuh mailing list

Hi,

I can see you have this invalid configuration inside your macOS agent:

      <enabled>yes</enabled>
      <groups>workstation-mac</groups>
      <enabled>yes</enabled>
      <groups>workstation-mac</groups>
      <enabled>yes</enabled>
      <groups>workstation-mac</groups>
      <enabled>yes</enabled>
      <groups>workstation-mac</groups>
      <enabled>yes</enabled>
      <groups>workstation-mac</groups>

Please:

  1. Stop the agent /Library/Ossec/bin/wazuh-control stop
  2. Remove the mentioned configuration in your agent’s ossec.conf file
  3. Clear and follow the log in other CLI by running: cat /dev/null > /Library/Ossec/logs/ossec.log && tail -F /Library/Ossec/logs/ossec.log
  4. Start the agent by running /Library/Ossec/bin/wazuh-control start
  5. If the agent does not start correctly, please, send me the output of the tail command (where you could see errors or warnings messages)

Regards.




Rafa Martins

unread,
Dec 6, 2022, 9:34:16 AM12/6/22
to Wazuh mailing list
Hi Mauro, I removed this configurations, and now it's ok.

Strange because the file was not edited, this information was added during the installation

Thanks !

Mauro Agustín Malara

unread,
Dec 6, 2022, 10:51:13 AM12/6/22
to Wazuh mailing list

Hi!

Sounds weird. Can you share with me the part of your CLI history where you install Wazuh?
Also, can you run the following command and share the output with me: system_profiler SPSoftwareDataType?

Regards!

Rafa Martins

unread,
Dec 6, 2022, 4:17:16 PM12/6/22
to Wazuh mailing list

1. Install Wazuh
curl -so wazuh-agent-4.3.10.pkg https://packages.wazuh.com/4.x/macos/wazuh-agent-4.3.10-1.pkg && sudo launchctl setenv WAZUH_MANAGER 'server01' WAZUH_AGENT_GROUP 'workstation-mac' && sudo installer -pkg ./wazuh-agent-4.3.10.pkg -target /

sudo /Library/Ossec/bin/wazuh-control start


2. system_profiler SPSoftwareDataType

Software:

    System Software Overview:

      System Version: macOS 13.0.1 (22A400)
      Kernel Version: Darwin 22.1.0
      Boot Volume: Macintosh HD
      Boot Mode: Normal
      Computer Name: 
      User Name: System Administrator (root)
      Secure Virtual Memory: Enabled
      System Integrity Protection: Enabled
      Time since boot: 2 hours, 52 minutes

Steven Kan

unread,
May 3, 2023, 7:11:45 PM5/3/23
to Wazuh mailing list
Hi, 

I am also getting the same error when attempting to start the Wazuh agent on macOS (13.3). wazuh-server is 4.4.1 and resolvable as such:

nslookup wazuh-server
Server: 192.168.0.12
Address: 192.168.0.12#53
Name: wazuh-server.my.domain

Address: 192.168.0.179

Attempting:

sudo /Library/Ossec/bin/wazuh-control start 

results in:

2023/05/03 16:07:30 wazuh-agentd: ERROR: (1230): Invalid element in the configuration: 'enabled'.
2023/05/03 16:07:30 wazuh-agentd: ERROR: (1202): Configuration error at 'etc/ossec.conf'.
2023/05/03 16:07:30 wazuh-agentd: CRITICAL: (1215): No client configured. Exiting.
wazuh-agentd: Configuration error. Exiting

My <client> block from /Library/Ossec/etc/ossec.conf is as follows:

<client>
<server>
<address>wazuh-server</address>
<port>1514</port>
<protocol>tcp</protocol>
</server>
<config-profile>darwin, darwin22, darwin22.4</config-profile>
<notify_time>10</notify_time>
<time-reconnect>60</time-reconnect>
<auto_restart>yes</auto_restart>
<crypto_method>aes</crypto_method>
<enabled>yes</enabled>
<groups>default</groups>
<authorization_pass_path>etc/authd.pass</authorization_pass_path>
<agent_name>StevensMacBookPro23</agent_name>
<enabled>yes</enabled>
<groups>default</groups>
<authorization_pass_path>etc/authd.pass</authorization_pass_path>
<agent_name>StevensMacBookPro23</agent_name>
<enabled>yes</enabled>
<groups>default</groups>
<authorization_pass_path>etc/authd.pass</authorization_pass_path>
<enrollment>
<enabled>yes</enabled>
<groups>default</groups>
<authorization_pass_path>etc/authd.pass</authorization_pass_path>
</enrollment>
</client>

I don't have a key set up yet, as I'm just testing. 

Thanks!
Reply all
Reply to author
Forward
0 new messages