Request for help in RCA finding Regarding Wazuh Agent Configuration Change


xeption

6:58 AM (15 hours ago)
to Wazuh | Mailing List

Hello Team,

I hope this email finds you well.

We are currently facing an issue with one of our Wazuh agents. It appears that a modification was made to the ossec.conf file, after which the agent went offline. The agent logs indicate that the configuration change was not compatible with the ossec.conf file, resulting in the service disruption.

At this point, we are unable to determine the root cause of the modification. Our team did not make any changes on the endpoint during the period in question. However, upon investigation, we found that a similar configuration is currently defined in the agent.conf group configuration on the Wazuh Manager side, although it was not present at the time of the incident.

We would like to understand how this configuration could have been reflected in the ossec.conf file on the agent and whether there is any mechanism through which the manager-side configuration can automatically update the agent configuration.

Could you please help us identify the root cause and clarify the configuration synchronization behavior between agent.conf and ossec.conf?


  <agent_config>
    <localfile>
      <location>/var/log/mongodb/mongod.log</location>
      <log_format>syslog</log_format>
    </localfile>

    <syscheck>
      <directories check_all="yes" report_changes="yes" realtime="yes">/data/mongodb</directories>
    </syscheck>
  </agent_config>


  <agent_config>
    <localfile>
      <log_format>json</log_format>
      <location>/var/log/mongodb/auditLog.json</location>
    </localfile>
  </agent_config>

Regards,
Chandra

Stuti Gupta

7:53 AM (14 hours ago)
to Wazuh | Mailing List
Hi xeption,

Yes, you can update or modify the ossec.conf on the agent side from the manager-side agent.conf; this is the centralised configuration feature. It works with the agent grouping system: using centralised configuration, you can modify or share the same configuration with multiple agents at once, if they belong to the same group.

The changes made in agent.conf on the manager side will overwrite the ossec.conf at the endpoint. 

However, the changes are not reflected directly in the ossec.conf on the agent side. They are reflected in /var/ossec/etc/shared/merged.mg or in C:\Program Files (x86)\ossec-agent\shared\merged.mg (according to the agent's OS), and they apply only to those agents that belong to that group.

To know more about the centralised configuration, you can refer to https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html


Now, as you mentioned, the agent stops working; having the same configuration in agent.conf and ossec.conf on the agent side should not cause the agent to fail. I have tested that.

Can you please share the ossec.log from the agent side, so I can find the cause of the agent not working?
Linux/Unix: /var/ossec/logs/ossec.log
macOS: /Library/Ossec/logs/ossec.log
Windows 64-bit: C:\Program Files (x86)\ossec-agent\ossec.log

Please make sure the manager version is equal to or higher than the agent version.

Looking forward to your response. 

xeption

8:07 AM (13 hours ago)
to Wazuh | Mailing List

Hello Stuti,

Thank you for your response.

I understood your explanation. However, I found that the additional configuration had been added after the closing </ossec_config> tag, as shown below:

<ossec_config>
  configuration
</ossec_config>

<agent_config>
  <localfile>
    <location>/var/log/mongodb/mongod.log</location>
    <log_format>syslog</log_format>
  </localfile>
  <syscheck>
    <directories check_all="yes" report_changes="yes" realtime="yes">/data/mongodb</directories>
  </syscheck>
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/mongodb/auditLog.json</location>
  </localfile>
</agent_config>

I have now corrected the configuration issue, and there are no related errors appearing in the ossec.log file for that date.

Thank you for your assistance.

Regards,
Chandra
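A check for the failure mode this thread ended on, added here as an example and not code from the Wazuh project or from anyone in the thread: it parses a Wazuh-style configuration file while tolerating several top-level blocks (Wazuh's own parser accepts more than one <ossec_config> in ossec.conf, which a strict XML parser would reject), then reports any top-level block that does not belong in that file, such as an <agent_config> block appended after </ossec_config> in the agent's ossec.conf, or an <ossec_config> block in a group's agent.conf. It also covers the mechanism described in the earlier reply, in that it applies the opposite expectation to agent.conf. The sample configuration texts are constructed for the example, the manager address is a placeholder, and the script name in the usage comment is hypothetical.

```python
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Which top-level blocks each Wazuh file is expected to carry.
# ossec.conf: local configuration of the agent or manager (<ossec_config>).
# agent.conf: centralised group configuration on the manager (<agent_config>).
ALLOWED_ROOTS = {
    "ossec.conf": {"ossec_config"},
    "agent.conf": {"agent_config"},
}

# Constructed sample inputs for this example, not taken from a real host.
# The first one reproduces the broken shape from the thread: a centralised
# <agent_config> block pasted after the closing </ossec_config>.
BROKEN_OSSEC_CONF = """<ossec_config>
  <client>
    <server>
      <address>MANAGER_ADDRESS_PLACEHOLDER</address>
    </server>
  </client>
</ossec_config>

<agent_config>
  <localfile>
    <location>/var/log/mongodb/mongod.log</location>
    <log_format>syslog</log_format>
  </localfile>
</agent_config>
"""

GOOD_AGENT_CONF = """<agent_config>
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/mongodb/auditLog.json</location>
  </localfile>
</agent_config>
"""


def top_level_blocks(text):
    """Return the tag names of all top-level elements in a Wazuh config text.

    Wazuh accepts several top-level blocks in one file, which a strict XML
    parser rejects as "junk after document element". Wrapping the content in
    a synthetic root lets a standard parser read it while still catching
    genuinely malformed XML. Raises ValueError when the content is not
    well-formed.
    """
    # Drop an optional XML declaration; it may not appear after the wrapper.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    try:
        root = ET.fromstring("<wazuh_check_root>" + body + "</wazuh_check_root>")
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from exc
    return [child.tag for child in root]


def check_config(text, kind):
    """Report top-level blocks that do not belong in a file of the given kind.

    Returns a list of findings; an empty list means the file looks consistent.
    """
    allowed = ALLOWED_ROOTS[kind]
    try:
        blocks = top_level_blocks(text)
    except ValueError as exc:
        return [str(exc)]
    if not blocks:
        return [f"no configuration block found in {kind}"]
    expected = ", ".join(f"<{tag}>" for tag in sorted(allowed))
    return [
        f"unexpected top-level <{tag}> block in {kind}; only {expected} belongs there"
        for tag in blocks
        if tag not in allowed
    ]


def main(argv):
    # Usage (hypothetical script name):
    #   python check_wazuh_conf.py ossec.conf /var/ossec/etc/ossec.conf
    if len(argv) == 3 and argv[1] in ALLOWED_ROOTS:
        kind, path = argv[1], Path(argv[2])
        findings = check_config(path.read_text(encoding="utf-8"), kind)
    else:
        # No arguments: run against the constructed samples above.
        findings = check_config(BROKEN_OSSEC_CONF, "ossec.conf")
        findings += check_config(GOOD_AGENT_CONF, "agent.conf")
    for finding in findings:
        print(finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it reports the stray <agent_config> block in the constructed ossec.conf and nothing for the agent.conf sample; run with a file kind and a path it checks a real file and exits non-zero on any finding, so it can sit in a change-control or monitoring job that fires whenever an agent's ossec.conf is modified.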