How can I restart Wazuh agent from Wazuh Manager

[Le Sok]

I installed Wazuh Virtual machine (OVA) from this https://documentation.wazuh.com/current/deployment-options/virtual-machine/virtual-machine.html .
And my Wazuh agent 2, 3 day disconnect 1 time and if Wazuh disconnect I need go to restart Wazuh agent physical at endpoint machine or I remote to restart Wazuh agent on endpoint computer so I don't want to do that because I have a lot of Wazuh agent on my company so how can I restart Wazuh agent on server? please guide me to do that.
Best regards.

[Jorge Alberto Marino]

Hello Le Sok,

First of all, I strongly recommend figuring out why this agent is disconnecting and fix it if possible.Check logs on the agent's side.

Secondly, and answering your question:

1. You can get the list of agents in the server running /var/ossec/bin/agent_control -l

2. If you know the agent ID, you can restart it remotely from the server running the command /var/ossec/bin/agent_control -R -u <agent_id>
3. You can restart all agents running the command /var/ossec/bin/agent_control -R -a

In the third place, you are facing a paradox. Because if the agent disconnects, you can't restart it remotely. It seems there is something wrong with the agent.

Again , I strongly recommend figuring out why this agent is disconnecting and fix it if possible.

Thank you, please come back with any feedback.

Regards,

Jorge Marino. Wazuh Core Team.

[Le Sok]

So how can I view logs Wazuh agent on Wazuh server. Because on I already restart it's doesn't work.
Best Regards

--
You received this message because you are subscribed to the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/1575ba92-09a8-4a38-8a0d-4186192ec471n%40googlegroups.com.

[Jorge Alberto Marino]

Hello Le Sok,

To see the latest logs of the agent, you have to check the /var/ossec/logs/ossec.log file in the agent's host.

If the agent has connection issues to the manager, you have to rely on the actual host logs.

Why is it disconnecting? Can you share the agent's log that is disconnecting?

Thank you.

[Le Sok]

My Wazuh agent is down from 28/09/2023 but logs on wazuh agent is can logs on 25 and 26 how can I check the logs on 28 

How can I check logs on 28 and 27
Best Regards

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/bd296ea5-4679-469b-a025-28abcd9f4726n%40googlegroups.com.

[Jorge Alberto Marino]

Hello,

Wazuh rotate logs and archives them in the directory /var/ossec/logs/wazuh/

There you can find archived logs.

If the agent was down before, you must check the latest log file available to find any reason of disconnection.

[Le Sok]

But this agent wazuh have only 2 days logs I created this wazuh agent maybe around 1 week but wazuh only logs 2 days.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/4b1ea689-d5b9-4c35-b2d4-a60f04fb3ce5n%40googlegroups.com.

[Jorge Alberto Marino]

It looks like you are checking the archived logs. It makes totally sense that you only have 2 days of archived logs.

The agent was down, and it couldn´t archive the rest of the logs after it was down.

You can check the /var/ossec/logs/ossec.log for the latest log that was generated by this agent before it went shut down.

It seems to be a misunderstanding of how log collection works. Please check here log how it works

We are not able to follow your request unless you share the latest logs from the disconnecting agent. Do not mix archived logs with actual logs.

If the agent daemon is down, it won't do anything, nor collecting data or archiving logs. Please take a look at official doc and come back with the latest log from the agent host.

There is no other way to find why this agent is disconnecting.

Also regarding your original request, we have already provided instructions on how to restart the agent remotely.

Thank you