Wazuh Agent Connection Issue on Athena OS with Docker
Madushanka Nayanajith
I hope you're doing well.
I am currently facing an issue where I am able to create a Wazuh agent, but it is not connecting to the Wazuh server. I am running Wazuh Manager, Wazuh Indexer, Wazuh Dashboard, and the agent all within Docker containers on my Arch Linux-based Athena OS.
I have checked the configuration and the Wazuh manager's IP address is set correctly in the agent configuration file (172.19.0.3), and the ports are open as shown below:
[root@athena xghost]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b9669aa23262 wazuh/wazuh-dashboard:4.5.2 "/entrypoint.sh" 23 hours ago Up 2 hours 443/tcp, 0.0.0.0:443->5601/tcp, [::]:443->5601/tcp single-node-wazuh.dashboard-1
2486ad81b53f wazuh/wazuh-manager:4.5.2 "/init" 23 hours ago Up 53 minutes 0.0.0.0:1514-1515->1514-1515/tcp, [::]:1514-1515->1514-1515/tcp, 0.0.0.0:514->514/udp, [::]:514->514/udp, 0.0.0.0:55000->55000/tcp, [::]:55000->55000/tcp, 1516/tcp single-node-wazuh.manager-1
2784fb1258b7 wazuh/wazuh-indexer:4.5.2 "/entrypoint.sh open…" 23 hours ago Up 2 hours 0.0.0.0:9200->9200/tcp, [::]:9200->9200/tcp single-node-wazuh.indexer-1
[root@athena xghost]# docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' 2486ad81b53f
172.19.0.3
Agent Configuration:
<ossec_config>
<client>
<server>
<address>172.19.0.3</address>
<port>1514</port>
<protocol>tcp</protocol>
</server>
<config-profile>centos, centos6, centos6.10</config-profile>
<notify_time>10</notify_time>
<time-reconnect>60</time-reconnect>
<auto_restart>yes</auto_restart>
<crypto_method>aes</crypto_method>
</client>
</ossec_config>
However, the agent is not connecting despite all configurations seeming correct. I’ve checked the server IP and port, and I can confirm they are properly configured. I would appreciate any insights or assistance on how to resolve this issue. And i will attached wazuh-dashboard image
Thank you for your time and support.
Madushanka Nayanajith
I hope you're doing well.
I am currently facing an issue where I am able to create a Wazuh agent, but it is not connecting to the Wazuh server. I am running Wazuh Manager, Wazuh Indexer, Wazuh Dashboard, and the agent all within Docker containers on my Arch Linux-based Athena OS.
I have checked the configuration and the Wazuh manager's IP address is set correctly in the agent configuration file (172.19.0.3), and the ports are open as shown below:
Agent Configuration:
<client>
<server>
<address>172.19.0.3</address>
<port>1514</port>
<protocol>tcp</protocol>
</server>
<config-profile>centos, centos6, centos6.10</config-profile>
<notify_time>10</notify_time>
<time-reconnect>60</time-reconnect>
<auto_restart>yes</auto_restart>
<crypto_method>aes</crypto_method>
</client>
</ossec_config>
However, the agent is not connecting despite all configurations seeming correct. I’ve checked the server IP and port, and I can confirm they are properly configured. I would appreciate any insights or assistance on how to resolve this issue.
Thank you for your time and support.
hasitha.u...@wazuh.com
Never connected: The Wazuh agent has been enrolled but has not yet connected to the Wazuh manager.
Steps to troubleshoot this issue.
- Restart the Wazuh Agent
Try restarting the agent to see if it resolves the connection problem. Run this command:
systemctl restart wazuh-agent - Check the Agent Status
Verify that the agent is running properly by checking its status:
systemctl status wazuh-agent - Review the Troubleshooting Guide
We have an agent troubleshooting guide available. Please take a look at it and follow the steps if you encounter a similar issue. - Check Logs for Errors
To diagnose the problem further, please share the ossec.log files from both the Wazuh agent and the Wazuh manager. Here’s how to retrieve them:- On the Wazuh Agent (Linux):
Run this command to filter errors or warnings:
cat /var/ossec/logs/ossec.log | grep -i -E "error|warn" - On the Wazuh Manager:
If your Wazuh manager is running in a Docker container:
a. Navigate to the directory containing the docker-compose.yml file (e.g., wazuh-docker/single-node or wazuh-docker/multi-node).
b. List the running containers:
docker-compose ps
c. Access the Wazuh manager container’s shell (replace single-node-wazuh.manager-1 with your container name if different):
docker exec -it single-node-wazuh.manager-1 bash
d. Inside the container, run:
cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"
- On the Wazuh Agent (Linux):
- Verify Network Connectivity
Ensure the agent can communicate with the Wazuh manager over the required ports (1514, 1515, and 55000). On a Linux system with netcat installed, run:
nc -zv <WAZUH_MANAGER_IP_ADDRESS> 1514 1515 55000
Replace <WAZUH_MANAGER_IP_ADDRESS> with the IP address or Fully Qualified Domain Name (FQDN) of your Wazuh manager.- If successful, you’ll see messages like:
Connection to <WAZUH_MANAGER_IP_ADDRESS> port 1514 [tcp] succeeded!
Connection to <WAZUH_MANAGER_IP_ADDRESS> port 1515 [tcp] succeeded!
Connection to <WAZUH_MANAGER_IP_ADDRESS> port 55000 [tcp] succeeded! - If it fails, check your network configuration (firewalls, routing, etc.).
- If successful, you’ll see messages like:
If the issue persists, please share the error/warning logs from both the Wazuh agent and manager so we can investigate further. Let us know if you need additional help!
Regards,
Hasitha Upekshitha