Wazuh Syscolector (Not Enough Hardware or Operating System Information)
30 views
Skip to first unread message
Yogi Valentino
Mar 1, 2026, 12:54:15 AM (4 days ago) Mar 1
to Wazuh | Mailing List
Hi, I have a problem with my Wazuh. Why is it always tell me " Not enough hardware or operating system information"
From the Agent ossec.log
2026/02/28 08:55:14 wazuh-modulesd:syscollector: INFO: Module started.
2026/02/28 08:55:14 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2026/02/28 08:55:14 wazuh-agent: INFO: (4102): Connected to the server ([192.168.69.197]:1514/tcp).
2026/02/28 08:55:14 rootcheck: INFO: Starting rootcheck scan.
2026/02/28 08:55:14 wazuh-agent: INFO: Started (pid: 20568).
2026/02/28 08:55:14 wazuh-agent: INFO: (6000): Starting daemon...
2026/02/28 08:55:14 wazuh-agent: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds
2026/02/28 08:55:14 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/28 08:55:14 rootcheck: WARNING: No winmalware file: './shared/win_malware_rcl.txt'
2026/02/28 08:55:14 rootcheck: WARNING: No winapps file: './shared/win_applications_rcl.txt'
2026/02/28 08:55:14 wazuh-agent: INFO: (6035): Analyzing Windows volumes
2026/02/28 08:55:18 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2026/02/28 08:55:19 wazuh-agent: INFO: Agent is now online. Process unlocked, continuing...
2026/02/28 08:55:19 rootcheck: INFO: Ending rootcheck scan.
2026/02/28 08:55:38 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/28 08:55:38 wazuh-agent: INFO: FIM sync module started.
2026/02/28 08:55:38 wazuh-agent: INFO: (6012): Real-time file integrity monitoring started.
2026/02/28 08:55:38 wazuh-agent: INFO: (6019): File integrity monitoring real-time Whodata engine started.
2026/02/28 08:55:44 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win11_enterprise.yml'
2026/02/28 08:55:44 sca: INFO: Security Configuration Assessment scan finished. Duration: 30 seconds.
Agent (ossec.conf)
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<scan_on_start>yes</scan_on_start>
<interval>5m</interval>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="yes">yes</ports>
<processes>yes</processes>
<users>yes</users>
<groups>yes</groups>
<services>yes</services>
</wodle>
Server (ossec.conf)
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="yes">yes</ports>
<processes>yes</processes>
<users>yes</users>
<groups>yes</groups>
<services>yes</services>
<browser_extensions>yes</browser_extensions>
<!-- Database synchronization settings -->
<synchronization>
<max_eps>10</max_eps>
</synchronization>
</wodle>
Server Log
Feb 28, 2026 @ 15:20:05.000 wazuh-modulesd:syscollector INFO Stop received for Syscollector. Feb 28, 2026 @ 15:20:05.000 wazuh-modulesd:syscollector INFO Module finished. Feb 28, 2026 @ 15:21:05.000 wazuh-modulesd:syscollector INFO Module started. Feb 28, 2026 @ 15:21:05.000 wazuh-modulesd:syscollector INFO Starting evaluation. Feb 28, 2026 @ 15:21:06.000 wazuh-modulesd:syscollector INFO Evaluation finished. Feb 28, 2026 @ 15:26:06.000 wazuh-modulesd:syscollector INFO Stop received for Syscollector. Feb 28, 2026 @ 15:26:06.000 wazuh-modulesd:syscollector INFO Module finished. Feb 28, 2026 @ 15:26:24.000 wazuh-modulesd:syscollector INFO Module started. Feb 28, 2026 @ 15:26:24.000 wazuh-modulesd:syscollector INFO Starting evaluation. Feb 28, 2026 @ 15:26:25.000 wazuh-modulesd:syscollector INFO Evaluation finished. Feb 28, 2026 @ 16:10:37.000 wazuh-modulesd:syscollector INFO Stop received for Syscollector. Feb 28, 2026 @ 16:10:37.000 wazuh-modulesd:syscollector INFO Module finished. Feb 28, 2026 @ 16:11:01.000 wazuh-modulesd:syscollector INFO Module started. Feb 28, 2026 @ 16:11:01.000 wazuh-modulesd:syscollector INFO Starting evaluation. Feb 28, 2026 @ 16:11:04.000 wazuh-modulesd:syscollector INFO Evaluation finished. Feb 28, 2026 @ 16:26:01.000 wazuh-modulesd:syscollector INFO Stop received for Syscollector. Feb 28, 2026 @ 16:26:01.000 wazuh-modulesd:syscollector INFO Module finished. Feb 28, 2026 @ 16:26:14.000 wazuh-modulesd:syscollector INFO Module started. Feb 28, 2026 @ 16:26:14.000 wazuh-modulesd:syscollector INFO Starting evaluation. Feb 28, 2026 @ 16:26:16.000 wazuh-modulesd:syscollector INFO Evaluation finished.
I'm not using All-in-One deployment Wazuh, I'm using step-by-step Installation and self-signed SSL
I believe it's because the Syscollector but everything i did come to nothing, Any ideas?
From the Agent ossec.log
2026/02/28 08:55:14 wazuh-modulesd:syscollector: INFO: Module started.
2026/02/28 08:55:14 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2026/02/28 08:55:14 wazuh-agent: INFO: (4102): Connected to the server ([192.168.69.197]:1514/tcp).
2026/02/28 08:55:14 rootcheck: INFO: Starting rootcheck scan.
2026/02/28 08:55:14 wazuh-agent: INFO: Started (pid: 20568).
2026/02/28 08:55:14 wazuh-agent: INFO: (6000): Starting daemon...
2026/02/28 08:55:14 wazuh-agent: INFO: (6010): File integrity monitoring scan frequency: 43200 seconds
2026/02/28 08:55:14 wazuh-agent: INFO: (6008): File integrity monitoring scan started.
2026/02/28 08:55:14 rootcheck: WARNING: No winmalware file: './shared/win_malware_rcl.txt'
2026/02/28 08:55:14 rootcheck: WARNING: No winapps file: './shared/win_applications_rcl.txt'
2026/02/28 08:55:14 wazuh-agent: INFO: (6035): Analyzing Windows volumes
2026/02/28 08:55:18 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2026/02/28 08:55:19 wazuh-agent: INFO: Agent is now online. Process unlocked, continuing...
2026/02/28 08:55:19 rootcheck: INFO: Ending rootcheck scan.
2026/02/28 08:55:38 wazuh-agent: INFO: (6009): File integrity monitoring scan ended.
2026/02/28 08:55:38 wazuh-agent: INFO: FIM sync module started.
2026/02/28 08:55:38 wazuh-agent: INFO: (6012): Real-time file integrity monitoring started.
2026/02/28 08:55:38 wazuh-agent: INFO: (6019): File integrity monitoring real-time Whodata engine started.
2026/02/28 08:55:44 sca: INFO: Evaluation finished for policy 'C:\Program Files (x86)\ossec-agent\ruleset\sca\cis_win11_enterprise.yml'
2026/02/28 08:55:44 sca: INFO: Security Configuration Assessment scan finished. Duration: 30 seconds.
Agent (ossec.conf)
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<scan_on_start>yes</scan_on_start>
<interval>5m</interval>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="yes">yes</ports>
<processes>yes</processes>
<users>yes</users>
<groups>yes</groups>
<services>yes</services>
</wodle>
Server (ossec.conf)
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="yes">yes</ports>
<processes>yes</processes>
<users>yes</users>
<groups>yes</groups>
<services>yes</services>
<browser_extensions>yes</browser_extensions>
<!-- Database synchronization settings -->
<synchronization>
<max_eps>10</max_eps>
</synchronization>
</wodle>
Server Log
Feb 28, 2026 @ 15:20:05.000 wazuh-modulesd:syscollector INFO Stop received for Syscollector. Feb 28, 2026 @ 15:20:05.000 wazuh-modulesd:syscollector INFO Module finished. Feb 28, 2026 @ 15:21:05.000 wazuh-modulesd:syscollector INFO Module started. Feb 28, 2026 @ 15:21:05.000 wazuh-modulesd:syscollector INFO Starting evaluation. Feb 28, 2026 @ 15:21:06.000 wazuh-modulesd:syscollector INFO Evaluation finished. Feb 28, 2026 @ 15:26:06.000 wazuh-modulesd:syscollector INFO Stop received for Syscollector. Feb 28, 2026 @ 15:26:06.000 wazuh-modulesd:syscollector INFO Module finished. Feb 28, 2026 @ 15:26:24.000 wazuh-modulesd:syscollector INFO Module started. Feb 28, 2026 @ 15:26:24.000 wazuh-modulesd:syscollector INFO Starting evaluation. Feb 28, 2026 @ 15:26:25.000 wazuh-modulesd:syscollector INFO Evaluation finished. Feb 28, 2026 @ 16:10:37.000 wazuh-modulesd:syscollector INFO Stop received for Syscollector. Feb 28, 2026 @ 16:10:37.000 wazuh-modulesd:syscollector INFO Module finished. Feb 28, 2026 @ 16:11:01.000 wazuh-modulesd:syscollector INFO Module started. Feb 28, 2026 @ 16:11:01.000 wazuh-modulesd:syscollector INFO Starting evaluation. Feb 28, 2026 @ 16:11:04.000 wazuh-modulesd:syscollector INFO Evaluation finished. Feb 28, 2026 @ 16:26:01.000 wazuh-modulesd:syscollector INFO Stop received for Syscollector. Feb 28, 2026 @ 16:26:01.000 wazuh-modulesd:syscollector INFO Module finished. Feb 28, 2026 @ 16:26:14.000 wazuh-modulesd:syscollector INFO Module started. Feb 28, 2026 @ 16:26:14.000 wazuh-modulesd:syscollector INFO Starting evaluation. Feb 28, 2026 @ 16:26:16.000 wazuh-modulesd:syscollector INFO Evaluation finished.
I'm not using All-in-One deployment Wazuh, I'm using step-by-step Installation and self-signed SSL
I believe it's because the Syscollector but everything i did come to nothing, Any ideas?
hasitha.u...@wazuh.com
Mar 1, 2026, 1:39:28 AM (4 days ago) Mar 1
to Wazuh | Mailing List
Hi Yogi,
The Syscollector module is responsible for collecting endpoint details such as hardware, packages, OS, and network information.
First, check whether Syscollector is running properly on the endpoint. Check this log file to verify on the agent side.
C:\Program Files (x86)\ossec-agent\ossec.log
If it is running every hour, it should show output similar to:
If Syscollector is not running, check the Wazuh agent ossec.conf file using the documentation mentioned above.
If Syscollector is running fine on the endpoint, then on the Wazuh manager, check whether there are any agent sync issues or indexer connection errors in ossec.log. Run the below command on the Wazuh manager CLI:
cat /var/ossec/logs/ossec.log | grep -iE "sync|indexer-connector|error|warn"
Check if there are any error or warning logs related to agent sync or indexer connection.
If you find indexer authentication errors, you can update the Wazuh Indexer username and password in the Wazuh manager keystore using the wazuh-keystore tool:
echo '<WAZUH_INDEXER_USERNAME>' | /var/ossec/bin/wazuh-keystore -f indexer -k username
echo '<WAZUH_INDEXER_PASSWORD>' | /var/ossec/bin/wazuh-keystore -f indexer -k password
Replace <WAZUH_INDEXER_USERNAME> and <WAZUH_INDEXER_PASSWORD> with the correct credentials.
Also, verify the <indexer> configuration section in the Wazuh manager ossec.conf file. You can refer to the Wazuh documentation for configuration validation and more details about updating the keystore.
If the issue persists, check the Indexer logs:
cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -iE "error|warn"
Verify wazuh-states-* index status, run the following on the Indexer server:
curl -k -u admin:<password> https://127.0.0.1:9200/_cat/indices/wazuh-states-*?v
Replace <PASSWORD> with the correct credentials.
Ensure the index status is green.
Check indexer health
curl -k -u admin:<password> https://127.0.0.1:9200/_cluster/health?prettyVerify that:
Cluster status is not red
Shard limits are not exceeded
No allocation failures exist
For further analysis, please share:
Command outputs above
Relevant log snippets
This information will help us investigate the issue further and assist you more effectively.
The Syscollector module is responsible for collecting endpoint details such as hardware, packages, OS, and network information.
First, check whether Syscollector is running properly on the endpoint. Check this log file to verify on the agent side.
C:\Program Files (x86)\ossec-agent\ossec.log
If it is running every hour, it should show output similar to:
- 2025/12/02 11:14:07 wazuh-modulesd:syscollector: INFO: Starting evaluation.
- 2025/12/02 11:14:10 wazuh-modulesd:syscollector: INFO: Evaluation finished.
- 2025/12/02 12:14:12 wazuh-modulesd:syscollector: INFO: Starting evaluation.
- 2025/12/02 12:14:43 wazuh-modulesd:syscollector: INFO: Evaluation finished.
If Syscollector is not running, check the Wazuh agent ossec.conf file using the documentation mentioned above.
If Syscollector is running fine on the endpoint, then on the Wazuh manager, check whether there are any agent sync issues or indexer connection errors in ossec.log. Run the below command on the Wazuh manager CLI:
cat /var/ossec/logs/ossec.log | grep -iE "sync|indexer-connector|error|warn"
Check if there are any error or warning logs related to agent sync or indexer connection.
If you find indexer authentication errors, you can update the Wazuh Indexer username and password in the Wazuh manager keystore using the wazuh-keystore tool:
echo '<WAZUH_INDEXER_USERNAME>' | /var/ossec/bin/wazuh-keystore -f indexer -k username
echo '<WAZUH_INDEXER_PASSWORD>' | /var/ossec/bin/wazuh-keystore -f indexer -k password
Replace <WAZUH_INDEXER_USERNAME> and <WAZUH_INDEXER_PASSWORD> with the correct credentials.
Also, verify the <indexer> configuration section in the Wazuh manager ossec.conf file. You can refer to the Wazuh documentation for configuration validation and more details about updating the keystore.
If the issue persists, check the Indexer logs:
cat /var/log/wazuh-indexer/wazuh-cluster.log | grep -iE "error|warn"
Verify wazuh-states-* index status, run the following on the Indexer server:
curl -k -u admin:<password> https://127.0.0.1:9200/_cat/indices/wazuh-states-*?v
Replace <PASSWORD> with the correct credentials.
Ensure the index status is green.
Check indexer health
curl -k -u admin:<password> https://127.0.0.1:9200/_cluster/health?prettyVerify that:
Cluster status is not red
Shard limits are not exceeded
No allocation failures exist
For further analysis, please share:
Command outputs above
Relevant log snippets
This information will help us investigate the issue further and assist you more effectively.
Reply all
Reply to author
Forward
0 new messages