Wazuh agent always disconnects after a few hours (Windows 10 Pro)


Le Sok

Oct 3, 2023, 11:09:55 PM
to Wazuh | Mailing List
I installed the Wazuh OVA from this link: https://documentation.wazuh.com/current/deployment-options/virtual-machine/virtual-machine.html
and Wazuh agent version 4.4.5.
In my company, a few endpoints have the Wazuh agent. After I deploy the agent on an endpoint machine, after a few hours the Wazuh agent is disconnected. How can I fix it without going to the endpoint machine to restart the Wazuh agent or remoting in to restart the agent? I don't know why they disconnect, and I don't know how to view the logs on the Wazuh manager, because if I go to the endpoint to check the logs it really bothers them.
Here is my ossec.conf in Wazuh. Please help me to solve this problem.
Best Regards.

ossec.conf.txt

Stuti Gupta

Oct 4, 2023, 12:00:07 AM
to Wazuh | Mailing List
Hi Le Sok,
Hope you are doing well today and thank you for using Wazuh.

Yes, there is a way to restart the agent from the Wazuh manager. For that you can use the command /var/ossec/bin/agent_control -R -a (for all the agents) or /var/ossec/bin/agent_control -R -u <ID> (for a specific agent). To know the root cause of the issue, please share the following details and information.
  • What versions of Wazuh agent and manager are you using? (Note that the manager and the agent have to be running the same versions or the agent version has to be lower than the manager version.)
  • Do all the agents you intend to connect to the Wazuh manager have unique hostnames? (All agent names should be unique. You can add the agent enrollment variable in the agent ossec.conf file and give the agents unique names. This configuration can be found here.)
  • Please share the manager ossec.log file located at /var/ossec/logs/ossec.log.
  • Can you please share the log file of the wazuh agent which is getting disconnected frequently?  The location of the agent log file is dependent on the operating system: For Linux-based systems, /var/ossec/logs/ossec.log. For Windows endpoints at C:\Program Files (x86)\ossec-agent\ossec.log
For agent troubleshooting, you can refer to https://documentation.wazuh.com/current/user-manual/agent-enrollment/troubleshooting.html

Hope this will help. Looking forward to your response.

Regards,
Stuti Gupta

Le Sok

Oct 4, 2023, 12:17:36 AM
to Wazuh | Mailing List
Wazuh manager version 4.5.2 
Wazuh agent version 4.4.5
The log file of the Wazuh agent on Windows doesn't have logs yet.
ossec.conf.txt

Stuti Gupta

Oct 4, 2023, 12:44:13 AM
to Wazuh | Mailing List
Hi again,

That is unusual. Is it a fresh agent enrollment? If not, please restart the Windows agent first and then share the agent logs that will be on the agent server. For Windows endpoints, they are at C:\Program Files (x86)\ossec-agent\ossec.log. If there are still no logs, then run the following command on the Windows agent and send the output:
.\wazuh-agent-4.3.6-1.msi /l*v installer.log
or you can find the file at C:\Program Files (x86)\ossec-agent\installer. Please share that file.
Also, share the ossec.log related to that agent from the manager server using the command /var/ossec/logs/ossec.log | grep <windows agent id>. Also, share the ossec.conf of the agent.
It is recommended to update the Wazuh agent. For that you can follow https://documentation.wazuh.com/current/upgrade-guide/wazuh-agent/windows.html and for the remote upgrade you can follow https://documentation.wazuh.com/current/user-manual/agents/remote-upgrading/upgrading-agent.html

Regards,

Le Sok

Oct 4, 2023, 12:54:16 AM
to Wazuh | Mailing List
The Wazuh manager doesn't have the directory /var/ossec/logs/ossec.log
2023-10-04_11-51-21.png
I don't know why the Wazuh agent always disconnects.

Stuti Gupta

Oct 4, 2023, 1:01:03 AM
to Wazuh | Mailing List
Please use cat at the beginning of the command: cat /var/ossec/logs/ossec.log | grep <windows agent id>
Before sharing the logs, please do the following: restart the Windows agent first and then share the agent logs that will be on the agent server. For Windows endpoints, they are at C:\Program Files (x86)\ossec-agent\ossec.log. If there are still no logs, then run the following command on the Windows agent and send the output:

.\wazuh-agent-4.3.6-1.msi /l*v installer.log
or you can find the file at C:\Program Files (x86)\ossec-agent\installer. Please share that file.
Also, share the ossec.log related to that agent from the manager server using the command cat /var/ossec/logs/ossec.log | grep <windows agent id>. Also, share the ossec.conf of the agent.
It is recommended to update the Wazuh agent. For that you can follow https://documentation.wazuh.com/current/upgrade-guide/wazuh-agent/windows.html and for the remote upgrade you can follow https://documentation.wazuh.com/current/user-manual/agents/remote-upgrading/upgrading-agent.html

Le Sok

Oct 4, 2023, 2:31:09 AM
to Stuti Gupta, Wazuh | Mailing List
I just see this. But when I restart the Wazuh agent manually on the Windows endpoint, it's active and simple. But I still don't know what is wrong with this Wazuh agent.
2023-10-04_13-25-12.png


Le Sok

Oct 4, 2023, 2:40:18 AM
to Wazuh | Mailing List
Here is the log when Wazuh agent disconnected 
Logs in wazuh.txt

Stuti Gupta

Oct 4, 2023, 3:02:21 AM
to Wazuh | Mailing List
Hi,
Please share the full log file so we can know the root cause; what you have shared is very little. Without the agent logs it is difficult to find the root cause and its solution. Please share all the information and details asked for below:
  • Let us know if it is a fresh agent enrollment.
  • Please restart the Windows agent first and then share the agent logs that will be on the agent server. For Windows endpoints, they are at C:\Program Files (x86)\ossec-agent\ossec.log (full file).
  • If there are still no logs, then run the following command on the Windows agent and send the output or share that file: .\wazuh-agent-4.3.6-1.msi /l*v installer.log or you can find the file at C:\Program Files (x86)\ossec-agent\installer.
  • Also, share the ossec.log related to that agent from the manager server using the command cat /var/ossec/logs/ossec.log | grep <windows agent id> (each and every log).
  • Please share the ossec.conf of the agent.

Le Sok

Oct 4, 2023, 3:20:28 AM
to Wazuh | Mailing List
Here are the log and ossec.conf from the Wazuh agent
ossec.log
ossec.conf

Stuti Gupta

Oct 4, 2023, 5:31:33 AM
to Wazuh | Mailing List
Hi again,
2023/10/03 10:54:25 wazuh-agent: ERROR: Could not EvtFormatMessage() with flags (1) which returned (15029)
2023/10/03 10:54:25 wazuh-agent: ERROR: Could not get message for (Security)
2023/10/03 10:54:25 wazuh-agent: ERROR: Could not EvtFormatMessage() with flags (1) which returned (15029)
2023/10/03 10:54:25 wazuh-agent: ERROR: Could not get message for (Security)
According to the Windows error codes, the error is due to a formatting error caused by not finding a specific resource type. This is generating conflicts and not allowing the Wazuh-agent to monitor the events, under the default Security and application channel. Please refer to https://github.com/wazuh/wazuh/issues/4658
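
Added example (not part of the original thread and not Wazuh project code): a Python triage script that pairs each EvtFormatMessage failure in an agent ossec.log with the channel named on the following line and counts them per channel and return code. The sample log is constructed in the format of the lines quoted above, including entries run together on one line as mailing-list pastes often are; the function and variable names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample, modelled on the agent log lines quoted in the thread.
SAMPLE_LOG = (
    "2023/10/03 10:54:20 wazuh-agent: INFO: constructed unrelated line\n"
    "2023/10/03 10:54:25 wazuh-agent: ERROR: Could not EvtFormatMessage() with flags (1) which returned (15029) "
    "2023/10/03 10:54:25 wazuh-agent: ERROR: Could not get message for (Security)\n"
    "2023/10/03 10:55:01 wazuh-agent: ERROR: Could not EvtFormatMessage() with flags (1) which returned (15029)\n"
    "2023/10/03 10:55:01 wazuh-agent: ERROR: Could not get message for (Application)\n"
    "2023/10/03 10:55:02 wazuh-agent: ERROR: Could not EvtFormatMessage() with flags (1) which returned (15029)\n"
)

# Entries are split on the leading timestamp, so pasted logs that lost
# their newlines are still parsed one entry at a time.
ENTRY_SPLIT = re.compile(r"(?=\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} )")
ENTRY_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ([\w-]+): (\w+): (.*)$")
FORMAT_RE = re.compile(r"Could not EvtFormatMessage\(\) with flags \((\d+)\) which returned \((\d+)\)")
CHANNEL_RE = re.compile(r"Could not get message for \((.+)\)")


def summarize_format_errors(text):
    """Return (Counter keyed by (channel, return_code), unpaired_failures)."""
    counts, unpaired, pending = Counter(), 0, None
    for piece in ENTRY_SPLIT.split(text):
        entry = ENTRY_RE.match(piece.strip())
        if not entry or entry.group(3) != "ERROR":
            continue
        message = entry.group(4)
        failure = FORMAT_RE.search(message)
        if failure:
            if pending is not None:      # previous failure never named a channel
                unpaired += 1
            pending = int(failure.group(2))
            continue
        channel = CHANNEL_RE.search(message)
        if channel and pending is not None:
            counts[(channel.group(1), pending)] += 1
            pending = None
    if pending is not None:              # log ended before the channel line
        unpaired += 1
    return counts, unpaired


if __name__ == "__main__":
    per_channel, orphans = summarize_format_errors(SAMPLE_LOG)
    for (channel, code), n in per_channel.most_common():
        print(f"{channel}: {n} EvtFormatMessage failure(s), return code {code}")
    print(f"failures without a channel line: {orphans}")
```

To run it against a real agent log, read the file contents and pass them to summarize_format_errors() in place of SAMPLE_LOG.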

Le Sok

Oct 5, 2023, 3:07:41 AM
to Wazuh | Mailing List
Hi, sorry for the late response.
So can I fix this problem or not, sir?

Stuti Gupta

Oct 5, 2023, 4:13:49 AM
to Wazuh | Mailing List
According to the Windows error codes, the error is due to a formatting error caused by not finding a specific resource type. This is generating conflicts and not allowing the Wazuh-agent to monitor the events, under the default Security and application channel. That is resolved in Please refer to https://github.com/wazuh/wazuh/issues/4658 

Regards,