Agents is in active state but showing disconnected in dashboard

[Chandra pal singh Chauhan]

Hello Team,

I am facing an issue where the AWS server agents are showing as disconnected on the dashboard, but when I check the status on the server, it shows as active. This issue has occurred three times in the last two months, while other endpoints are working fine.

Kindly look into this matter.

[Bony V John]

Hi Chandra,

Could you please let us know which version of the Wazuh server you are using and the version of the agent that is showing this issue? If the agent version is newer than the manager, it can cause version conflict issues.

You should also check if the network connection between the Wazuh Manager server and the affected agents is stable. You can run the following command on the agent server when you face this issue again. This will verify the connection between the Wazuh Agent and the Wazuh Manager on port 1514:  

nc -vz <wazuh-manager-IP> 1514

Replace the <wazuh-manager-IP> with the IP address of your Wazuh Manager server.

If there are no connection issues, the output will look like this:

If the connection fails, please verify your network configurations.

Also, when you encounter this disconnection issue, check for error entries in the Wazuh Manager and Wazuh Agent logs. You can run the following command on both servers to look for relevant log entries:

cat /var/ossec/logs/ossec.log | grep -iE "error|warn|fatal|crit"

For agents on Windows, the log file is located at: C:\Program Files (x86)\ossec-agent\ossec.log

Additionally, you can refer to the Wazuh troubleshooting documentation for further guidance.

[Chandra pal singh Chauhan]

Hi  Bony,

1. version of the Wazuh server and Agent: 4.9.2

2. Verify the connection between the Wazuh Agent and the Wazuh Manager on port 1514:

Agent side:

i atteched log file for your referance and also other agents working fine without any problem. problem occurred only cloud account.

if you need anything please feel free to ask. 

[Chandra pal singh Chauhan]

Hello team,

any update on this?

[Bony V John]

Hi,

I apologize for the delayed response. From the logs you shared, it seems necessary to confirm the Wazuh Manager and Wazuh Agent versions.

Run the following command on the Wazuh Manager:  

/var/ossec/bin/wazuh-control -j info

On Windows, search for "Manage Agent" in the search bar, open it with administrator privileges, and check the Wazuh Agent version. I have attached a sample screenshot for reference. 

 

If the Wazuh Agent version is higher than the Wazuh Manager version, there will be a compatibility issue. In this case, it is recommended to upgrade the Wazuh Manager to the latest version. You can follow the Wazuh upgrade documentation for this process.

The error you are seeing is related to the force block option for authd.

https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/auth.html#force

This issue occurs because the system is trying to replace an existing agent with a new one, but since the agent is still connected, it is being blocked.  

You can edit the force options on Wazuh manager ossec.conf file, or re-register your agent.