Failed to start who data engine


Sebastian Silva

Mar 3, 2022, 11:10:53 AM
to Wazuh mailing list
Hello dear wazuh team,

I have had a thread about this in the past because my Windows Wazuh agents did not return whodata auditing information to the manager.
After scrolling through the Wazuh agent logs I have now found the exact error message:

wazuh-agent: ERROR: (6621): Event Channel subscription could not be made. Whodata scan is disabled.
wazuh-agent: ERROR: (6710): Failed to start the Whodata engine. Directories/files will be monitored in Realtime mode

These two log lines always appear right after one another, so one should definitely cause the other.
The question now is why the event channel subscription could not be made AND why it is necessary for whodata.

Searching Google and this forum I could not find an answer, so I hope to get one here.

Thanks a lot in advance!

Cheers
Sebastian

Damian Nicastro

Mar 3, 2022, 3:21:09 PM
to Wazuh mailing list
Hi @Sebastian Silva
I hope you are fine.

The first thing to consider is that the "whodata" feature for Windows is only supported on systems newer than Windows Vista. For more details, you can check the following document:

Another problem could be that the Audit Policies were not automatically configured on your system, and you will need to do it manually. To check that, please follow this document:

If you are still having the issue, we might need to get the logs in debug mode to have more details about the issue:
Open C:\Program Files (x86)\ossec-agent\local_internal_options.conf as Administrator and add these lines to the file:
agent.debug=2
syscheck.debug=2
Then restart the Wazuh agent.

Then look for the same error in the ossec.log file and copy all relevant information here. I would also like to have your <syscheck> configuration for further understanding.
I hope this helps.
Thanks

Damian Nicastro

Mar 3, 2022, 3:27:50 PM
to Wazuh mailing list
Hi @Sebastian Silva

Another thing to keep in mind is that "realtime" and "whodata" cannot be configured at the same time, since they conflict. The "whodata" config implies real-time operation.

I hope this helps.
Thanks
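The checks suggested in the two replies above can be scripted on the affected agent. The following PowerShell is an added example written for this thread; it is not Wazuh's own code and not something posted by either participant. It assumes the agent directory from the thread (C:\Program Files (x86)\ossec-agent), assumes the Windows service is named "WazuhSvc", and assumes that the audit subcategories whodata relies on are "File System" and "Handle Manipulation" under the "Object Access" category, both set to "Success and Failure". It must be run from an elevated (Administrator) PowerShell, as the reply notes for editing local_internal_options.conf.

```powershell
# Added example for this thread (not Wazuh's code). Assumptions are marked below.
$AgentDir = 'C:\Program Files (x86)\ossec-agent'   # path taken from the reply
$ServiceName = 'WazuhSvc'                           # ASSUMED service name

function Get-ObjectAccessAuditPolicy {
    # auditpol /r emits CSV; drop blank lines before parsing so the header is read correctly.
    $rows = auditpol /get /category:"Object Access" /r |
        Where-Object { $_ -match '\S' } |
        ConvertFrom-Csv
    $policy = @{}
    foreach ($row in $rows) {
        $policy[$row.Subcategory.Trim()] = $row.'Inclusion Setting'.Trim()
    }
    return $policy
}

function Test-WhodataAuditPolicy {
    # Second reply: whodata needs the audit policies configured. ASSUMED subcategories below.
    $policy = Get-ObjectAccessAuditPolicy
    $ok = $true
    foreach ($sub in 'File System', 'Handle Manipulation') {
        $setting = $policy[$sub]
        if ($setting -ne 'Success and Failure') {
            Write-Warning "Audit subcategory '$sub' is '$setting'; whodata expects 'Success and Failure'"
            $ok = $false
        }
    }
    return $ok
}

function Find-RealtimeWhodataConflict {
    # Third reply: realtime="yes" together with whodata="yes" on one <directories> entry conflicts.
    # ossec.conf may contain several <ossec_config> roots, so wrap it in a synthetic root first.
    $raw = Get-Content -Raw (Join-Path $AgentDir 'ossec.conf')
    [xml]$conf = "<root>$raw</root>"
    $conflicts = @()
    foreach ($dir in $conf.SelectNodes('//syscheck/directories')) {
        if ($dir.realtime -eq 'yes' -and $dir.whodata -eq 'yes') {
            $conflicts += $dir.InnerText.Trim()
        }
    }
    return $conflicts
}

function Get-WhodataErrors {
    # Pull the two error codes from the original post out of ossec.log.
    $log = Join-Path $AgentDir 'ossec.log'
    if (-not (Test-Path $log)) { return @() }
    return (Select-String -Path $log -Pattern '\((6621|6710)\)' | ForEach-Object { $_.Line })
}

function Enable-SyscheckDebug {
    # Second reply's debug step: add the two lines (only if missing) and restart the agent.
    $file = Join-Path $AgentDir 'local_internal_options.conf'
    $existing = if (Test-Path $file) { Get-Content $file } else { @() }
    foreach ($line in 'agent.debug=2', 'syscheck.debug=2') {
        if ($existing -notcontains $line) { Add-Content -Path $file -Value $line }
    }
    Restart-Service -Name $ServiceName
}

# Run the read-only checks first; enable debug logging only if nothing obvious turns up.
$auditOk = Test-WhodataAuditPolicy
$conflicts = Find-RealtimeWhodataConflict
$errors = Get-WhodataErrors

if (-not $auditOk) { Write-Host 'Audit policy is not set as whodata expects; configure it and restart the agent.' }
if ($conflicts) { Write-Host "Entries with both realtime and whodata: $($conflicts -join ', ')" }
if ($errors) { Write-Host "Recent whodata errors in ossec.log:`n$($errors -join "`n")" }
if ($auditOk -and -not $conflicts) {
    Write-Host 'No obvious cause found; enabling syscheck debug logging for the next attempt.'
    Enable-SyscheckDebug
}
```

The script only enables debug logging when the audit policy and configuration checks come back clean, so a misconfigured policy or a conflicting <directories> entry is reported before the agent is restarted.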
