when i "tail -f /var/ossec/logs/ossec.log" at Server-01
2026/07/01 12:39:13 indexer-connector: WARNING: Failed to sync agent '001': No available server
2026/07/01 12:39:13 indexer-connector: WARNING: Failed to sync agent '001': No available server
2026/07/01 12:49:07 agent_control: ERROR: Wazuh is running in cluster mode: agent_control is not available in worker nodes. Please, try again in the master node: <master-IP> .
2026/07/01 12:54:14 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2026/07/01 12:54:36 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2026/07/01 13:32:57 agent_control: ERROR: Wazuh is running in cluster mode: agent_control is not available in worker nodes . Please, try again in the master node: <master-IP> .
2026/07/01 13:54:37 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2026/07/01 13:54:59 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2026/07/01 14:55:01 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2026/07/01 14:55:22 wazuh-modulesd:syscollector: INFO: Evaluation finished.
<!--
Wazuh - Agent - Default configuration for Windows
More info at: https://documentation.wazuh.com
Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->
<ossec_config>
<client>
<server>
<address><LoadBalacer-IP></address>
<port>1514</port>
<protocol>tcp</protocol>
</server>
<config-profile>windows, windows10</config-profile>
<crypto_method>aes</crypto_method>
<notify_time>20</notify_time>
<time-reconnect>60</time-reconnect>
<auto_restart>yes</auto_restart>
<enrollment>
<enabled>yes</enabled>
<groups>Endpoints,Testing,Windows</groups>
</enrollment>
</client>
<!-- Agent buffer options -->
<client_buffer>
<disabled>no</disabled>
<queue_size>5000</queue_size>
<events_per_second>500</events_per_second>
</client_buffer>
<!-- Log analysis -->
<localfile>
<location>Application</location>
<log_format>eventchannel</log_format>
</localfile>
<localfile>
<location>Security</location>
<log_format>eventchannel</log_format>
<query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
EventID != 5152 and EventID != 5157]</query>
</localfile>
<localfile>
<location>System</location>
<log_format>eventchannel</log_format>
</localfile>
<localfile>
<location>active-response\active-responses.log</location>
<log_format>syslog</log_format>
</localfile>
<!-- Policy monitoring -->
<rootcheck>
<disabled>no</disabled>
<windows_apps>./shared/win_applications_rcl.txt</windows_apps>
<windows_malware>./shared/win_malware_rcl.txt</windows_malware>
</rootcheck>
<!-- Security Configuration Assessment -->
<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
</sca>
<!-- File integrity monitoring -->
<syscheck>
<disabled>no</disabled>
<!-- Frequency that syscheck is executed default every 12 hours -->
<frequency>43200</frequency>
<!-- Default files to be monitored. -->
<directories recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$">%WINDIR%</directories>
<directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$">%WINDIR%\SysNative</directories>
<directories recursion_level="0">%WINDIR%\SysNative\drivers\etc</directories>
<directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\SysNative\wbem</directories>
<directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\SysNative\WindowsPowerShell\v1.0</directories>
<directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\SysNative</directories>
<!-- 32-bit programs. -->
<directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$">%WINDIR%\System32</directories>
<directories recursion_level="0">%WINDIR%\System32\drivers\etc</directories>
<directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\System32\wbem</directories>
<directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\System32\WindowsPowerShell\v1.0</directories>
<directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\System32</directories>
<directories realtime="yes">%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup</directories>
<ignore>%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini</ignore>
<ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>
<!-- Windows registry entries to monitor. -->
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>
<!-- Windows registry entries to ignore. -->
<registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
<registry_ignore type="sregex">\Enum$</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final</registry_ignore>
<!-- Frequency for ACL checking (seconds) -->
<windows_audit_interval>60</windows_audit_interval>
<!-- Nice value for Syscheck module -->
<process_priority>10</process_priority>
<!-- Maximum output throughput -->
<max_eps>50</max_eps>
<!-- Database synchronization settings -->
<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_eps>10</max_eps>
</synchronization>
</syscheck>
<!-- System inventory -->
<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="yes">yes</ports>
<processes>yes</processes>
<users>yes</users>
<groups>yes</groups>
<services>yes</services>
<browser_extensions>yes</browser_extensions>
<!-- Database synchronization settings -->
<synchronization>
<max_eps>10</max_eps>
</synchronization>
</wodle>
<!-- CIS policies evaluation -->
<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>
<java_path>\\server\jre\bin\java.exe</java_path>
<ciscat_path>C:\cis-cat</ciscat_path>
</wodle>
<!-- Osquery integration -->
<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<bin_path>C:\Program Files\osquery\osqueryd</bin_path>
<log_path>C:\Program Files\osquery\log\osqueryd.results.log</log_path>
<config_path>C:\Program Files\osquery\osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>
<!-- Active response -->
<active-response>
<disabled>no</disabled>
<ca_store>wpk_root.pem</ca_store>
<ca_verification>yes</ca_verification>
</active-response>
<!-- Choose between plain or json format (or both) for internal logs -->
<logging>
<log_format>plain</log_format>
</logging>
</ossec_config>
<!-- END of Default Configuration. -->
What i am missing here because, everything was good at the build as the documentation and test but now things mess up.
You have the agent connected to your manager and sending keep-alive messages, but you do not have logs from the agent in the archive.
Just to confirm, go to the Wazuh dashboard. Go to Agents management > Summary
and check if the agents show as active.
One more thing to consider. Archives must be enabled on ALL 3 server nodes. The agent could be reporting to any of the 3 workers via HAProxy. If you enabled logall_json on only one node, events landing on the other two never get archived.
On every server node:
And restart the manager.
I think the issue is related to the communication between the agent - LB- manager.
Can you check your agent’s ossec log to see if you can see any errors or warnings?
Linux/Unix /var/ossec/logs/ossec.log
macOS /Library/Ossec/logs/ossec.log
Windows C:\Program Files (x86)\ossec-agent\ossec.log
Also, for testing, can you point one of the agent’s IP directly to the manager node instead of the LB?
This is just to confirm the issue is related to the LB.
<client>
<server>
<address>10.0.0.10</address>
<port>1514</port>
<protocol>tcp</protocol>
</server>
Update the IP, save the configuration and restart the agent.
Now try to generate some logs.
If you still do not get any logs in the archive, check the network connection following this doc:
Verifying communication with the Wazuh manager
If you get logs in after pointing directly to the manager, share the LB configuration so that I can review it from my end.
Hide any sensitive information like public IP.
I look forward to your update.