indexer-connector: WARNING: Failed to sync agent

17 views
Skip to first unread message

Ahmed Awwad

unread,
Jul 2, 2026, 3:16:24 AM (24 hours ago) Jul 2
to Wazuh | Mailing List
 Hi everyone

I had just built a new Wazuh Cluster (3 Server nodes, 3 indexer nodes) + HAProxy LB
all build verification was good, but when onboarded a windows machine 
No logs received, Agent Status Active, Keepalive keep sending,, 
I had enabled Archive. * index, no logs 

I checked Master Node logs i found this 
grep -iE "indexer|inventory" /var/ossec/logs/ossec.log
2026/07/01 09:57:53 wazuh-modulesd:inventory-harvester: INFO: Stopping inventory_harvester module.
2026/07/01 09:57:53 logger-helper: INFO: Inventory harvester module stopped.
2026/07/01 09:57:56 wazuh-modulesd:inventory-harvester: INFO: Loaded Inventory harvester module.
2026/07/01 09:58:05 wazuh-modulesd:inventory-harvester: INFO: Loaded Inventory harvester module.
2026/07/01 09:58:05 wazuh-modulesd:inventory-harvester: INFO: Starting inventory_harvester module.
2026/07/01 09:58:06 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventory-packages-wazuh_cluster', retrying until the connection is successful.
2026/07/01 09:58:06 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-vulnerabilities-wazuh_cluster', retrying until the connection is successful.
2026/07/01 09:58:07 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventory-system-wazuh_cluster', retrying until the connection is successful.
2026/07/01 09:58:08 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventory-processes-wazuh_cluster', retrying until the connection is successful.
2026/07/01 09:58:09 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventory-ports-wazuh_cluster', retrying until the connection is successful.
2026/07/01 09:58:10 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventory-hotfixes-wazuh_cluster', retrying until the connection is successful.
2026/07/01 09:58:11 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventory-hardware-wazuh_cluster', retrying until the connection is successful.
2026/07/01 09:58:12 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventory-protocols-wazuh_cluster', retrying until the connection is successful.
2026/07/01 09:58:13 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventory-interfaces-wazuh_cluster', retrying until the connection is successful.
2026/07/01 09:58:14 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventory-networks-wazuh_cluster', retrying until the connection is successful.
2026/07/01 09:58:15 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventory-users-wazuh_cluster', retrying until the connection is successful.
2026/07/01 09:58:16 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventory-groups-wazuh_cluster', retrying until the connection is successful.
2026/07/01 09:58:17 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventory-browser-extensions-wazuh_cluster', retrying until the connection is successful.
2026/07/01 09:58:18 indexer-connector: WARNING: IndexerConnector initialization failed for index 'wazuh-states-inventory-services-wazuh_cluster', retrying until the connection is successful.
2026/07/01 09:58:18 logger-helper: INFO: InventoryHarvesterFacade module started.
2026/07/01 13:19:19 wazuh-modulesd:inventory-harvester: INFO: Stopping inventory_harvester module.
2026/07/01 13:19:19 logger-helper: INFO: Inventory harvester module stopped.
2026/07/01 13:19:21 wazuh-modulesd:inventory-harvester[870585] wm_harvester.c:151 at wm_inventory_harvester_read(): INFO:Loaded Inventory harvester module.
2026/07/01 13:19:31 wazuh-modulesd:inventory-harvester[870959] wm_harvester.c:151 at wm_inventory_harvester_read(): INFO:Loaded Inventory harvester module.
2026/07/01 13:19:31 wazuh-modulesd[870959] main.c:105 at main(): DEBUG: Created new thread for the 'inventory_harvester' module.
2026/07/01 13:19:31 wazuh-modulesd:inventory-harvester[870959] wm_harvester.c:56 at wm_inventory_harvester_main(): INFO: Starting inventory_harvester module.
2026/07/01 13:19:31 wazuh-modulesd:inventory-harvester[870959] wm_harvester.c:48 at wm_inventory_harvester_log_config(): DEBUG: {"indexer":{"enabled":"yes","hosts":["https://<indexer-IP-03>:9200","https://<indexer-IP-02>:9200","https://<indexer-IP-01>:9200"],"ssl":{"certificate_authorities":["/etc/filebeat/certs/root-ca.pem"],"certificate":"/etc/filebeat/certs/wazuh-master.pem","key":"/etc/filebeat/certs/wazuh-master-key.pem"}},"clusterEnabled":true,"clusterName":"wazuh_cluster","cluste                                    rNodeName":"wazuh-master"}
2026/07/01 13:19:31 wazuh-modulesd:vulnerability-scanner[870959] wm_vulnerability_scanner.c:45 at wm_vulnerability_scanner_log_config(): DEBUG: {"vulnerability-detection":{"enabled":"yes","index-status":"yes","feed-update-interval":"60m","cti-url":"https://cti.wazuh.com/api/v1/catalog/contexts/vd_1.0.0/consumers/vd_.8.0"},"wmMaxEps":100,"translationLRUSize":2048,"osdataLRUSize":1000,"remediationLRUSize":2048,"managerDisabledScan":1,"reportQueueSize":262144,"indexer":{"enabled":"yes","hosts":["https://<indexer-IP-03>:9200","https://<indexer-IP-02>:9200","https://<indexer-IP-01>:9200"],"ssl":{"certificate_authorities":["/etc/filebeat/certs/root-ca.pem"],"certificate":"/etc/filebeat/certs/wazuh-master.pem","key":"/etc/filebeat/certs/wazuh-master-key.pem"}},"clusterEnabled":true,"clusterName":"wazuh_cluster","clusterNodeName":"wazuh-master"}
2026/07/01 13:19:31 logger-helper[870959] inventoryHarvesterFacade.cpp:29 at initInventoryDeltasSubscription(): DEBUG: InventoryHarvesterFacade::initInventoryDeltasSubscription: Initializing inventory deltas subscription.
2026/07/01 13:19:31 logger-helper[870959] inventoryHarvesterFacade.cpp:68 at initRsyncSubscription(): DEBUG: InventoryHarvesterFacade::initInventoryRsyncSubscription: Initializing inventory rsync subscription.
2026/07/01 13:19:31 logger-helper[870959] inventoryHarvesterFacade.cpp:210 at initSystemEventDispatcher(): DEBUG: InventoryHarvesterFacade::initSystemEventDispatcher: Initializing system event dispatcher.
2026/07/01 13:19:31 logger-helper[870959] systemInventoryOrchestrator.hpp:80 at SystemInventoryOrchestrator(): DEBUG: SystemInventoryOrchestrator constructor
2026/07/01 13:19:31 monitoring[870959] monitoring.hpp:146 at operator()(): DEBUG: Health check failed for 'https://<indexer-IP-03>:9200' - Unauthorized - Check indexer credentials
2026/07/01 13:19:31 monitoring[870959] monitoring.hpp:146 at operator()(): DEBUG: Health check failed for 'https://<indexer-IP-03>:9200' - Unauthorized - Check indexer credentials
2026/07/01 13:19:31 monitoring[870959] monitoring.hpp:146 at operator()(): DEBUG: Health check failed for 'https://<indexer-IP-02>:9200' - Unauthorized - Check indexer credentials
2026/07/01 13:19:31 monitoring[870959] monitoring.hpp:146 at operator()(): DEBUG: Health check failed for 'https://<indexer-IP-02>:9200' - Unauthorized - Check indexer credentials
2026/07/01 13:19:32 monitoring[870959] monitoring.hpp:146 at operator()(): DEBUG: Health check failed for 'https://<indexer-IP-01>:9200' - Unauthorized - Check indexer credentials
2026/07/01 13:19:32 monitoring[870959] monitoring.hpp:146 at operator()(): DEBUG: Health check failed for 'https://<indexer-IP-01>:9200' - Unauthorized - Check indexer credentials

then This agent is managed by Server-01 (worker) 
cat /var/ossec/var/run/wazuh-remoted.state # State file for wazuh-remoted # THIS FILE WILL BE DEPRECATED IN FUTURE VERSIONS # Updated every 5 seconds. # Queue size queue_size='0' # Total queue size total_queue_size='131072' # TCP sessions tcp_sessions='1' # Events sent to Analysisd evt_count='36953' # Control messages received ctrl_msg_count='517' # Discarded messages discarded_count='0' # Total number of bytes sent sent_bytes='49699' # Total number of bytes received recv_bytes='19937012' and wazuh-server-01:~# tail -f /var/ossec/logs/ossec.log 2026/07/01 12:39:13 indexer-connector: WARNING: Failed to sync agent '001': No available server 2026/07/01 12:39:13 indexer-connector: WARNING: Failed to sync agent '001': No available server 2026/07/01 12:49:07 agent_control: ERROR: Wazuh is running in cluster mode: agent_control is not available in worker nodes. Please, try again in the master node: <master-IP>

I tried to fix any missing certificate from worker Servers until filebeat test output is okay
wazuh-server-01:~# filebeat test output elasticsearch: [https://<indexer01>:9200](https://<Indexer01-IP>:9200)... parse url... OK connection... parse host... OK dns lookup... OK addresses: [<indexer01>] dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.2 dial up... OK talk to server... OK version: 7.10.2 elasticsearch: [https://](https:// <Indexer02-IP>  :9200)]... parse url... OK connection... parse host... OK dns lookup... OK addresses: [<indexer02>] dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.2 dial up... OK talk to server... OK version: 7.10.2 elasticsearch: [https://](https:// <Indexer03-IP>  :9200)] parse url... OK connection... parse host... OK dns lookup... OK addresses: [<indexer03>] dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.2 dial up... OK talk to server... OK version: 7.10.2

when i "tail -f /var/ossec/logs/ossec.log" at Server-01
2026/07/01 12:39:13 indexer-connector: WARNING: Failed to sync agent '001': No available server
2026/07/01 12:39:13 indexer-connector: WARNING: Failed to sync agent '001': No available server
2026/07/01 12:49:07 agent_control: ERROR: Wazuh is running in cluster mode: agent_control is not available in worker nodes. Please, try again in the master node: <master-IP> .
2026/07/01 12:54:14 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2026/07/01 12:54:36 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2026/07/01 13:32:57 agent_control: ERROR: Wazuh is running in cluster mode: agent_control is not available in worker nodes  . Please, try again in the master node: <master-IP> .
2026/07/01 13:54:37 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2026/07/01 13:54:59 wazuh-modulesd:syscollector: INFO: Evaluation finished.
2026/07/01 14:55:01 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2026/07/01 14:55:22 wazuh-modulesd:syscollector: INFO: Evaluation finished.

 
  tail -f /var/ossec/logs/ossec.log | grep -i indexer
root@wazuh-server-01:/var/ossec/etc# tail -f /var/ossec/logs/ossec.log
2026/07/01 15:47:01 wazuh-modulesd: WARNING: Could not connect to socket 'queue/cluster/c-internal.sock': Connection refused (111).
2026/07/01 15:47:02 wazuh-modulesd: WARNING: Could not connect to socket 'queue/cluster/c-internal.sock': Connection refused (111).
2026/07/01 15:47:03 wazuh-modulesd: WARNING: Could not connect to socket 'queue/cluster/c-internal.sock': Connection refused (111).
2026/07/01 15:47:04 wazuh-modulesd: WARNING: Could not connect to socket 'queue/cluster/c-internal.sock': Connection refused (111).
2026/07/01 15:47:05 wazuh-modulesd: WARNING: Could not connect to socket 'queue/cluster/c-internal.sock': Connection refused (111).
2026/07/01 15:47:06 rootcheck: INFO: Ending rootcheck scan.
2026/07/01 15:47:06 wazuh-modulesd: WARNING: Could not connect to socket 'queue/cluster/c-internal.sock': Connection refused (111).
2026/07/01 15:47:07 wazuh-modulesd: WARNING: Cluster error detected
2026/07/01 15:47:07 wazuh-modulesd: ERROR: Could not send message through the cluster after '10' attempts.
2026/07/01 15:47:07 wazuh-modulesd:agent-upgrade: ERROR: (8123): There has been an error executing the request in the tasks manager.
here is the Agent ossec.conf

<!--
  Wazuh - Agent - Default configuration for Windows
  More info at: https://documentation.wazuh.com
  Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->

 

<ossec_config>

   <client>

<server>
<address><LoadBalacer-IP></address>
<port>1514</port>
<protocol>tcp</protocol>
</server>
<config-profile>windows, windows10</config-profile>
<crypto_method>aes</crypto_method>
<notify_time>20</notify_time>
<time-reconnect>60</time-reconnect>
<auto_restart>yes</auto_restart>
<enrollment>
<enabled>yes</enabled>
<groups>Endpoints,Testing,Windows</groups>
</enrollment>
</client>

   <!-- Agent buffer options -->

<client_buffer>
<disabled>no</disabled>
<queue_size>5000</queue_size>
<events_per_second>500</events_per_second>
</client_buffer>

   <!-- Log analysis -->

<localfile>
<location>Application</location>
<log_format>eventchannel</log_format>
</localfile>

   <localfile>

<location>Security</location>
<log_format>eventchannel</log_format>
<query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>
</localfile>

   <localfile>

<location>System</location>
<log_format>eventchannel</log_format>
</localfile>

   <localfile>

<location>active-response\active-responses.log</location>
<log_format>syslog</log_format>
</localfile>

   <!-- Policy monitoring -->

<rootcheck>
<disabled>no</disabled>
<windows_apps>./shared/win_applications_rcl.txt</windows_apps>
<windows_malware>./shared/win_malware_rcl.txt</windows_malware>
</rootcheck>

   <!-- Security Configuration Assessment -->

<sca>
<enabled>yes</enabled>
<scan_on_start>yes</scan_on_start>
<interval>12h</interval>
<skip_nfs>yes</skip_nfs>
</sca>

   <!-- File integrity monitoring -->

<syscheck>

     <disabled>no</disabled>

 <!-- Frequency that syscheck is executed default every 12 hours -->

<frequency>43200</frequency>

     <!-- Default files to be monitored. -->

<directories recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$">%WINDIR%</directories>

     <directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$">%WINDIR%\SysNative</directories>

<directories recursion_level="0">%WINDIR%\SysNative\drivers\etc</directories>
<directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\SysNative\wbem</directories>
<directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\SysNative\WindowsPowerShell\v1.0</directories>
<directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\SysNative</directories>

     <!-- 32-bit programs. -->

<directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$">%WINDIR%\System32</directories>
<directories recursion_level="0">%WINDIR%\System32\drivers\etc</directories>
<directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\System32\wbem</directories>
<directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\System32\WindowsPowerShell\v1.0</directories>
<directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\System32</directories>

     <directories realtime="yes">%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup</directories>

     <ignore>%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini</ignore>

     <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

     <!-- Windows registry entries to monitor. -->

<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>

 <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>

<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>

     <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>

<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
<windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
<windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>

     <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>

     <!-- Windows registry entries to ignore. -->

<registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
<registry_ignore type="sregex">\Enum$</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</registry_ignore>
<registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final</registry_ignore>

     <!-- Frequency for ACL checking (seconds) -->

<windows_audit_interval>60</windows_audit_interval>

     <!-- Nice value for Syscheck module -->

<process_priority>10</process_priority>

     <!-- Maximum output throughput -->

<max_eps>50</max_eps>

     <!-- Database synchronization settings -->

<synchronization>
<enabled>yes</enabled>
<interval>5m</interval>
<max_eps>10</max_eps>
</synchronization>
</syscheck>

   <!-- System inventory -->

<wodle name="syscollector">
<disabled>no</disabled>
<interval>1h</interval>
<scan_on_start>yes</scan_on_start>
<hardware>yes</hardware>
<os>yes</os>
<network>yes</network>
<packages>yes</packages>
<ports all="yes">yes</ports>
<processes>yes</processes>
<users>yes</users>
<groups>yes</groups>
<services>yes</services>
<browser_extensions>yes</browser_extensions>

     <!-- Database synchronization settings -->

<synchronization>
<max_eps>10</max_eps>
</synchronization>
</wodle>

   <!-- CIS policies evaluation -->

<wodle name="cis-cat">
<disabled>yes</disabled>
<timeout>1800</timeout>
<interval>1d</interval>
<scan-on-start>yes</scan-on-start>

     <java_path>\\server\jre\bin\java.exe</java_path>

<ciscat_path>C:\cis-cat</ciscat_path>
</wodle>

   <!-- Osquery integration -->

<wodle name="osquery">
<disabled>yes</disabled>
<run_daemon>yes</run_daemon>
<bin_path>C:\Program Files\osquery\osqueryd</bin_path>
<log_path>C:\Program Files\osquery\log\osqueryd.results.log</log_path>
<config_path>C:\Program Files\osquery\osquery.conf</config_path>
<add_labels>yes</add_labels>
</wodle>

   <!-- Active response -->

<active-response>
<disabled>no</disabled>
<ca_store>wpk_root.pem</ca_store>
<ca_verification>yes</ca_verification>
</active-response>

   <!-- Choose between plain or json format (or both) for internal logs -->

<logging>
<log_format>plain</log_format>
</logging>

 </ossec_config>

 <!-- END of Default Configuration. -->

What i am missing here because, everything was good at the build as the documentation and test but now things mess up.

Md. Nazmur Sakib

unread,
Jul 2, 2026, 7:47:13 AM (19 hours ago) Jul 2
to Wazuh | Mailing List
Hi Ahmed, 

Your Google Group issue went to Google's automated spam filter. We were not able to track it. I have marked it as not spam and am looking into it.

Please allow me some time.

Md. Nazmur Sakib

unread,
Jul 2, 2026, 8:34:44 AM (19 hours ago) Jul 2
to Wazuh | Mailing List

You have the agent connected to your manager and sending keep-alive messages, but you do not have logs from the agent in the archive.
Just to confirm, go to the Wazuh dashboard. Go to Agents management > Summary and check if the agents show as active. Deploy new agent button One more thing to consider. Archives must be enabled on ALL 3 server nodes. The agent could be reporting to any of the 3 workers via HAProxy. If you enabled logall_json on only one node, events landing on the other two never get archived. On every server node:

<ossec_config> <global> <logall>yes</logall> <logall_json>yes</logall_json> </global> </ossec_config>

And restart the manager. I think the issue is related to the communication between the agent - LB- manager.

Can you check your agent’s ossec log to see if you can see any errors or warnings?


Linux/Unix /var/ossec/logs/ossec.log


macOS /Library/Ossec/logs/ossec.log


Windows C:\Program Files (x86)\ossec-agent\ossec.log


Also, for testing, can you point one of the agent’s IP directly to the manager node instead of the LB?

This is just to confirm the issue is related to the LB.

<client>

    <server>

        <address>10.0.0.10</address>

        <port>1514</port>

        <protocol>tcp</protocol>

    </server>

Update the IP, save the configuration and restart the agent.

Now try to generate some logs.

If you still do not get any logs in the archive, check the network connection following this doc:
Verifying communication with the Wazuh manager


If you get logs in after pointing directly to the manager, share the LB configuration so that I can review it from my end.

Hide any sensitive information like public IP.

I look forward to your update.

Reply all
Reply to author
Forward
0 new messages