Hello Spartan,
Best way to do this is to filter from the Discover dashboard using the agent ID and set the time to reflect what you need. You can check the attached for reference.
The second option is to go through the Indexer management DevTools and run the sample queries below to detect the agent's last connected time and agents actively sending logs with the filtered time.
GET /wazuh-alerts-*/_search
{
  "size": 0,
  "query": {
    "range": {
      "@timestamp": {
        "gte": "now-24h"
      }
    }
  },
  "aggs": {
    "active_agents": {
      "terms": {
        "field": "agent.id",
        "size": 10000
      }
    }
  }
}

and

GET wazuh-alerts-*/_search
{
  "size": 0,
  "aggs": {
    "agents": {
      "terms": {
        "field": "agent.name",
        "size": 1000
      },
      "aggs": {
        "last_seen": {
          "max": {
            "field": "@timestamp"
          }
        }
      }
    }
  }
}

Please check the attached image for references.
One key point to also highlight is that wazuh-alerts-* only contains triggered alerts; agents may be sending logs that do not match any rule, and those logs are archived instead, so you may need to check /var/ossec/logs/archives/archives.json (if enabled) and filter for the agent ID there too.
Please let me know if you require further clarification on this.
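As an added example that is not part of the reply above or of Wazuh itself: the script below builds the same two aggregation queries, parses the terms/max aggregation response the indexer returns for the second query into a last-seen table, and applies the archives.json caveat by scanning newline-delimited archive events for the newest timestamp per agent ID. The sample response and archive lines are constructed for the example; the field names (`agent.id`, `agent.name`, `@timestamp` in the index, `timestamp` and `agent.id` in archives.json) are the ones the reply refers to, and the fixed `NOW` value is an assumption so the result is reproducible offline.

```python
"""Added example (not from the original reply): build the agent last-seen
queries, parse an indexer aggregation response, and cross-check archives.json.
All sample data below is constructed."""
import json
from datetime import datetime, timedelta, timezone


def active_agents_query(window="now-24h", size=10000):
    """First query from the reply: distinct agent IDs with an alert in the window."""
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {"gte": window}}},
        "aggs": {"active_agents": {"terms": {"field": "agent.id", "size": size}}},
    }


def last_seen_query(size=1000):
    """Second query from the reply: newest alert timestamp per agent name."""
    return {
        "size": 0,
        "aggs": {"agents": {
            "terms": {"field": "agent.name", "size": size},
            "aggs": {"last_seen": {"max": {"field": "@timestamp"}}},
        }},
    }


def parse_ts(value):
    """Parse the timestamp styles seen here: '...000Z' (indexer) and
    '...123+0000' (archives.json). Both are normalised so that
    datetime.fromisoformat accepts them on any Python 3.x."""
    v = value.strip()
    if v.endswith("Z"):
        v = v[:-1] + "+00:00"
    if len(v) >= 5 and v[-5] in "+-" and v[-3] != ":" and v[-4:].isdigit():
        v = v[:-2] + ":" + v[-2:]          # "+0000" -> "+00:00"
    return datetime.fromisoformat(v)


def parse_last_seen(response):
    """Turn the terms+max aggregation response into {agent_name: datetime}."""
    out = {}
    for bucket in response["aggregations"]["agents"]["buckets"]:
        value = bucket["last_seen"].get("value_as_string")
        if value is None:                   # bucket with no timestamp values
            continue
        out[bucket["key"]] = parse_ts(value)
    return out


def last_seen_from_archives(lines):
    """archives.json holds one JSON event per line; keep the newest
    timestamp per agent ID. Truncated lines (file still being written)
    are skipped rather than aborting the scan."""
    seen = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        agent_id = event.get("agent", {}).get("id")
        ts = event.get("timestamp")
        if not agent_id or not ts:
            continue
        when = parse_ts(ts)
        if agent_id not in seen or when > seen[agent_id]:
            seen[agent_id] = when
    return seen


def active_within(last_seen, hours, now=None):
    """Agents whose last-seen time falls inside the last `hours` hours."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(hours=hours)
    return sorted(agent for agent, when in last_seen.items() if when >= cutoff)


# Constructed sample response, shaped like the indexer's terms/max aggregation output.
SAMPLE_RESPONSE = {"aggregations": {"agents": {"buckets": [
    {"key": "web-01", "doc_count": 42,
     "last_seen": {"value": 1714557600000.0, "value_as_string": "2024-05-01T10:00:00.000Z"}},
    {"key": "db-02", "doc_count": 3,
     "last_seen": {"value": 1714293000000.0, "value_as_string": "2024-04-28T08:30:00.000Z"}},
]}}}

# Constructed archives.json lines; the last one is deliberately truncated.
SAMPLE_ARCHIVE_LINES = [
    '{"timestamp":"2024-05-01T11:15:00.123+0000","agent":{"id":"003","name":"dev-03"},"full_log":"x"}',
    '{"timestamp":"2024-05-01T09:00:00.000+0000","agent":{"id":"003","name":"dev-03"},"full_log":"y"}',
    '{"timestamp":"2024-04-30T23:59:59.000+0000","agent":{"id":"001","name":"web-01"},"full_log":"z"}',
    '{"timestamp":"2024-05-01T11:',
]

# Assumed fixed "now" so the example gives the same answer every run.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(json.dumps(active_agents_query(), indent=2))
    print("alerts   :", active_within(parse_last_seen(SAMPLE_RESPONSE), 24, NOW))
    print("archives :", active_within(last_seen_from_archives(SAMPLE_ARCHIVE_LINES), 24, NOW))
```

The two result sets are intentionally kept separate: an agent that appears only in the archives scan is one that was shipping logs without matching any rule, which is exactly the case the alerts index cannot show you.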