which IP it is actually using to communicate with the manager


Ricardo Barros

Feb 10, 2026, 12:49:31 AM
to Wazuh | Mailing List
Hello everyone,

I have a Wazuh environment with around 10,000 agents and the manager is behind a Load Balancer.

Over time, some agents were mistakenly configured to connect directly to the Wazuh manager IP instead of the Load Balancer address.
Now I need to generate a report that shows, for each agent, which IP it is actually using to communicate with the manager.

My goal is to have something like:

Agent ID

Agent name

IP address used to connect (Load Balancer vs direct manager IP)

What is the recommended way to extract this information at scale?

Is there any built-in or documented method to generate this kind of report?

Any best practices or official documentation references would be very helpful.

Thank you in advance.

Md. Nazmur Sakib

Feb 10, 2026, 2:23:30 AM
to Wazuh | Mailing List

Hello,

I did some tests and found out that it is not going to be easy to get the information as you are expecting.


By default, when the manager authenticates the agent, it records the source IP (endpoint IP) because of this configuration: <use_source_ip>no</use_source_ip>

<auth>
  <disabled>no</disabled>
  <port>1515</port>
  <use_source_ip>no</use_source_ip>
  <!-- ... remaining auth settings omitted ... -->
</auth>

As the manager does not have a record of the load balancer IP, you will not be able to get the information you are looking for from the manager.

One option is to check from the agent side.

For this, you need to restart the agent/manager to reset the connection and check the agent’s ossec.log:

cat /var/ossec/logs/ossec.log | grep "Connected to the server"

You will see something like this.
2026/02/10 07:03:53 wazuh-agentd: INFO: (4102): Connected to the server ([192.168.159.130]:1514/tcp).

You will find the IP address that the agent is pointing to (directly to the manager or the load balancer).

Another option can be checking the load balancer log.

I have tested in the nginx load balancer.

I have added this configuration to the load balancer configuration to store the stream access log.

stream {
   # --- ADDED: Define a log format for TCP traffic ---
   log_format basic '$remote_addr [$time_local] '
                    '$protocol $status $bytes_sent $bytes_received '
                    '$session_time "$upstream_addr"';

   # --- ADDED: Specify where the stream IPs will be logged ---
   access_log /var/log/nginx/stream_access.log basic;

   upstream master {
      # ... existing upstream servers omitted ...
   }

   # ... existing server block omitted ...
}

After adding this, I have restarted the manager service to reset the connection and I can see the agents connecting over the load balancer.


tail /var/log/nginx/stream_access.log 


192.168.159.129 [10/Feb/2026:07:03:43 +0000] TCP 502 0 0 0.001 "192.168.159.130:1514"

192.168.159.1 [10/Feb/2026:07:03:43 +0000] TCP 502 0 0 0.001 "192.168.159.130:1514"

Now you can compare these IPs from the agent's Dashboard to find out the agent name and agent ID.
Let me know if this works for you.
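
As an added example (not part of the thread and not Wazuh's own tooling): one way to turn the stream access log above into the per-agent report the question asks for, by joining the logged client IPs with an agent inventory. The CSV layout (id, name, ip), the function names and the sample data are assumptions constructed for illustration.

```python
import csv
import io
import re
from collections import Counter

# Mirrors the post's "basic" stream log_format: client [time] proto status sent rcvd session "upstream"
LINE_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<time>[^\]]+)\] (?P<proto>\S+) (?P<status>\d+) '
    r'(?P<sent>\d+) (?P<received>\d+) (?P<session>[\d.]+) "(?P<upstream>[^"]*)"$'
)

def lb_clients(log_text):
    """Client IPs that opened a session through the load balancer (any status)."""
    matches = (LINE_RE.match(line.strip()) for line in log_text.splitlines())
    return {m.group("client") for m in matches if m}

def classify(inventory_csv, log_text):
    """Join the agent inventory (id,name,ip) with the LB clients; return report rows."""
    seen = lb_clients(log_text)
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))
    per_ip = Counter(r["ip"] for r in rows)
    report = []
    for r in rows:
        if r["ip"] in ("", "any") or per_ip[r["ip"]] > 1:
            path = "undetermined"  # unknown or shared (NAT) address: one log IP cannot identify one agent
        elif r["ip"] in seen:
            path = "load balancer"
        else:
            path = "not seen on load balancer"  # candidate for a direct manager connection
        report.append((r["id"], r["name"], r["ip"], path))
    return report

# Constructed sample data (hypothetical agents and addresses, not from the thread).
SAMPLE_LOG = """\
192.0.2.11 [10/Feb/2026:07:03:43 +0000] TCP 200 1532 2210 60.004 "192.0.2.130:1514"
192.0.2.12 [10/Feb/2026:07:03:44 +0000] TCP 502 0 0 0.001 "192.0.2.130:1514"
"""
SAMPLE_INVENTORY = """\
id,name,ip
001,web-01,192.0.2.11
002,web-02,192.0.2.12
003,db-01,192.0.2.13
004,nat-a,192.0.2.50
005,nat-b,192.0.2.50
"""

if __name__ == "__main__":
    for row in classify(SAMPLE_INVENTORY, SAMPLE_LOG):
        print(",".join(row))
```

An agent only appears in the log after it reconnects, so "not seen on load balancer" is meaningful only for a log window that covers a connection reset such as the manager restart described above.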
