Windows wazuh agent never connected

Oink_oink

May 24, 2022, 7:18:43 AM
to Wazuh mailing list
Hello everyone, I installed Wazuh on an Ubuntu VM using the all-in-one unattended installation for version 4.2.6. So I went on to deploy 2 Wazuh agents, one on an Azure Windows VM (for personal test), which is working fine, and the other on a test server I was given by my company. On doing so I get "never connected" on my Wazuh API. I spoke to the sysadmin about it; he said the server is behind a firewall and he would have to add/change the ports to connection and registration ports 1514 and 1515. Meanwhile, I also told him it's possible I change the default ports to the open ports allowed on the server by the firewall, which I changed from port 1514 to port 80, and yet I have a never connected agent.

I have tried the troubleshooting page 

Yet the test server is still never connected.

Running some commands like the one below isn't running
netstat -vatunp|grep wazuh-agentd
while
/var/ossec/bin/agent_control -lc
lists only an Azure Windows VM as the only active agent.

So, is meeting my sysadmin to add the necessary ports the way to go, or is there another way to do all this, please? And what else can I communicate to the sysadmin that I haven't talked about here?

Damian Nicastro

May 24, 2022, 3:05:55 PM
to Wazuh mailing list
Hi @iamfuntosam:

I hope you are fine.
If you are not able to use the default ports 1515 (for agent auth) and 1514 (for agent communication with the manager), you can change this in the <auth> section and <remote> section of the Wazuh manager config respectively:
# vi /var/ossec/etc/ossec.conf
...
<remote>
  <connection>secure</connection>
  <port>1514</port>
  <protocol>tcp</protocol>
  <queue_size>131072</queue_size>
</remote>

<auth>
  <disabled>no</disabled>
  <port>1515</port>
  <use_source_ip>no</use_source_ip>
  <force_insert>yes</force_insert>
  <force_time>0</force_time>
  <purge>yes</purge>
  <use_password>no</use_password>
  <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
  <!-- <ssl_agent_ca></ssl_agent_ca> -->
  <ssl_verify_host>no</ssl_verify_host>
  <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
  <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
  <ssl_auto_negotiate>no</ssl_auto_negotiate>
</auth>

You should not use any of the reserved ports for typical services, such as port 80 (HTTP service), in order to avoid conflicts with them. Typically all ports from 0 to 1023 are reserved for common TCP/IP applications.
Once you have made this change, you will need to restart the Wazuh manager:
# systemctl restart wazuh-manager

In all the agents, the configuration of the communication port must also be changed:
# vi /var/ossec/etc/ossec.conf
...
<client>
    <server>
      <address>192.168.19.129</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>

...

And the agents must be restarted after that:
# systemctl restart wazuh-agent

Again, be sure that the ports that you have chosen are opened by your Sysadmin and free to be used by agent-manager communication.
I hope this helps.
Thanks
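
Added example, not part of the original thread and not Wazuh project code: a Python check that the port and protocol in an agent's `<client><server>` block match a `<remote>` block on the manager, that flags any configured port in the reserved range 0-1023, and that tests TCP reachability of the manager from the agent host. The sample configs are constructed from the snippets in the reply above, and the function names and the fallback values for omitted elements are assumptions.

```python
import socket
import xml.etree.ElementTree as ET

# Constructed samples modelled on the snippets in the reply above.
MANAGER_CONF = """<ossec_config>
  <remote><port>1514</port><protocol>tcp</protocol></remote>
  <auth><disabled>no</disabled><port>1515</port></auth>
</ossec_config>"""
AGENT_CONF = """<ossec_config>
  <client><server>
    <address>192.168.19.129</address><port>80</port><protocol>tcp</protocol>
  </server></client>
</ossec_config>"""

def _parse(text):
    # ossec.conf may hold several <ossec_config> blocks; wrap them in one root.
    return ET.fromstring("<root>" + text + "</root>")

def check_ports(manager_xml, agent_xml):
    """Compare the agent's <client><server> port with the manager's <remote>/<auth>."""
    mgr, agt = _parse(manager_xml), _parse(agent_xml)
    findings, remotes = [], set()
    # Assumption: an omitted <port>/<protocol> falls back to 1514/1515 and tcp.
    for r in mgr.iter("remote"):
        port = r.findtext("port", "1514").strip()
        for proto in r.findtext("protocol", "tcp").split(","):
            remotes.add((port, proto.strip().lower()))
    ports = {p for p, _ in remotes}
    ports |= {a.findtext("port", "1515").strip() for a in mgr.iter("auth")}
    for srv in agt.findall(".//client/server"):
        pair = (srv.findtext("port", "1514").strip(),
                srv.findtext("protocol", "tcp").strip().lower())
        ports.add(pair[0])
        if pair not in remotes:
            findings.append(f"agent sends to {pair[0]}/{pair[1]}, "
                            f"manager <remote> listens on {sorted(remotes)}")
    for p in sorted(ports, key=int):
        if int(p) < 1024:
            findings.append(f"port {p} is in the reserved range 0-1023")
    return findings

def tcp_reachable(host, port, timeout=3.0):
    """Run on the agent host: True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

An empty list from `check_ports` combined with `tcp_reachable` returning `False` for the manager address points at the firewall rather than at either `ossec.conf`.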
