Windows Wazuh agent crashing


Paul Siess

Mar 20, 2019, 4:12:18 PM
to Wazuh mailing list
We are running the Wazuh Windows agent on 8 Windows servers.  Three of them are fileservers with FIM enabled.  The agent service randomly stops on those three servers and the service has to be restarted.  I have logging set to "1" on those three agents and don't see anything in the logs at the time the agent stops.

Has anyone seen this before?

miguel....@wazuh.com

Mar 20, 2019, 5:35:22 PM
to Wazuh mailing list
Hello Paul,

Is there no log in the ossec.log file of the agent?

Could you send the ossec.log file and the ossec.conf of the agent? This way I can check that everything is correct.

In addition, it would be useful if you check if there are errors in the Manager. To do so, you can do the following:

grep -i -E "(error|warning|critical)" /var/ossec/logs/ossec.log

Thank you,

Miguel Casares

Paul Siess

Mar 21, 2019, 6:55:28 AM
to Wazuh mailing list
Here is the output you requested:

2019/03/21 00:31:31 wazuh-modulesd:syscollector: ERROR: Unable to get list of tcp6 opened ports.
2019/03/21 01:31:31 wazuh-modulesd:syscollector: ERROR: Unable to get list of tcp6 opened ports.
2019/03/21 02:31:31 wazuh-modulesd:syscollector: ERROR: Unable to get list of tcp6 opened ports.
2019/03/21 03:31:31 wazuh-modulesd:syscollector: ERROR: Unable to get list of tcp6 opened ports.
2019/03/21 04:31:31 wazuh-modulesd:syscollector: ERROR: Unable to get list of tcp6 opened ports.
2019/03/21 05:31:31 wazuh-modulesd:syscollector: ERROR: Unable to get list of tcp6 opened ports.
2019/03/21 06:31:31 wazuh-modulesd:syscollector: ERROR: Unable to get list of tcp6 opened ports.
2019/03/21 07:31:31 wazuh-modulesd:syscollector: ERROR: Unable to get list of tcp6 opened ports.
2019/03/21 08:31:31 wazuh-modulesd:syscollector: ERROR: Unable to get list of tcp6 opened ports.
2019/03/21 09:31:31 wazuh-modulesd:syscollector: ERROR: Unable to get list of tcp6 opened ports.
2019/03/21 10:31:31 wazuh-modulesd:syscollector: ERROR: Unable to get list of tcp6 opened ports.

I have also attached the ossec.conf file from one of the fileservers.

Because I have debug logging enabled, the log files are very large, and there is a lot of sensitive information.  I don't want to attach the log files here.
Attachment: ossec.conf
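The grep Miguel suggests only lists error lines; when an agent stops without logging anything, what a practitioner actually wants is to know which errors repeat on a schedule (and are therefore probably unrelated, like the hourly syscollector line above) and what the agent logged in the minutes before it died. The script below is an added example written for this thread, not Wazuh project code and not anything Paul or Miguel posted. It assumes the Wazuh 3.x ossec.log line layout `YYYY/MM/DD HH:MM:SS module: LEVEL: message`, and the sample log it parses is constructed here: only the syscollector line reproduces the thread's output, the other lines are made up to show the grouping.

```python
"""Triage a Wazuh agent/manager ossec.log (added example, not Wazuh code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed Wazuh 3.x ossec.log layout: "YYYY/MM/DD HH:MM:SS module: LEVEL: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<module>\S+): (?P<level>[A-Z]+): (?P<msg>.*)$"
)
TS_FMT = "%Y/%m/%d %H:%M:%S"
ERROR_LEVELS = {"ERROR", "WARNING", "CRITICAL"}

# Constructed sample log. Only the syscollector line matches the thread's output;
# the remaining lines are invented to exercise the grouping and the time window.
SAMPLE_LOG = """\
2019/03/21 00:31:31 wazuh-modulesd:syscollector: ERROR: Unable to get list of tcp6 opened ports.
2019/03/21 00:45:00 ossec-agent: INFO: Connected to the server (192.0.2.10:1514).
2019/03/21 01:31:31 wazuh-modulesd:syscollector: ERROR: Unable to get list of tcp6 opened ports.
2019/03/21 02:31:31 wazuh-modulesd:syscollector: ERROR: Unable to get list of tcp6 opened ports.
2019/03/21 02:40:12 ossec-syscheckd: WARNING: Unable to open directory 'D:\\Data\\locked'.
2019/03/21 02:41:02 ossec-syscheckd: DEBUG: Checking file 'D:\\Data\\a.txt'.
"""


def parse(log_text):
    """Return (datetime, module, level, msg) for every well-formed line."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((datetime.strptime(m["ts"], TS_FMT),
                            m["module"], m["level"], m["msg"]))
    return entries


def triage(log_text, levels=ERROR_LEVELS):
    """Group error-level lines by (module, level, message).

    Each group reports count, first/last occurrence and, when every gap between
    occurrences is identical, the period in seconds: a fixed period means the
    error is produced by a scheduled scan, not by the event you are hunting.
    """
    groups = defaultdict(list)
    for ts, module, level, msg in parse(log_text):
        if level in levels:
            groups[(module, level, msg)].append(ts)
    report = []
    for (module, level, msg), stamps in groups.items():
        gaps = {int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])}
        report.append({
            "module": module, "level": level, "msg": msg,
            "count": len(stamps), "first": stamps[0], "last": stamps[-1],
            "period_s": gaps.pop() if len(gaps) == 1 else None,
        })
    report.sort(key=lambda r: r["count"], reverse=True)
    return report


def window_before(log_text, stop_ts, minutes=10):
    """All parsed lines (any level, DEBUG included) in the minutes before the
    service stopped; stop_ts comes from the Windows event log, not from ossec.log."""
    stop = datetime.strptime(stop_ts, TS_FMT)
    start = stop - timedelta(minutes=minutes)
    return [e for e in parse(log_text) if start <= e[0] <= stop]


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f'{r["count"]:4d}  {r["module"]} {r["level"]}: {r["msg"]}'
              f'  (period={r["period_s"]}s, first={r["first"]}, last={r["last"]})')
    for ts, module, level, msg in window_before(SAMPLE_LOG, "2019/03/21 02:45:00"):
        print(f"{ts} {module}: {level}: {msg}")
```

Run it against a real file with `triage(open(path, encoding="utf-8", errors="replace").read())`; the stop timestamp for `window_before` comes from the Service Control Manager event (the "entered the stopped state" event) rather than from ossec.log, since Paul reports the agent logs nothing at the moment it stops. Because debug-level logs carry file paths and hostnames, run this locally rather than sharing the raw log, which is the concern Paul raises.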

Borja Arroba

Mar 21, 2019, 11:56:02 AM
to Paul Siess, Wazuh mailing list

Hi Paul,

We fixed a bug recently that could be related. You can see it here:

https://github.com/wazuh/wazuh/pull/2871

To check if you are being affected, please configure the option check_perm=no and change the whodata option to realtime in the directories tag.

So the agent must keep running and monitoring both drives without Whodata. We have also opened another issue to monitor different units of C with Whodata.

https://github.com/wazuh/wazuh/issues/2883

We are working to release the new version ASAP.

In case this solution is not enough, could you please tell us which version of Wazuh is installed on the Windows servers?

Thank you for the report. Regards.


--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/6ebf6f1a-b0a9-4be2-ab68-169b56514ecf%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
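Borja's workaround is two attribute changes on every `<directories>` entry under `<syscheck>` in the agent's ossec.conf: add `check_perm="no"` and replace `whodata="yes"` with `realtime="yes"`. On a fileserver with several monitored paths it is easy to miss one, so the script below applies the change mechanically and reports what it touched. It is an added example for this thread, not Wazuh project code and not Paul's attached ossec.conf; the sample configuration embedded in it is constructed (two drives, as the reply implies, plus one entry already on realtime) and the path names are invented.

```python
"""Apply the syscheck workaround from the reply above to an ossec.conf
(added example, not Wazuh code; sample config is constructed)."""
import xml.etree.ElementTree as ET

# Constructed Windows-agent syscheck block, not the attachment from the thread.
SAMPLE_CONF = """<ossec_config>
  <syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>
    <directories check_all="yes" whodata="yes">C:\\Shares</directories>
    <directories check_all="yes" whodata="yes" report_changes="no">D:\\Data</directories>
    <directories check_all="yes" realtime="yes">C:\\Windows\\System32\\drivers\\etc</directories>
  </syscheck>
</ossec_config>
"""


def whodata_entries(conf_xml):
    """Paths still monitored with whodata="yes" (the mode the reply says to avoid)."""
    root = ET.fromstring(conf_xml)
    return [d.text for d in root.iter("directories")
            if (d.get("whodata") or "no").lower() == "yes"]


def apply_workaround(conf_xml):
    """Return (rewritten xml, list of changes).

    For every <directories> entry: force check_perm="no" and, where whodata is
    enabled, drop it in favour of realtime="yes". Entries already on realtime
    only gain check_perm="no". Other attributes (check_all, report_changes,
    restrict, ...) are left untouched.
    """
    root = ET.fromstring(conf_xml)
    changes = []
    for d in root.iter("directories"):
        before = dict(d.attrib)
        if (d.get("whodata") or "no").lower() == "yes":
            del d.attrib["whodata"]
            d.set("realtime", "yes")
        d.set("check_perm", "no")
        if d.attrib != before:
            changes.append({"path": d.text, "before": before, "after": dict(d.attrib)})
    return ET.tostring(root, encoding="unicode"), changes


if __name__ == "__main__":
    new_conf, changed = apply_workaround(SAMPLE_CONF)
    for c in changed:
        print(f'{c["path"]}: {c["before"]} -> {c["after"]}')
    print(new_conf)
```

On a Windows agent the file to feed in is ossec.conf in the agent's install directory (by default under C:\Program Files (x86)\ossec-agent); write the output back only after keeping a copy of the original, and restart the Wazuh service afterwards, as Paul does in the next message. The `whodata_entries` check is the quick way to confirm nothing was missed: it should return an empty list once the rewrite is applied. Note that ElementTree drops XML comments, so if your ossec.conf is heavily commented it is safer to use this script to find the entries and edit them by hand.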

Paul Siess

Mar 21, 2019, 12:26:54 PM
to Wazuh mailing list
Thanks Borja.  I have made the changes and restarted the services.  I'll monitor to see if that solved the problem until the fix is released.

I have also changed the service to run as an admin user.  It was running as local system.