agent - never connected


Joe Beiter

Mar 20, 2019, 3:58:29 PM
to Wazuh mailing list
I'm trying to set up a pilot configuration consisting of a
wazuh-manager, wazuh-agent, and wazuh-log, each on a stand alone RH7 server.

Installed the servers as per the wazuh documentation. I couldn't get the
agent registration to work with password or SSL (though I followed the
steps) but was able to manually add it.

They are all on the same subnet, I have the firewall shut down on both
servers. I can telnet to port 1515 from agent->manager but no response
on port 1514 on either system.

Not sure what else to try.


miguel....@wazuh.com

Mar 20, 2019, 5:50:21 PM
to Wazuh mailing list
Hello Joe,

Did you try the simple method of the registration service? The simple method will use the SSL certificate which is generated during the installation process. The certificate and its key will be available at /var/ossec/etc/. With the simple method, you will not need a password.

To register agents using the simple method, follow these steps:

1. In the manager, start the registration service (if you are using version 3.7.x or higher it will not be necessary since the registration service is already started): 

# /var/ossec/bin/ossec-authd

1.1. In the manager, check the registration service:

ps uax | grep authd

2. In the agents, run the agent-authd program, using the manager's IP address:

a) For Linux systems:

# /var/ossec/bin/agent-auth -m <MANAGER_IP_ADDRESS>

b) For Windows systems:

Run the commands with root/administration permissions.

Regarding the telnet questions, if you have configured the port 1514 UDP, telnet command will not work because telnet does not work with UDP. You can try Netcat instead.

The port 1514 is used for the communication of the Agents and the manager and the port 1515 is used during the registration process. More info: Wazuh ports


I hope it helps. Do not hesitate to contact us if you have further questions.

Regards,

Miguel Casares

Joe Beiter

Mar 26, 2019, 9:27:10 AM
to Wazuh mailing list
When I list available agents on the manager, should it show itself as
running on the localhost address or should it be its Ethernet
address? Or doesn't it matter?

I just added my wazuhtest-log server, it also says "never connected"
under list of available agents.

authd is running on the manager server and when I run the registration
with agent-auth, it seems to work:

INFO: No authentication password provided.
INFO: Connected to 192.168.17.185:1515.
INFO: Send request to manager,. Waiting for reply.
INFO: Received response with agent key.
INFO: Valid key created. Finished.
INFO: Connection closed.

Also tried restarting wazuh-agent but when I look on the manager:
/var/ossec/bin/agent_control -l

Wazuh agent_control. List of available agents:
ID: 000, Name: wazuhtest-server (server), IP: 127.0.0.1, Active/Local
ID: 003, Name: wazuhtest-agent, IP 192.168.17.187, Never connected

Sergio Peral

Mar 26, 2019, 10:46:43 AM
to Wazuh mailing list
Hi JoeB,

Have you set the <use_password> flag to yes? If you haven't:

1) Connect to your manager.
2) Open the ossec.conf file.
3) Look for the following paragraph and make sure you have the <use_password> field enabled:

  <!-- Configuration for ossec-authd -->
  <auth>
    <use_password>yes</use_password>
  </auth>

4) Restart your wazuh-manager:

# systemctl restart wazuh-manager

5) Try the registration service again, with password authorization.

Please inform us with your results.

Best regards,
Sergio.

Joe Beiter

Mar 26, 2019, 11:28:41 AM
to Sergio Peral, Wazuh mailing list
Thank you for the reply Sergio. That did not work, but in searching
the internet for that symptom I came across this suggestion:

# /var/ossec/bin/ossec-control stop
# rm -rf /var/ossec/queue/rids/*
# /var/ossec/bin/ossec-control start

Run on the server and then on the agent systems that were not connecting; they then connected.

miguel....@wazuh.com

Apr 3, 2019, 3:11:47 PM
to Wazuh mailing list
Hello JoeB,

Did you find a solution to the issue? Do you have your agents connected now? 

Without more information or the logs of the manager, we are not able to know what happened in your environment. If after removing the queue/rids and restarting the manager your agents connect again, it was probably a problem with ossec-remoted, the daemon which is responsible for receiving data from agents.

If you have any other question, please do not hesitate to contact us. Likewise, if your problem happens again please let us know and we will investigate the cause.

Regards,

Miguel Casares

Miguel Casares

Apr 3, 2019, 3:21:17 PM
to Joe Beiter, Wazuh mailing list
Hello Joe,

I am happy to hear your issue was resolved.

Let us know if you have any other question.

Regards,

Miguel Casares

On Wed, Apr 3, 2019 at 12:14 PM Joe Beiter <joe.b...@gmail.com> wrote:

Hi Miguel,

Yes the solution below did resolve it. The test servers have remained connected. Thank you for the follow up.


Gopal Dhapa

Aug 9, 2019, 1:08:58 PM
to Wazuh mailing list
After configuring the Wazuh agent on Windows 7, when I check in Kibana > Wazuh I get an agent never connected error.

Other Linux clients are working okay, but the Windows client gives agent never connected.

Please help. Thanks in advance.


Thank You
Gopal Dhapa

Javier Escobar

Aug 12, 2019, 2:01:06 PM
to Wazuh mailing list
Hi Gopal,

If the manager shows an agent as 'Never connected', it means the registration process was successful but the agent is not reporting. For an agent to report to the manager, it needs to specify the manager IP/DNS in its configuration file.
Windows agent config location: C:\Program Files x86\ossec-agent\ossec.conf
Linux agent config location: /var/ossec/etc/ossec.conf

The config block that specifies the manager IP/DNS looks like this:
<client>
  <server>
    <address>MANAGER_IP_OR_DNS</address>
  </server>
  ...
</client>
After that, it is necessary to restart the agent.

To test a connection issue between manager and agent we can use several tools like ping, telnet, tcpdump, etc. For example:
tcpdump -i any src 172.16.1.5 and dst port 1514

In the manager this command shows the packages that the agent is sending to the manager through port 1514.

Also we can make sure that the registered keys are the same in both machines. These keys are crucial for the manager-agent communication.
Windows location: C:\Program Files (x86)\client.keys
Linux location: /var/ossec/etc/client.keys

I hope it helps. Reach us if you need anything.

Regards, 
Javier
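
The checks described in the reply above (manager address in ossec.conf, traffic on port 1514, matching client.keys), combined with the earlier point in the thread that port 1514 may be UDP, as an added shell example that is not part of the original thread or of Wazuh's own tooling. The function names and sample file contents are constructed here, and the client.keys layout of ID, name, IP and key on one line is an assumption.

```shell
#!/bin/sh
# Added example: offline triage for an agent listed as "Never connected".
# All file contents are constructed samples; the key strings are fake.

# Manager address the agent reports to (<client><server><address>).
manager_address() {
    sed -n 's:.*<address>\(.*\)</address>.*:\1:p' "$1" | head -n 1
}

# Transport in the manager's <remote> block, or "unset" if not configured.
remote_protocol() {
    p=$(sed -n 's:.*<protocol>\(.*\)</protocol>.*:\1:p' "$1" | head -n 1)
    echo "${p:-unset}"
}

# Manager-side tcpdump filter, as in the post but pinned to the transport.
capture_filter() {   # $1 = agent IP, $2 = udp|tcp
    echo "src $1 and $2 dst port 1514"
}

# SHA-256 of one agent's client.keys line (assumed fields: ID NAME IP KEY),
# so both copies can be compared without displaying the key itself.
# Carriage returns are stripped because a Windows copy may use CRLF.
key_fingerprint() {  # $1 = client.keys path, $2 = agent ID
    entry=$(tr -d '\r' < "$1" | awk -v id="$2" '($1 "") == (id "") { print $1, $2, $3, $4 }')
    [ -n "$entry" ] || return 1      # agent ID not present in this file
    printf '%s\n' "$entry" | sha256sum | cut -d ' ' -f 1
}

keys_match() {  # agent copy, manager copy, ID -> 0 same, 1 differ, 2 missing
    a=$(key_fingerprint "$1" "$3") || return 2
    m=$(key_fingerprint "$2" "$3") || return 2
    [ "$a" = "$m" ]
}

# Constructed sample files (hosts from the thread, fake key material).
make_samples() {     # $1 = scratch directory
    printf '<client>\n  <server>\n    <address>192.168.17.185</address>\n  </server>\n</client>\n' > "$1/agent-ossec.conf"
    printf '<remote>\n  <port>1514</port>\n  <protocol>udp</protocol>\n</remote>\n' > "$1/manager-ossec.conf"
    printf '003 wazuhtest-agent 192.168.17.187 0123abcd\n' > "$1/manager.keys"
    printf '003 wazuhtest-agent 192.168.17.187 0123abcd\r\n' > "$1/agent.keys"
    printf '003 wazuhtest-agent 192.168.17.187 ffff0000\n' > "$1/stale.keys"
}

d=$(mktemp -d) && make_samples "$d"
echo "agent reports to: $(manager_address "$d/agent-ossec.conf")"
echo "capture with:     tcpdump -i any $(capture_filter 192.168.17.187 "$(remote_protocol "$d/manager-ossec.conf")")"
keys_match "$d/agent.keys" "$d/stale.keys" 003 || echo "client.keys mismatch for agent 003 (status $?)"
rm -rf "$d"
```

On real hosts, run key_fingerprint against the client.keys file on each machine and compare the two hashes, which avoids pasting the key itself into a terminal log or ticket.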

satash rampersad

Aug 31, 2025, 1:53:47 PM
to Wazuh | Mailing List
Good day Folks,

I am having the same issue with my Wazuh agents.

I am using an Azure free account, where I set up a virtual Ubuntu server to set up my Wazuh server. I also created a Windows virtual machine where I installed the agent. I got the agent to register to the Wazuh server and changed firewall rules to allow inbound and outbound port 1514 and 1415, and I am still not able to get my agent to send traffic. I was trying Joe's approach but the commands are not found when I entered them into my terminal. Any assistance is greatly appreciated.