Wazuh Agent Error
444 views
Skip to first unread message
Bongani Buthelezi
Sep 11, 2023, 2:48:57 AM9/11/23
to Wazuh | Mailing List
Hi Team,
Please can you assist with the logcollector error below from my agent logs. I can't seem to collect any files from my agent with a specified path in Linux, but it was working previously. I'm currently on version 4.5.0.
wazuh-agentd: ERROR: At req_push(): Target 'logcollector' refused connection. The component might be disabled.
Portal error:
Miguel Verdaguer Velazquez
Sep 11, 2023, 3:29:32 AM9/11/23
to Wazuh | Mailing List
Hi Bongani,
From the dashboard error, it is a problem reading the configuration. I understand the rest of the agent starts correctly. Has there been any changes in configuration or the operating system since it worked? Please send me all the configurations you have in the internal configuration for the Logcollector, you can see them here. You may also enable the log collector to debug using that same documentation to check if we can get more info on the problem.
Best regards from Wazuh,
Miguel
Bongani Buthelezi
Sep 11, 2023, 3:47:00 AM9/11/23
to Miguel Verdaguer Velazquez, Wazuh | Mailing List
Hi Miguel,
There has not been any changes as yet on the os or configuration file. I have enabled the debugging now to investuigate further. Attached is the internal configuration file as requested.
My current config on agent.config:
<agent_config>
<localfile>
<log_format>multi-line-regex</log_format>
<location>/home/gef/test_bb/gef-r-TEST-FILE-SCAN-1.0.log</location>
<multiline_regex replace="wspace" match="start">^\[GEF DEBUG\]|\[GEF CRITICAL\]|\[GEF INFO\]|\[GEF ERROR\]|\[GEF WARNING\]|\[GEF DATA\]</multiline_regex>
</localfile>
</agent_config>
<agent_config>
<localfile>
<log_format>multi-line-regex</log_format>
<location>/home/gef/test_bb/gef-r-TEST-FILE-SCAN-1.0.log</location>
<multiline_regex replace="wspace" match="start">^\[GEF DEBUG\]|\[GEF CRITICAL\]|\[GEF INFO\]|\[GEF ERROR\]|\[GEF WARNING\]|\[GEF DATA\]</multiline_regex>
</localfile>
</agent_config>
Thanks for your assistance.
--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/arA_XcLO998/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/623b0eda-c26a-4dcb-b51c-4823bb824e9bn%40googlegroups.com.
Bongani Buthelezi
Sep 11, 2023, 4:07:47 AM9/11/23
to Wazuh | Mailing List
Errors after enabling debugging can be seen below.
2023/09/11 10:02:04 wazuh-logcollector[8590] debug_op.c:70 at _log(): DEBUG: Logging module auto-initialized
2023/09/11 10:02:04 wazuh-logcollector[8590] main.c:126 at main(): DEBUG: Wazuh home directory: /var/ossec
2023/09/11 10:02:04 wazuh-logcollector[8590] agent_op.c:219 at os_read_agent_profile(): DEBUG: Calling os_read_agent_profile().
2023/09/11 10:02:04 wazuh-logcollector[8590] agent_op.c:238 at os_read_agent_profile(): DEBUG: os_read_agent_profile() = [centos, centos7, centos7.8]
2023/09/11 10:02:04 wazuh-logcollector[8590] config.c:424 at ReadConfig(): DEBUG: agent_config element does not have any attributes.
2023/09/11 10:02:04 wazuh-logcollector[8590] agent_op.c:219 at os_read_agent_profile(): DEBUG: Calling os_read_agent_profile().
2023/09/11 10:02:04 wazuh-logcollector[8590] agent_op.c:238 at os_read_agent_profile(): DEBUG: os_read_agent_profile() = [centos, centos7, centos7.8]
2023/09/11 10:02:04 wazuh-logcollector[8590] config.c:424 at ReadConfig(): DEBUG: agent_config element does not have any attributes.
2023/09/11 10:02:04 wazuh-logcollector[8590] mq_op.c:52 at StartMQWithSpecificOwnerAndPerms(): DEBUG: Connected succesfully to 'queue/sockets/queue' after 0 attempts
2023/09/11 10:02:04 wazuh-logcollector[8590] mq_op.c:53 at StartMQWithSpecificOwnerAndPerms(): DEBUG: (unix_domain) Maximum send buffer set to: '212992'
2023/09/11 10:02:04 wazuh-logcollector[8590] debug_op.c:70 at _log(): DEBUG: Logging module auto-initialized
2023/09/11 10:02:04 wazuh-logcollector[8590] main.c:126 at main(): DEBUG: Wazuh home directory: /var/ossec
2023/09/11 10:02:04 wazuh-logcollector[8590] agent_op.c:219 at os_read_agent_profile(): DEBUG: Calling os_read_agent_profile().
2023/09/11 10:02:04 wazuh-logcollector[8590] agent_op.c:238 at os_read_agent_profile(): DEBUG: os_read_agent_profile() = [centos, centos7, centos7.8]
2023/09/11 10:02:04 wazuh-logcollector[8590] config.c:424 at ReadConfig(): DEBUG: agent_config element does not have any attributes.
2023/09/11 10:02:04 wazuh-logcollector[8590] agent_op.c:219 at os_read_agent_profile(): DEBUG: Calling os_read_agent_profile().
2023/09/11 10:02:04 wazuh-logcollector[8590] agent_op.c:238 at os_read_agent_profile(): DEBUG: os_read_agent_profile() = [centos, centos7, centos7.8]
2023/09/11 10:02:04 wazuh-logcollector[8590] config.c:424 at ReadConfig(): DEBUG: agent_config element does not have any attributes.
2023/09/11 10:02:04 wazuh-logcollector[8590] mq_op.c:52 at StartMQWithSpecificOwnerAndPerms(): DEBUG: Connected succesfully to 'queue/sockets/queue' after 0 attempts
2023/09/11 10:02:04 wazuh-logcollector[8590] mq_op.c:53 at StartMQWithSpecificOwnerAndPerms(): DEBUG: (unix_domain) Maximum send buffer set to: '212992'
Miguel Verdaguer Velazquez
Sep 11, 2023, 4:31:16 AM9/11/23
to Wazuh | Mailing List
Hi Bongani,
It seems now clear the problem is with the shared configuration you have defined in `agent.conf`, for which the documentation is this. To check it you can run `/var/ossec/bin/verify-agent-conf`. Send me the output of this command and tell me the path on which you have placed the file, I am not seeing the exact error in the file, `agent_config` is supposed to work even if you don't specify name, os or profile.
Bongani Buthelezi
Sep 11, 2023, 4:45:51 AM9/11/23
to Miguel Verdaguer Velazquez, Wazuh | Mailing List
The results from after running '' is per below.
2023/09/11 10:39:01 verify-agent-conf: WARNING: The 'hotfixes' option is only available on Windows systems. Ignoring it.
verify-agent-conf: OK
verify-agent-conf: Verifying [etc/shared/Linux/agent.conf]
verify-agent-conf: OK
verify-agent-conf: Verifying [etc/shared/Windows/agent.conf]
verify-agent-conf: OK
verify-agent-conf: Verifying [etc/shared/MacOS/agent.conf]
verify-agent-conf: OK
verify-agent-conf: Verifying [etc/shared/OPNSense/agent.conf]
verify-agent-conf: OK
verify-agent-conf: Verifying [etc/shared/Apache-Servers/agent.conf]
verify-agent-conf: OK
verify-agent-conf: Verifying [etc/shared/Orcha/agent.conf]
verify-agent-conf: OK
2023/09/11 10:39:01 verify-agent-conf: WARNING: The 'hotfixes' option is only available on Windows systems. Ignoring it.
verify-agent-conf: OK
verify-agent-conf: Verifying [etc/shared/Linux/agent.conf]
verify-agent-conf: OK
verify-agent-conf: Verifying [etc/shared/Windows/agent.conf]
verify-agent-conf: OK
verify-agent-conf: Verifying [etc/shared/MacOS/agent.conf]
verify-agent-conf: OK
verify-agent-conf: Verifying [etc/shared/OPNSense/agent.conf]
verify-agent-conf: OK
verify-agent-conf: Verifying [etc/shared/Apache-Servers/agent.conf]
verify-agent-conf: OK
verify-agent-conf: Verifying [etc/shared/Orcha/agent.conf]
verify-agent-conf: OK
The file path for agent.config is '/var/ossec/etc/shared/agent.conf'
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/121b5e13-29ee-4f85-95df-98a021f2c813n%40googlegroups.com.
Miguel Verdaguer Velazquez
Sep 11, 2023, 5:35:05 AM9/11/23
to Wazuh | Mailing List
With this new information, it seems the configuration is correct, so the problem may be the agent is not receiving it correctly. Please restart both agent and manager to force the pushing of the configuration to the agent and let's see if it changes something.
Best regards,
Miguel
Bongani Buthelezi
Sep 11, 2023, 6:16:58 AM9/11/23
to Miguel Verdaguer Velazquez, Wazuh | Mailing List
No luck after restart the manager and agent. Still getting the same error. I will contine investiagting and update if I get lucky.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/6da49a11-7b19-4b62-a3d2-12527f85003bn%40googlegroups.com.
Miguel Verdaguer Velazquez
Sep 13, 2023, 3:43:45 AM9/13/23
to Wazuh | Mailing List
Hi Bongani,
I have been investigating and apparently, the agent configuration element `agent_config` must have an attribute, as per the documentation https://documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html#agent-conf.
An example of attributes could be:
<agent_config name = ”agent01”>
...
<agent_config os = "Linux">
...
<agent_config profile = "UnixHost">
...
Best regards, I hope it helps,
Miguel
Bongani Buthelezi
Sep 13, 2023, 4:13:26 AM9/13/23
to Wazuh | Mailing List
I ended up re-deploying the agent and everything started to work again not quite sure what was causing the issue to be honest.
Miguel Verdaguer Velazquez
Sep 14, 2023, 2:53:51 AM9/14/23
to Wazuh | Mailing List
Hi Bongani,
Sorry I couldn't help more, but we're happy you finally got it to work, any other problem feel free to ask on the Google group or on the Slack channel.
Best regards from Wazuh
Reply all
Reply to author
Forward
0 new messages