Restart Agents from Manager

[bhanuprasad]

Hi Team,

Trying to restart Agents from Wazuh-Manager but it seems to be, its not restarting agents.

Tried below command:

/var/ossec/bin/.agent_control -R -a

Is there port needs to be allowed on Agent side for this task? 

And how we can verify that agents were restarted successfully? 

Is it possible to restart Agents for which  status has "Disconnected"?

Thanks in advance. 

[elw...@wazuh.com]

Hello Bhanuprasad,


The Wazuh manager leverage the use of the reporting port 1514 in order to trigger an active response in the agents to restart them, thus the agents must be Active to be able to perform any action against them.

You can use both the Wazuh API  (recommended) and the Binary to restart the agents and verify that from the active response logs of the agent as below :

• Using the Wazuh API : PUT /agents/restart?agents_list=009
  
  
  
  
  [root@Agent2 vagrant]# tail -f /var/ossec/logs/active-responses.log
  Wed Aug 18 09:44:03 UTC 2021 /var/ossec/active-response/bin/restart-ossec.sh add - null (from_the_server) (no_rule_id)
  
   
  
• Using the binary: /var/ossec/bin/agent_control -R -u 009 or /var/ossec/bin/agent_control -R -a
  
  
  
  

You can find more about the Wazuh API reference here: https://documentation.wazuh.com/current/user-manual/api/reference.html#operation/api.controllers.agent_controller.restart_agent


Hope this helps.

Regards,
Wali

[bhanuprasad]

Hi,

Thank you for detailed response. 

Is it possible to restart all agents (Active) in one shot instead of single agent ? 

[elw...@wazuh.com]

Hello,

To restart all the agents via the API, you can use PUT /agents/restart or using the binary with /var/ossec/bin/agent_control -R -a

Hope this helps.

Regards.
Wali