Wazuh v4.8.0 - Agent is not being enrolled

[Gangadhar Bharadwaj K]

Hi Team,

I'm using the wazuh all-in-one OVA in VMware Workstation Pro, this acts as my wazuh manager and I've installed agents in my own host machine and test server that is the same network.

For host machine the agent is able to connect and show up in dashboard but when i install it in the test server (Ubuntu Server 24.04) the agent is no where to be found. The agent is healthy and running properly on the server, the firewall is disabled and ports 1514/1515 is allowed. 

The OVA IP is 192.168.72.161 and the agent is on IP: 10.6.128.26, they're able to ping back and forth as per the screenshot

But, the output of nc -zv 192.168.72.161 1514 1515 is comin up as failed connection refused. Finally when i check logs i'm seeing the following error:

2024/07/03 21:14:39 wazuh-agentd: INFO: Requesting a key from server: 192.168.72.161
2024/07/03 21:14:39 wazuh-agentd: ERROR: (1208): Unable to connect to enrollment service at '[192.168.72.161]:1515'

Kindly help out!

[Olusegun Adenrele Oyebo]

Hello Gangadhar,

From the error, the agent is unable to reach the Wazuh manager on enrollment TCP port 1515.

Try to ensure that the agent has network conectivity to the Wazuh server by doing a ping and telnet from the endpoint where the Wazuh agent is installed and also, ensure that there's no firewall restriction between the Wazuh agent and manager e.g.

• ping192.168.72.161

• telnet192.168.72.1611515

Check that the Wazuh manager service is running, and it's listening on port 1515 by running the below command on the Wazuh server (reference):

• ss -tulpn | grep 1515

Also, confirm that you inputted the correct IP address of the Wazuh manager on the agent'sossec.conf file.

You can also check the Wazuh server logs for additional error entries to further troubleshoot the issue: cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"

I also noticed that the Wazuh manager and agent IP seem to be different subnets (192.168.72.x and 10.6.128.x respectively). Kindly verify and ensure that there are no network or routing restrictions between them.

I hope this helps. If you have any other query, do not hesitate to ask.

Best regards.

[Gangadhar Bharadwaj K]

Hi Oyebo,

Thanks a lot for the response, as i mentioned in the earlier mail I'm able to ping the wazuh manager and the manager is able to ping my local server (please check the attachment). But when i perform a telnet on port 1515 it's throwing a connection refused error. There's no firewall on the agent side and on the host machine everything is open, also as test i've installed an agent on the host and it's showing up in the dashboard.

I've checked the ossec.conf file as well and i can see the right manager IP (192.168.72.161) inside the file. 

When performed this command, i can see the port is listening on the wazuh manager  

• ss -tulpn | grep 1515

Regarding the subnets, I'm running OVA in NAT instead of bridged maybe it's the cause of the issue. I've seen configuration videos where they recommended to put the network in bridged but when i do it I'm not seeing the IP at all. 

Kindly respond as soon as possible, we are trying to deploy wazuh in our client environment as early as possible but this issue is hindering us from going forth with the plan.

Regards,

[Olusegun Adenrele Oyebo]

Hello Gangadhar,The issue you're having is with the NAT. When configured in NAT, NAT only translates IP addresses and ports of its internal hosts meaning it does not allow connection if other devices are not on the same physical network and this is the reason why you're not seeing your network config while configured on Bridge.To resolve the issue, you need to configure it on Bridge communication and check the network adapter configuration on the host machine for your VM.For example in my lab which is also running on VMware workstation pro, I use NAT configuration too which I have configured with subnet 192.168.227.0/24 (screenshots attached) and an IP address has to be assigned to my Wazuh VM which is a OVA file within that IP range (i.e. 192.168.227.133) and my test endpoint which has the agent installed is assigned 192.168.227.2 and it's connecting fine and registered on the dashboard (screenshot attached).I hope this helps. If you have any other query, do not hesitate to ask.

Best regards.

[Gangadhar Bharadwaj K]

Hi Oyebo,

Thanks for the suggestion, please check my setup within NAT setting in the attached screenshot. It's also enabled in the similar also i have port forwarding included.

Regards,

[Olusegun Adenrele Oyebo]

Hello Gangadhar,

I assume that your Wazuh node IP is 192.168.72.163, if that is the case, your configuration seems to be okay.

 You can also take a look at the below links which could be helpful too:

• https://www.virten.net/2013/03/how-to-setup-port-forwarding-in-vmware-workstation-9/
  
• https://mahim-firoj.medium.com/how-to-enable-port-forwarding-from-host-machine-to-virtual-machine-so-that-you-can-access-the-nat-cb441bfce9e1
  

Best regards.