Windows Agent Restarts every hour ±15 minutes round the clock - is it "normal" behavior?

InfoSec

Apr 27, 2018, 4:24:23 AM
to Wazuh mailing list
Every hour ±15 minutes, round the clock, I can see rule ID 503 triggering from a Windows agent. No agent-disconnected rule (ID 504) is triggered preceding the agent start, and the flow of events to the Wazuh server seems unaffected.

Is this behavior "normal"?

If yes, what criteria/conditions trigger an unattended restart of the Wazuh agent? There were no configuration changes in agent.conf to trigger an unattended agent restart after their application.

If not, where do I need to look for the root cause?

francisco...@wazuh.com

Apr 27, 2018, 6:19:39 AM
to Wazuh mailing list
Hello,

I'm afraid to tell you that behavior is not normal. 

Probably your agent is restarting periodically due to something unknown, hence the 503 rules triggered. The lack of 504 rules is normal; this rule will be triggered when the manager detects that the agent is not sending keepalive messages in the last 30 minutes (https://documentation.wazuh.com/3.x/user-manual/agents/agent-life-cycle.html), and if you're having quick restarts, no 504 alert will be triggered.

The first thing to check is the ossec.log file on the Windows agent. To get even more information, you can set the windows.debug field to 2 in the internal_options config file. Don't forget to manually restart the agent after that.

Another thing to check would be the usage of active responses, which are disabled by default. Have you configured any <active-response> in the /var/ossec/etc/ossec.conf file in the manager?

Please keep us updated with the information of the ossec.log file so we can have more clues on what's going on.

Best regards,

Fran G.
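
The alert pattern discussed above (rule 503 firing with no rule 504 before it) can be checked from the manager side. The following Python script is an added example, not code from this thread or from the Wazuh project: it reads alerts.json lines, and for each agent counts 503 alerts that were not preceded by a 504 (restarts too quick for the keepalive timeout to fire) and tests whether the spacing between restarts matches the roughly hourly pattern reported in the original post. It assumes one JSON object per line with the "timestamp", "rule.id" and "agent.name" fields Wazuh emits; the sample lines, the agent names and the "+0000" timestamp format are constructed for the example.

```python
"""Classify Wazuh agent-restart alerts (rule 503) by whether a disconnect
alert (rule 504) preceded them, and flag agents restarting on a schedule.

Added example, not part of the thread or of Wazuh. Assumptions: alerts.json
holds one JSON object per line with "timestamp", "rule"."id" and
"agent"."name"; timestamps look like 2018-04-27T04:24:23.123+0000.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample (not real data). WIN-APP restarts roughly every hour
# with no 504 in between; LNX-DB was genuinely disconnected once.
SAMPLE_ALERTS = """\
{"timestamp":"2018-04-27T00:05:10.000+0000","rule":{"id":"503","description":"Wazuh agent started."},"agent":{"id":"003","name":"WIN-APP"}}
{"timestamp":"2018-04-27T01:02:41.000+0000","rule":{"id":"503","description":"Wazuh agent started."},"agent":{"id":"003","name":"WIN-APP"}}
{"timestamp":"2018-04-27T01:30:00.000+0000","rule":{"id":"504","description":"Wazuh agent disconnected."},"agent":{"id":"007","name":"LNX-DB"}}
{"timestamp":"2018-04-27T01:35:12.000+0000","rule":{"id":"503","description":"Wazuh agent started."},"agent":{"id":"007","name":"LNX-DB"}}
this line is deliberately malformed and must be skipped
{"timestamp":"2018-04-27T02:11:03.000+0000","rule":{"id":"503","description":"Wazuh agent started."},"agent":{"id":"003","name":"WIN-APP"}}
{"timestamp":"2018-04-27T02:58:55.000+0000","rule":{"id":"503","description":"Wazuh agent started."},"agent":{"id":"003","name":"WIN-APP"}}
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"  # assumed alerts.json timestamp layout


def parse_alerts(text):
    """Return [(timestamp, rule_id, agent_name)] for 503/504 alerts only.

    Malformed lines or lines missing the expected fields are skipped rather
    than aborting the run, since alerts.json is appended to while we read it.
    """
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
            rule_id = obj["rule"]["id"]
            if rule_id not in ("503", "504"):
                continue
            ts = datetime.strptime(obj["timestamp"], TS_FORMAT)
            out.append((ts, rule_id, obj["agent"]["name"]))
        except (ValueError, KeyError, TypeError):
            continue
    return out


def analyse_restarts(alerts, expected=timedelta(hours=1),
                     tolerance=timedelta(minutes=15)):
    """Per agent: restart count, restarts with no preceding 504, median gap
    between restarts in minutes, and whether every gap is within
    expected +/- tolerance (the hourly +/-15 min pattern from the post)."""
    by_agent = defaultdict(list)
    for ts, rule_id, agent in alerts:
        by_agent[agent].append((ts, rule_id))

    report = {}
    for agent, events in by_agent.items():
        events.sort()
        last_rule, last_start, silent, gaps = None, None, 0, []
        for ts, rule_id in events:
            if rule_id == "503":
                # A 503 is "silent" when the manager never raised a 504 for
                # this agent since the previous start: the agent came back
                # before the keepalive timeout expired.
                if last_rule != "504":
                    silent += 1
                if last_start is not None:
                    gaps.append(ts - last_start)
                last_start = ts
            last_rule = rule_id
        in_band = [g for g in gaps if abs(g - expected) <= tolerance]
        report[agent] = {
            "restarts": sum(1 for _, r in events if r == "503"),
            "silent_restarts": silent,
            "median_interval_min": (round(median(g.total_seconds() for g in gaps) / 60, 1)
                                    if gaps else None),
            "periodic": len(gaps) >= 2 and len(in_band) == len(gaps),
        }
    return report


def suspicious_agents(report):
    """Agents worth investigating: repeated silent restarts or a fixed cadence."""
    return sorted(a for a, r in report.items()
                  if r["silent_restarts"] >= 2 or r["periodic"])


if __name__ == "__main__":
    rep = analyse_restarts(parse_alerts(SAMPLE_ALERTS))
    for agent, r in sorted(rep.items()):
        print(agent, r)
    print("investigate:", suspicious_agents(rep))
```

Run it against the real file with `analyse_restarts(parse_alerts(open("/var/ossec/logs/alerts/alerts.json").read()))`; an agent that shows up as `periodic` with `silent_restarts` equal to its restart count is exhibiting exactly the behaviour described in the first post, and its ossec.log is the next place to look.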

InfoSec

Apr 28, 2018, 3:10:22 PM
to Wazuh mailing list
I can share the agent log file privately, not on list.

Can you please provide me with your public PGP key? I will encrypt the log file with it, and can then share it on-list.

francisco...@wazuh.com

Apr 30, 2018, 4:54:25 AM
to Wazuh mailing list
Hello,

Here you have. 

Also, if you could share the ossec.conf and the internal_options.conf files (of course, sanitize whatever you may need to sanitize), we can search for a possible misconfiguration, to start discarding causes.

Best regards,

Fran G.

3B30CFF4203F52D3EE59DC80F0921CFDF35B5E2F.asc

InfoSec

May 3, 2018, 3:32:49 AM
to Wazuh mailing list
Hello Francisco,

Attached are the files you requested, 7-zipped and encrypted with your PGP key.

I presume you meant ossec.conf and internal_agent.conf on the agent. I am also attaching default-ossec.conf, ossec.log, and agent.conf as they may be relevant to identifying potential configuration issues.
Issues with Agent.7z.pgp

Georges Jahchan

May 16, 2018, 11:11:08 PM
to Wazuh mailing list
Francisco,

Have you had a chance to have a look at the uploaded files?

The problem is getting worse, with more frequent random restarts, and occasionally the agent just dies without restarting.

The frequency of restarts somehow seems to be tied to how busy the system is. The busier, the higher the frequency.

Georges Jahchan

May 21, 2018, 10:46:06 PM
to Wazuh mailing list
I have made a startling discovery.

I moved the agent config from /var/ossec/etc/default/agent.conf on the Wazuh server to <agent_install_dir>\ossec.conf on the agent, as <agent_install_dir>\shared\agent.conf was being wiped at random.

In a couple of hours since the change, I have not seen a single agent restart event.
