Wazuh can't see the agent installed on my virtual Ubuntu 22.04 on Virtual Box

[Sat Slamkhan]

Hello, I have a problem. I installed the wazuh agent on my virtual Ubuntu 22.04, started it, however it didn't appear in the agents list on Wazuh web-interface. What can be the problem, and how to solve that?

[Md. Nazmur Sakib]

Hi Sat Slamkhan,

I hope you are doing well. Thank you for using Wazuh.

It is mostly because of the network connectivity issue or authentication issue. You can find the related logs on your agent’s side.

cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"

There can be many reasons for agents to disconnect from the Wazuh manager.

The most common is the network issue.

• Check the status of your agent if is active and running.

Linux: systemctl status wazuh-agent

Windows: open the Wazuh agent app and check the status.

• Test if your agent can communicate with the manager.

On Linux and macOS systems (with netcat installed), open a terminal and run the following command:

nc -zv <MANAGER_IP> 1514 1515 55000

If there is connectivity, the output should be a connection success message

If you see a connection error check if those IP and ports are allowed in the firewall.

• Go to the ossec.conf file and check if your agent has the right manager address inside the client block. vi /var/ossec/etc/ossec.conf

<address>Manager's_IP</address>

Ex:

<client>

    <server>

      <address>192.168.44.134</address>

      <port>1514</port>

      <protocol>tcp</protocol>

    </server>

    ……………….

  </client>

• Check if there is any error log in the agent’s ossec.log and manager’s ossec.log

For Linux-based systems, the log file is located at /var/ossec/logs/ossec.log

Share the output of this command from both the agent and the manager.

cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"

Make sure to restart the agent after making changes.

Please let me know the update on your issue. Also if you still face the issue, please share the above findings so that I can guide you further.

Regards

Md. Nazmur Sakib

[Sat Slamkhan]

output of this command from both the agent and the manager is in the attachments.

cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"

I checked the status - it's active and running

my agent can communicate with the manager successfully through all ports.

also it has a right manager adress in /var/ossec/etc/ossec.conf  

can you check my logs?

[Sat Slamkhan]

excuse me?

[Sat Slamkhan]

can you help me?

[Md. Nazmur Sakib]

Hi  Sat Slamkhan,

Sorry for the late response. I am looking at your issue. I will get back to you as soon as possible.

Regards

Md. Nazmur Sakib

[Md. Nazmur Sakib]

Hi  Sat Slamkhan,

Sorry for the late response. 

Can you share the output of this command from your agent?

cat /var/ossec/logs/ossec.log | grep -i -E "error|warn"

And 

tail /var/ossec/logs/ossec.log

As I can see the vulnerability scan log is in the agent’s log. I believe the log is also from the manager's side.

Looking forward to your response.

Regards

Md. Namzur Sakib 

[Sat Slamkhan]

in the attached files, the 1 means screens of first command, and 2 - of second.

[Md. Nazmur Sakib]

Hi Sat Slamkhan,

Hope you are doing well.

In the log from 2023/10/04 I can see the manager IP was different. So the agent was unable to connect. From the recent log 2023/10/13, I can see the agent is unable to connect over 1515 ports for enrollment.

Can you check the auth part of your manager ossec.conf configuration?

If the configuration is similar specially check the enrollment port 1515.

  

<auth>

    <disabled>no</disabled>

    <port>1515</port>

    <use_source_ip>no</use_source_ip>

    <purge>yes</purge>

    <use_password>no</use_password>

    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>

    <!-- <ssl_agent_ca></ssl_agent_ca> -->

    <ssl_verify_host>no</ssl_verify_host>

    <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>

    <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>

    <ssl_auto_negotiate>no</ssl_auto_negotiate>

  </auth>

Also, can you check the manager side ossec.log log if there is any error or warning?

There was a bug related to this in an older version. But it was fixed later. I believe this is happening for some network-related issues.

https://github.com/wazuh/wazuh/pull/8789

I hope this helps. Please let me know the update on the issue.

Regards

Md. Nazmur Sakib

[Sat Slamkhan]

here is my auth part from manager's ossec.conf:

  <!-- Configuration for wazuh-authd -->

  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_source_ip>no</use_source_ip>
    <purge>yes</purge>
    <use_password>no</use_password>
    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
    <!-- <ssl_agent_ca></ssl_agent_ca> -->
    <ssl_verify_host>no</ssl_verify_host>
    <ssl_manager_cert>etc/sslmanager.cert</ssl_manager_cert>
    <ssl_manager_key>etc/sslmanager.key</ssl_manager_key>
    <ssl_auto_negotiate>no</ssl_auto_negotiate>
  </auth>

I also attached the screens of my manager's ossec.log 

[Sat Slamkhan]

can you help me?

[Md. Nazmur Sakib]

Hi Sat Slamkhan,

Hope you are doing well. Sorry for the late response.

Your manager’s configuration seems okay to me. At least with the correct configuration it shouldn’t have any error with agent’s enrollment. The issue is somewhere with the network.

You can check a similar thread for example:

https://groups.google.com/g/wazuh/c/hob6yZQVsA4

Can you install agent on another server and test if it also faces the similar issue. Allow 1514 1515 514 ports on the OS firewall and restart the firewall.

Let me know the update on the issue.

Regards

Md. Nazmur Sakib