wazuh agent v4.14 failed to start in RHEL6
34 views
Skip to first unread message
Veera
Nov 25, 2025, 9:32:34 AM (6 days ago) Nov 25
to Wazuh | Mailing List
Hi,
As per the documentation , we have installed wazuh-4.14.0-1 in a rhel6 system and the agent is installed without any error.
However starting the service is failing.
The system have enough free memory and file ulimits, however when starting the service there is no errors reported, but failing.
Using SysV Init restart method...
Stopping Wazuh: [ OK ]
Starting Wazuh: [FAILED]
[ERROR] Failed to restart Wazuh agent.
[root@myvm]# service wazuh-agent status
wazuh-modulesd not running...
wazuh-logcollector not running...
wazuh-syscheckd not running...
wazuh-agentd not running...
wazuh-execd is running...
There are few traces of errors in syslog (attached)
Is that a known issue in sysV OS?
Message has been deleted
Mauricio Aguilar
Nov 25, 2025, 11:01:09 AM (6 days ago) Nov 25
to Wazuh | Mailing List
Hello, this appears to be a limitation of the operating system: RHEL 6.5 + kernel 4.4.159 (elrepo).
Using a modern kernel on such an old system causes inconsistencies in resource management, especially when creating threads.
Even if you have enough memory, if these values are low, threads cannot be created. Please check these outputs:
ulimit -u
ulimit -a
cat /proc/sys/kernel/threads-max
cat /proc/sys/kernel/pid_max
cat /proc/sys/kernel/thread-max
grep -i oom /var/log/messages
free -m
Also check the ossec user limits:
su - ossec
ulimit -a
This is corrected in:
/etc/security/limits.conf:
ossec soft nproc 4096
ossec hard nproc 4096
Using a modern kernel on such an old system causes inconsistencies in resource management, especially when creating threads.
Even if you have enough memory, if these values are low, threads cannot be created. Please check these outputs:
ulimit -u
ulimit -a
cat /proc/sys/kernel/threads-max
cat /proc/sys/kernel/pid_max
cat /proc/sys/kernel/thread-max
grep -i oom /var/log/messages
free -m
Also check the ossec user limits:
su - ossec
ulimit -a
This is corrected in:
/etc/security/limits.conf:
ossec soft nproc 4096
ossec hard nproc 4096
Veera
Nov 26, 2025, 5:38:58 AM (5 days ago) Nov 26
to Wazuh | Mailing List
Hi ,
There is no ossec user created when installing the Wazuh agent on Linux, correct?
All Wazuh agent processes run either under the wazuh user or as root (for SUID/privileged components), even though the wazuh user itself is created with /sbin/nologin.
All Wazuh agent processes run either under the wazuh user or as root (for SUID/privileged components), even though the wazuh user itself is created with /sbin/nologin.
[root@sample ~]# ps -eo user,pid,cmd | grep wazuh |grep -v grep
wazuh 5090 /var/ossec/bin/wazuh-agentd
root 5689 /var/ossec/bin/wazuh-execd
root 5707 /var/ossec/bin/wazuh-syscheckd
root 5731 /var/ossec/bin/wazuh-logcollector
root 7001 /var/ossec/bin/wazuh-modulesd
[root@sample ~]#
wazuh 5090 /var/ossec/bin/wazuh-agentd
root 5689 /var/ossec/bin/wazuh-execd
root 5707 /var/ossec/bin/wazuh-syscheckd
root 5731 /var/ossec/bin/wazuh-logcollector
root 7001 /var/ossec/bin/wazuh-modulesd
[root@sample ~]#
Will the entries in limits.conf still apply if the username is different?
Or did you mean that the limits should be set for the wazuh user instead of ossec?
Or did you mean that the limits should be set for the wazuh user instead of ossec?
Attached the command logs for your recommendations.
Mauricio Aguilar
Nov 26, 2025, 12:34:30 PM (5 days ago) Nov 26
to Wazuh | Mailing List
Yes, limits must be configured for the wazuh user for new versions.
Add this to:
/etc/security/limits.conf
wazuh soft nproc 4096
wazuh hard nproc 4096
wazuh soft nofile 65535
wazuh hard nofile 65535
Then restart the user session
su - wazuh -s /bin/bash
ulimit -u
It should display something > 0
Add this to:
/etc/security/limits.conf
wazuh soft nproc 4096
wazuh hard nproc 4096
wazuh soft nofile 65535
wazuh hard nofile 65535
Then restart the user session
su - wazuh -s /bin/bash
ulimit -u
It should display something > 0
Veera
Nov 28, 2025, 8:16:42 AM (3 days ago) Nov 28
to Wazuh | Mailing List
Thanks .. it worked
Reply all
Reply to author
Forward
0 new messages