Agent life cycle

Registered agent

Once an agent is installed on a machine to be monitored, it must be registered with the Wazuh server in order to establish communication. Take a look at The registration process.

A registered agent will remain in the manager until it is removed by the user. There are four different states that an agent may be in at any given time, as shown in the image below:

Agent status

  • Never connected: The agent has been registered but has not yet connected to the manager.

  • Pending. The authentication process is pending: The manager has received a request for connection from the agent but has not received anything else. This may indicate a firewall issue. The agent will be in this state one time in its life cycle.

  • Active: The agent has successfully connected and can now communicate with the manager.

  • Disconnected: The manager will consider the agent disconnected if it does not receive any keep alive messages from the agent within 30 minutes.

Removed agent

The life cycle comes to an end when the agent is removed from the manager. This can be done through the Wazuh API, command line, or Authd (if the force option is enabled).