Troubleshooting
When a Wazuh agent fails to enroll, we recommend checking the logs on both the Wazuh manager and the Wazuh agent for errors. The Wazuh manager log file is /var/wazuh-manager/logs/wazuh-manager.log. The location of the Wazuh agent log file depends on the operating system:
| Operating system | Wazuh agent log file |
|---|---|
| Linux/Unix | |
| macOS | |
| Windows 64-bit | |
| Windows 32-bit | |
Verifying communication with the Wazuh manager
In some scenarios, the Wazuh agent may be unable to enroll or establish a connection with the Wazuh manager because the necessary ports on the Wazuh manager are unreachable.
The following default ports on the Wazuh manager should be opened:
1514/TCP for agent communication.
1515/TCP for enrollment via agent configuration.
55000/TCP for enrollment via Wazuh manager API.
On Linux and macOS systems (with netcat installed), open a terminal and run the following command. Replace <WAZUH_MANAGER_IP> with your Wazuh manager IP address or fully qualified domain name (FQDN).
# nc -zv <WAZUH_MANAGER_IP> 1514 1515 55000
If there is connectivity, the output should be a connection success message:
Connection to <WAZUH_MANAGER_IP> port 1514 [tcp] succeeded!
Connection to <WAZUH_MANAGER_IP> port 1515 [tcp] succeeded!
Connection to <WAZUH_MANAGER_IP> port 55000 [tcp] succeeded!
On Windows, open a PowerShell terminal and run the following commands:
# (new-object Net.Sockets.TcpClient).Connect("<WAZUH_MANAGER_IP>", 1514)
# (new-object Net.Sockets.TcpClient).Connect("<WAZUH_MANAGER_IP>", 1515)
# (new-object Net.Sockets.TcpClient).Connect("<WAZUH_MANAGER_IP>", 55000)
If there is connectivity, there is no output. Otherwise, an error is shown:
A connection attempt failed because the connected party did not properly respond after a period of time (...)
Authentication error
The client.keys file stores the data used to authenticate the Wazuh agent and the Wazuh manager. The Wazuh agent may be unable to authenticate with the Wazuh manager if the client.keys on the Wazuh manager and the Wazuh agent are different.
Location: Wazuh manager log file at /var/wazuh-manager/logs/wazuh-manager.log.
Error log:
2022/02/03 10:07:32 wazuh-remoted: WARNING: (1404): Authentication error. Wrong key or corrupt payload. Message received from agent '001' at 'any'.
Resolution: Ensure that the client key on the Wazuh agent matches the key in the Wazuh manager client.keys file. You can find the client.keys file at the following locations:
| Endpoint | Location |
|---|---|
| Wazuh manager | |
| Linux/Unix | |
| macOS | |
| Windows | |
Also, verify that each agent has a unique agent key stored in the Wazuh manager /var/wazuh-manager/etc/client.keys file. Duplicate keys can arise if you previously deleted agents with the highest IDs or copied the client.keys file between agents.
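The two checks described above (agent key matches the manager, and no key is shared between agents) can be scripted. The following is an added example, not part of the Wazuh documentation or tooling. It assumes client.keys holds one whitespace-separated `ID NAME IP KEY` entry per line; the function names and sample data are constructed for illustration.

```python
import hashlib
from collections import defaultdict, namedtuple

Entry = namedtuple("Entry", "agent_id name ip key")

# Constructed sample data (not real keys), assumed layout "<ID> <NAME> <IP> <KEY>".
MANAGER_KEYS = """\
001 web-01 any 3f9a1c0de4b7
002 db-01 any 77aa52e0c9d1
003 web-02 any 3f9a1c0de4b7
"""
AGENT_KEYS_OK = "002 db-01 any 77aa52e0c9d1\n"
AGENT_KEYS_STALE = "001 web-01 any 000000000000\n"

def parse_client_keys(text):
    """Parse client.keys text; lines without exactly four fields are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            entries.append(Entry(*fields))
    return entries

def fingerprint(key):
    """Short SHA-256 digest so keys can be compared in reports without exposing them."""
    return hashlib.sha256(key.encode()).hexdigest()[:16]

def duplicate_keys(entries):
    """Return {fingerprint: [agent IDs]} for every key shared by more than one agent."""
    seen = defaultdict(list)
    for e in entries:
        seen[fingerprint(e.key)].append(e.agent_id)
    return {fp: ids for fp, ids in seen.items() if len(ids) > 1}

def check_agent(agent_text, manager_entries):
    """Compare the agent's single entry with the manager's entry for the same ID."""
    agent = parse_client_keys(agent_text)
    if len(agent) != 1:
        return "malformed agent file"
    manager = {e.agent_id: e for e in manager_entries}
    ours = agent[0]
    if ours.agent_id not in manager:
        return "unknown agent"
    same = fingerprint(ours.key) == fingerprint(manager[ours.agent_id].key)
    return "match" if same else "key mismatch"

if __name__ == "__main__":
    manager = parse_client_keys(MANAGER_KEYS)
    print("shared keys:", duplicate_keys(manager))
    print("agent 002:", check_agent(AGENT_KEYS_OK, manager))
    print("agent 001:", check_agent(AGENT_KEYS_STALE, manager))
```

Reporting fingerprints instead of the keys themselves keeps the secrets out of terminals, tickets, and chat when the output is shared during troubleshooting.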
Invalid agent name for enrollment
Each Wazuh agent must have a unique name before successfully enrolling in the Wazuh manager. If you do not specify a Wazuh agent name during the deployment process, Wazuh will use the endpoint's hostname. If two or more endpoints have the same hostname, the Wazuh agent enrollment will not be successful.
Location: Wazuh agent log file
Refer to the table in the Troubleshooting section for the Wazuh agent log file location.
Error log:
2022/01/26 08:59:10 wazuh-agentd: INFO: Using agent name as: localhost.localdomain
2022/01/26 08:59:10 wazuh-agentd: INFO: Waiting for server reply
2022/01/26 08:59:10 wazuh-agentd: ERROR: Invalid agent name: localhost.localdomain (from manager)
2022/01/26 08:59:10 wazuh-agentd: ERROR: Unable to add agent (from manager)
Resolution: Ensure the Wazuh agent hostname is unique and does not match an already enrolled agent. Alternatively, specify a unique agent name in the <client><enrollment><agent_name> section of the Wazuh agent ossec.conf file. You can find the ossec.conf file at the following locations:
Linux/Unix endpoints - /var/ossec/etc/ossec.conf
macOS endpoint - /Library/Ossec/etc/ossec.conf
Windows endpoints - C:\Program Files (x86)\ossec-agent\ossec.conf
<client>
  ...
  <enrollment>
    <agent_name>EXAMPLE_NAME</agent_name>
    ...
  </enrollment>
</client>