Troubleshooting
We recommend checking the logs on the Wazuh manager and Wazuh agent for errors when a Wazuh agent fails to enroll. The location of the Wazuh manager log file is /var/ossec/logs/ossec.log. The location of the Wazuh agent log file depends on the operating system:
Operating system | Wazuh agent log file |
---|---|
Linux/Unix | |
macOS | |
Windows 64-bit | |
Windows 32-bit | |
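As an added example (not part of the Wazuh documentation or code), the following shell function tags each line of a log with the troubleshooting case on this page whose error message it contains. The function names and case labels are chosen here, and the sample lines are copied from the error logs shown on this page.

```sh
#!/bin/sh
# Added example, not Wazuh code: tag each enrollment error in a Wazuh log
# with the troubleshooting case on this page that covers it.

# Reads log lines from the files given as arguments (or stdin) and prints
# "<case><TAB><log line>" for every line matching a documented signature.
classify_enrollment_errors() {
    awk '
    BEGIN {
        # Literal message fragments taken from the error logs on this page.
        sig[1] = "(1404): Authentication error"
        name[1] = "Authentication error"
        sig[2] = "Invalid agent name"
        name[2] = "Invalid agent name for enrollment"
        sig[3] = "Unable to read CA certificate file"
        name[3] = sig[3]
        sig[4] = "Unable to read private key file"
        name[4] = sig[4]
        sig[5] = "Unable to read certificate file"
        name[5] = sig[5]
        sig[6] = "Invalid password"
        name[6] = sig[6]
        n = 6
    }
    {
        for (i = 1; i <= n; i++)
            if (index($0, sig[i])) { printf "%s\t%s\n", name[i], $0; break }
    }' "$@"
}

# Constructed sample: lines copied from this page plus one unrelated line.
sample_log() {
    cat <<'EOF'
2022/02/03 10:07:32 wazuh-remoted: WARNING: (1404): Authentication error. Wrong key or corrupt payload. Message received from agent '001' at 'any'.
2022/01/26 08:59:10 wazuh-agentd: INFO: Waiting for server reply
2022/01/26 08:59:10 wazuh-agentd: ERROR: Invalid agent name: localhost.localdomain (from manager)
2022/01/26 08:25:01 wazuh-authd: ERROR: Unable to read CA certificate file "/var/ossec/etc/rootCA.pem"
2022/01/26 08:54:55 wazuh-agentd: ERROR: Unable to read certificate file (not found): /var/ossec/etc/sslagent.cert
2022/01/26 12:28:10 wazuh-agentd: ERROR: Invalid password (from manager)
EOF
}

sample_log | classify_enrollment_errors
```

To use it on a real endpoint, pass the log file path as the argument, for example the manager log at /var/ossec/logs/ossec.log.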
Verifying communication with the Wazuh manager
In some scenarios, the Wazuh agent may be unable to enroll or establish a connection with the Wazuh manager because the necessary ports on the Wazuh manager are unreachable.
The following default ports on the Wazuh manager should be opened:
1514/TCP for agent communication.
1515/TCP for enrollment via agent configuration.
55000/TCP for enrollment via Wazuh server API.
On Linux and macOS systems (with netcat installed), open a terminal and run the following command. Replace <WAZUH_MANAGER_IP> with your Wazuh manager IP address or FQDN (Fully Qualified Domain Name).
# nc -zv <WAZUH_MANAGER_IP> 1514 1515 55000
If there is connectivity, the output should be a connection success message:
Connection to <WAZUH_MANAGER_IP> port 1514 [tcp] succeeded!
Connection to <WAZUH_MANAGER_IP> port 1515 [tcp] succeeded!
Connection to <WAZUH_MANAGER_IP> port 55000 [tcp] succeeded!
On Windows, open a PowerShell terminal and run the following command:
> (new-object Net.Sockets.TcpClient).Connect("<WAZUH_MANAGER_IP>", 1514)
> (new-object Net.Sockets.TcpClient).Connect("<WAZUH_MANAGER_IP>", 1515)
> (new-object Net.Sockets.TcpClient).Connect("<WAZUH_MANAGER_IP>", 55000)
If there is connectivity, there is no output. Otherwise, an error is shown:
A connection attempt failed because the connected party did not properly respond after a period of time (...)
Authentication error
The client.keys file stores the data used to authenticate the Wazuh agent and the Wazuh manager. The Wazuh agent may be unable to authenticate with the Wazuh manager if the client.keys files on the Wazuh manager and the Wazuh agent are different.
Location: Wazuh manager log file at /var/ossec/logs/ossec.log.
Error log:
2022/02/03 10:07:32 wazuh-remoted: WARNING: (1404): Authentication error. Wrong key or corrupt payload. Message received from agent '001' at 'any'.
Resolution: Ensure that the client key on the Wazuh agent matches the key in the Wazuh manager client.keys file. You can find the client.keys file at the following locations:
Endpoint | Location |
---|---|
Wazuh manager | |
Linux/Unix | |
macOS | |
Windows | |
Also, verify that each agent has a unique agent key stored in the Wazuh manager /var/ossec/etc/client.keys file. Duplicate keys can arise if you previously deleted agents with the highest IDs or copied the client.keys file between agents.
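The two checks in this resolution can be scripted. This is an added example, not Wazuh code: it assumes each client.keys line holds four space-separated fields (ID, name, IP, key), the function names are chosen here, and the sample keys are constructed placeholders.

```sh
#!/bin/sh
# Added example, not Wazuh code. Assumes client.keys lines of the form:
#   ID NAME IP KEY

# Reports repeated IDs, names and keys in a manager client.keys file.
# Key material is never printed; duplicate keys are reported by agent ID.
audit_client_keys() {
    awk 'NF == 4 {
        if ($1 in id)   print "duplicate-id " $1
        if ($2 in name) print "duplicate-name " $2 " ids=" name[$2] "," $1
        if ($4 in key)  print "duplicate-key ids=" key[$4] "," $1
        id[$1] = 1
        if (!($2 in name)) name[$2] = $1
        if (!($4 in key))  key[$4]  = $1
    }' "$1"
}

# Succeeds only if every entry in the agent file ($2) appears in the
# manager file ($1) with the same ID, name and key.
agent_entry_matches() {
    awk 'NR == FNR { if (NF == 4) seen[$1 " " $2 " " $4] = 1; next }
         NF == 4   { found = 1; if (!(($1 " " $2 " " $4) in seen)) bad = 1 }
         END       { exit !(found && !bad) }' "$1" "$2"
}

# Writes constructed sample files (placeholder keys, not real key material).
write_sample_keys() {
    printf '%s\n' '001 web01 any 1111aaaa' '002 db01 any 2222bbbb' \
                  '003 web02 any 1111aaaa' > "$1/manager.keys"
    printf '002 db01 any 2222bbbb\n' > "$1/agent_ok.keys"
    printf '002 db01 any 9999ffff\n' > "$1/agent_stale.keys"
}

d=$(mktemp -d) && write_sample_keys "$d"
audit_client_keys "$d/manager.keys"
for f in agent_ok agent_stale; do
    if agent_entry_matches "$d/manager.keys" "$d/$f.keys"
    then echo "$f: entry matches the manager"
    else echo "$f: entry differs from the manager"
    fi
done
rm -rf "$d"
```

Compare the agent copy on a trusted host and remove it afterwards, since client.keys holds the shared secrets for every listed agent.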
Invalid agent name for enrollment
Each Wazuh agent must have a unique name before successfully enrolling in the Wazuh manager. If you do not specify a Wazuh agent name during the deployment process, Wazuh will use the endpoint's hostname. If two or more endpoints have the same hostname, the Wazuh agent enrollment will not be successful.
Location: Wazuh agent log file
Refer to the table in the Troubleshooting section for the Wazuh agent log file location.
Error log:
2022/01/26 08:59:10 wazuh-agentd: INFO: Using agent name as: localhost.localdomain
2022/01/26 08:59:10 wazuh-agentd: INFO: Waiting for server reply
2022/01/26 08:59:10 wazuh-agentd: ERROR: Invalid agent name: localhost.localdomain (from manager)
2022/01/26 08:59:10 wazuh-agentd: ERROR: Unable to add agent (from manager)
Resolution: Ensure the Wazuh agent hostname is unique and does not match an already enrolled agent. Alternatively, specify a unique agent name in the <client><enrollment><agent_name> section of the Wazuh agent ossec.conf file. You can find the ossec.conf file at the following locations:
Linux/Unix endpoints - /var/ossec/etc/ossec.conf
macOS endpoint - /Library/Ossec/etc/ossec.conf
Windows endpoints - C:\Program Files (x86)\ossec-agent\ossec.conf
<client>
  ...
  <enrollment>
    <agent_name>EXAMPLE_NAME</agent_name>
    ...
  </enrollment>
</client>
Unable to read CA certificate file
The Wazuh agent may not be able to authenticate with the Wazuh manager if the root certificate authority is missing on either the Wazuh manager or the Wazuh agent. This applies when additional security options such as Wazuh manager identity verification and Wazuh agent identity verification are used.
Location: Wazuh manager log file at /var/ossec/logs/ossec.log.
Error log:
2022/01/26 08:25:01 wazuh-authd: ERROR: Unable to read CA certificate file "/var/ossec/etc/rootCA.pem"
2022/01/26 08:25:01 wazuh-authd: ERROR: SSL error. Exiting.
Resolution: Ensure the certificate authority file is in the location specified in the <ssl_agent_ca> section of the Wazuh manager /var/ossec/etc/ossec.conf file.
Location: Wazuh agent log file
Refer to the table in the Troubleshooting section for the Wazuh agent log file location.
Error log:
2022/01/26 08:25:01 wazuh-authd: ERROR: Unable to read CA certificate file "/var/ossec/etc/rootCA.pem"
2022/01/26 08:25:01 wazuh-authd: ERROR: SSL error. Exiting.
Resolution: Ensure the certificate authority file is in the location specified in the <server_ca_path> section of the Wazuh agent configuration file (ossec.conf). You can find the ossec.conf file at the following locations:
Linux/Unix endpoints - /var/ossec/etc/ossec.conf
macOS endpoint - /Library/Ossec/etc/ossec.conf
Windows endpoints - C:\Program Files (x86)\ossec-agent\ossec.conf
Unable to read private key file
The Wazuh agent may not be able to authenticate with the Wazuh manager if the private key file is missing on the Wazuh agent. This applies when Wazuh agent identity verification is used for the Wazuh agent enrollment.
Location: Wazuh agent log file
Refer to the table in the Troubleshooting section for the Wazuh agent log file location.
Error log:
2022/01/26 08:57:18 wazuh-agentd: ERROR: Unable to read private key file: /var/ossec/etc/sslagent.key
2022/01/26 08:57:18 wazuh-agentd: ERROR: Could not set up SSL connection! Check certification configuration.
Resolution: Ensure the agent private key file is in the location specified in the <agent_key_path> section of the Wazuh agent ossec.conf file. You can find the ossec.conf file at the following locations:
Linux/Unix endpoints - /var/ossec/etc/ossec.conf
macOS endpoint - /Library/Ossec/etc/ossec.conf
Windows endpoints - C:\Program Files (x86)\ossec-agent\ossec.conf
Unable to read certificate file
The Wazuh agent may not be able to authenticate with the Wazuh manager if the signed SSL certificate is missing on the Wazuh agent. This applies when Wazuh agent identity verification is used for the Wazuh agent enrollment.
Location: Wazuh agent log file
Refer to the table in the Troubleshooting section for the Wazuh agent log file location.
Error log:
2022/01/26 08:54:55 wazuh-agentd: ERROR: Unable to read certificate file (not found): /var/ossec/etc/sslagent.cert
2022/01/26 08:54:55 wazuh-agentd: ERROR: Could not set up SSL connection! Check certification configuration.
Resolution: Ensure the agent certificate file is in the location specified in the <agent_certificate_path> section of the Wazuh agent ossec.conf file. You can find the ossec.conf file at the following locations:
Linux/Unix endpoints - /var/ossec/etc/ossec.conf
macOS endpoint - /Library/Ossec/etc/ossec.conf
Windows endpoints - C:\Program Files (x86)\ossec-agent\ossec.conf
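The resolutions for the CA certificate, private key and certificate errors above all come down to checking that the file named in ossec.conf exists and can be read. The following is an added example, not Wazuh code: the function names are chosen here, it assumes each option sits on one line as <tag>path</tag>, and it assumes relative paths are resolved against the install directory.

```sh
#!/bin/sh
# Added example, not Wazuh code. Assumes each option is written on one line
# as <tag>path</tag>; relative paths are resolved against the install dir.

# $1 = ossec.conf, $2 = install directory (default /var/ossec).
# Prints "<tag> <ok|missing|unreadable> <path>" for each configured option
# and returns non-zero if any referenced file is missing or unreadable.
check_enrollment_files() {
    conf=$1; base=${2:-/var/ossec}; rc=0
    for tag in ssl_agent_ca server_ca_path agent_certificate_path agent_key_path; do
        path=$(sed -n "s|.*<$tag>\([^<]*\)</$tag>.*|\1|p" "$conf" | head -n 1)
        [ -n "$path" ] || continue            # option not configured
        case $path in /*) ;; *) path=$base/$path ;; esac
        if [ ! -e "$path" ]; then state=missing
        elif [ ! -r "$path" ]; then state=unreadable
        else state=ok; fi
        [ "$state" = ok ] || rc=1
        printf '%s %s %s\n' "$tag" "$state" "$path"
    done
    return $rc
}

# Writes a constructed agent config and empty stand-in files into $1.
write_sample_conf() {
    cat > "$1/ossec.conf" <<EOF
<client>
  <enrollment>
    <server_ca_path>$1/rootCA.pem</server_ca_path>
    <agent_certificate_path>sslagent.cert</agent_certificate_path>
    <agent_key_path>$1/sslagent.key</agent_key_path>
  </enrollment>
</client>
EOF
    : > "$1/rootCA.pem"; : > "$1/sslagent.cert"   # sslagent.key left missing
}

d=$(mktemp -d) && write_sample_conf "$d"
check_enrollment_files "$d/ossec.conf" "$d" || echo "fix the paths reported above"
rm -rf "$d"
```

The readability test applies to the user running the script, so run it as the account the Wazuh service uses.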
Invalid password
If you enable password authentication for agent enrollment, the Wazuh agent may not be able to authenticate with the Wazuh manager if there's an invalid or missing password.
Location: Wazuh agent log file
Refer to the table in the Troubleshooting section for the Wazuh agent log file location.
Error log:
2022/01/26 12:28:10 wazuh-agentd: INFO: Requesting a key from server: X.X.X.X
2022/01/26 12:28:10 wazuh-agentd: INFO: No authentication password provided
2022/01/26 12:28:10 wazuh-agentd: INFO: Using agent name as: random
2022/01/26 12:28:10 wazuh-agentd: INFO: Waiting for server reply
2022/01/26 12:28:10 wazuh-agentd: ERROR: Invalid password (from manager)
2022/01/26 12:28:10 wazuh-agentd: ERROR: Unable to add agent (from manager)
Resolution:
Ensure the same password is used by the Wazuh manager and the Wazuh agent.
Ensure that the authd.pass password file is in the /var/ossec/etc/ directory and has the right permission. The file permissions should be set to 640, and the owner should be root.
If password authentication is not needed, it should be disabled in the <auth> section of the Wazuh manager /var/ossec/etc/ossec.conf file. You can find the ossec.conf file at the following locations:
Linux/Unix endpoints - /var/ossec/etc/ossec.conf
macOS endpoint - /Library/Ossec/etc/ossec.conf
Windows endpoints - C:\Program Files (x86)\ossec-agent\ossec.conf