Agent life cycle

Registered agent

Once an agent is installed on a machine to be monitored, it must be registered with the Wazuh manager in order to establish communication. This can be done via the command line, Authd, or the RESTful API.

A registered agent will remain in the manager until it is removed by the user. There are four different states that an agent may be in at any given time, as shown in the image below:

Agent status

  • Never conected: The agent has been registered but has not yet connected to the manager.
  • Pending. The authentication process is pending: The manager has received a request for connection from the agent but has not received anything else. This may indicate a firewall issue. The agent will be in this state one time in its life cycle.
  • Active: The agent has successfully connected and can now communicate with the manager.
  • Disconnected:
    • If the connection is made through UDP, the manager will consider the agent disconnected if it does not receive any keep alive messages from the agent within a half an hour.
    • If the connection is made through TCP, the manager will consider the agent disconnected immediately after the connection is lost.

Removed agent

The life cycle comes to an end when the agent is removed from the manager. This can be done through the RESTful API, command line, or Authd (if the force option is enabled).