How to troubleshoot a Disconnected Wazuh Agent in a Docker Single-Node Environment?


Mar 6, 2025 - 07:11

In this blog post, we'll walk through the steps to troubleshoot and resolve a disconnected Wazuh agent when using a Docker single-node setup. Wazuh is a powerful security monitoring tool, and it's essential to ensure that all agents are properly connected to the Wazuh manager for effective monitoring. We'll cover checking logs, verifying configurations, and ensuring network connectivity.

Step 1: Verify Docker Container Status

First, ensure that all relevant Docker containers are running. Use the following command to list all running containers:

docker ps

Check for the Wazuh manager, indexer, and dashboard containers. Example output:

CONTAINER ID   IMAGE                           COMMAND                  CREATED         STATUS                      PORTS                                                                                                                                                                 NAMES
22825f91974b   wazuh/wazuh-dashboard:4.10.0    "/entrypoint.sh"         7 weeks ago     Up 9 days                   443/tcp, 0.0.0.0:443->5601/tcp, [::]:443->5601/tcp                                                                                                                    single-node-wazuh.dashboard-1
e951f7c6be71   wazuh/wazuh-manager:4.10.0      "/init"                  7 weeks ago     Up 9 days                   0.0.0.0:1514-1515->1514-1515/tcp, [::]:1514-1515->1514-1515/tcp, 0.0.0.0:514->514/udp, [::]:514->514/udp, 0.0.0.0:55000->55000/tcp, [::]:55000->55000/tcp, 1516/tcp   single-node-wazuh.manager-1
1a20bb195d5b   wazuh/wazuh-indexer:4.10.0      "/entrypoint.sh open…"   7 weeks ago     Up 9 days                   0.0.0.0:9200->9200/tcp, [::]:9200->9200/tcp                                                                                                                           single-node-wazuh.indexer-1

Step 2: Check Wazuh Manager Logs

Check the logs of the Wazuh manager container for any errors or warnings. This can provide insights into why the agent might be disconnected:

docker logs e951f7c6be71


Step 3: Verify Agent Configuration

Ensure that the Wazuh agent configuration file (/var/ossec/etc/ossec.conf) on the agent machine is correctly configured with the manager's IP address.

  1. Open the agent configuration file:

sudo nano /var/ossec/etc/ossec.conf

  2. Verify the <client> section has the correct manager IP address:

<client>
  <server>
    <address>xxx.xx.x.x</address>
    <port>1514</port>
  </server>
</client>

Step 4: Re-register the Agent

If the agent is listed as disconnected, re-register it with the Wazuh manager. First, remove the existing agent registration from the Wazuh manager:

docker exec -it e951f7c6be71 /var/ossec/bin/manage_agents -r 001

Re-register the agent using the following command on the agent machine:

sudo /var/ossec/bin/agent-auth -m xxx.xx.x.x -A kali

Step 5: Restart Wazuh Agent

After updating the configuration and re-registering the agent, restart the Wazuh agent service:

sudo systemctl restart wazuh-agent

Step 6: Check Network Connectivity

Ensure that the agent machine can communicate with the Wazuh manager. Use ping and telnet to test connectivity:

ping xxx.xx.x.x
telnet xxx.xx.x.x 1514
telnet xxx.xx.x.x 1515

Step 7: Verify Agent Status

Check the status of the agent from the Wazuh manager container:

docker exec -it e951f7c6be71 /var/ossec/bin/agent_control -l


Finally, verify the agent's status in the Wazuh Dashboard UI.
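The checks in Steps 3, 6 and 7 can be scripted so they return a pass/fail answer instead of output to read by eye. This is an added example, not part of the original post: the function names, the 192.0.2.10 address and both sample inputs are constructed, and the `agent_control -l` line layout ("ID: …, Name: …, IP: …, status") is assumed from typical output.

```shell
#!/bin/sh
# Added example: helpers for Steps 3, 6 and 7. All sample data below is constructed.

# Step 3: read an agent ossec.conf on stdin, print the first manager address
# found inside the <client> section.
manager_address() {
  sed -n '/<client>/,/<\/client>/s:.*<address>\(.*\)</address>.*:\1:p' | head -n 1
}

# Step 6: succeed if host:port accepts a TCP connection within 3 seconds
# (bash's /dev/tcp replaces the interactive telnet session; needs bash and timeout).
port_open() {
  timeout 3 bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null
}

# Step 7: read `agent_control -l` output on stdin and print "ID NAME STATUS"
# for every agent whose status does not start with "Active".
not_active_agents() {
  awk -F', ' '/^ *ID: / {
    id = $1;   sub(/^ *ID: /, "", id)
    name = $2; sub(/^Name: /, "", name)
    if ($NF !~ /^Active/) print id, name, $NF
  }'
}

# Constructed ossec.conf fragment (192.0.2.10 is a documentation address).
SAMPLE_CONF='<ossec_config>
  <client>
    <server>
      <address>192.0.2.10</address>
      <port>1514</port>
    </server>
  </client>
</ossec_config>'

# Constructed listing in the assumed agent_control -l layout.
SAMPLE_AGENT_LIST='Wazuh agent_control. List of available agents:
   ID: 000, Name: wazuh.manager (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: kali, IP: any, Disconnected
   ID: 002, Name: web01, IP: any, Never connected
   ID: 003, Name: db01, IP: any, Active'

printf '%s\n' "$SAMPLE_CONF" | manager_address
printf '%s\n' "$SAMPLE_AGENT_LIST" | not_active_agents

# Real use, agent host:  addr=$(sudo cat /var/ossec/etc/ossec.conf | manager_address)
#   for p in 1514 1515; do port_open "$addr" "$p" || echo "cannot reach $addr:$p"; done
# Real use, Docker host: docker exec single-node-wazuh.manager-1 \
#   /var/ossec/bin/agent_control -l | not_active_agents
```

When piping `docker exec` output into a function, leave out `-it` so no terminal is allocated.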


Thanks for reading. Keep troubleshooting!