Wazuh Agent Not Sending Logs

A Wazuh agent can appear installed and running while silently failing to deliver logs to the manager. This runbook focuses on end-to-end validation, from agent service state to manager-side ingestion.


Symptoms

  • Agent shows as installed but no alerts or logs appear

  • Agent intermittently disconnects

  • Manager UI shows agent as never connected

  • No obvious errors in dashboards


Environment

  • Wazuh Manager 4.x

  • Wazuh Agent (Windows or Linux)

  • TCP 1514 / 1515 communication


Common Root Causes

  • Agent not properly registered

  • Connectivity blocked by firewall

  • Agent service running but misconfigured

  • Manager rejecting the agent key

  • Clock drift causing TLS/session issues


Fix Path (SAFE)

Step 1: Verify Agent Service

Linux

systemctl status wazuh-agent

Windows

Get-Service WazuhSvc

Step 2: Validate Agent Configuration

Check manager address:

grep -A2 "<server>" /var/ossec/etc/ossec.conf

Expected:

<address>MANAGER_IP</address>

Step 3: Test Connectivity

nc -vz MANAGER_IP 1514
nc -vz MANAGER_IP 1515

Both ports must be reachable.


Step 4: Re-register Agent (If Needed)

/var/ossec/bin/agent-auth -m MANAGER_IP
systemctl restart wazuh-agent

Verification

  • Agent appears as Active in the Wazuh console

  • New events visible within minutes

  • Agent log shows successful connection

tail -f /var/ossec/logs/ossec.log
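
The Step 2 configuration check, a registration check and the agent log check above can be scripted as read-only helpers. This is an added example, not part of the original runbook. It assumes the default Linux agent paths, that enrollment leaves a non-empty /var/ossec/etc/client.keys, and that wazuh-agentd log wording matches the constructed sample lines (function names are hypothetical).

```shell
#!/bin/sh
# Added example (not from the runbook): read-only checks on the agent host.

# Manager address from ossec.conf (first <address> element).
manager_address() {
    sed -n 's:.*<address>\(.*\)</address>.*:\1:p' \
        "${1:-/var/ossec/etc/ossec.conf}" | head -n 1
}

# Registered agents have a non-empty client.keys.
is_registered() { [ -s "${1:-/var/ossec/etc/client.keys}" ]; }

# Latest connection state in ossec.log: connected | disconnected | unknown.
# Assumption: wazuh-agentd wording as in the constructed sample below.
last_connection_state() {
    awk '
        /wazuh-agentd/ && /Connected to the server/ { s = "connected" }
        /wazuh-agentd/ && /Unable to connect to|Waiting for server reply/ { s = "disconnected" }
        END { print (s == "" ? "unknown" : s) }
    ' "${1:-/var/ossec/logs/ossec.log}"
}

# Constructed sample files so the checks can be tried offline.
write_samples() {
    mkdir -p "$1"
    printf '%s\n' '<ossec_config><client><server>' \
        '  <address>192.0.2.10</address>' '  <port>1514</port>' \
        '</server></client></ossec_config>' > "$1/ossec.conf"
    printf '%s\n' \
        "2024/01/01 10:00:01 wazuh-agentd: ERROR: (1216): Unable to connect to '192.0.2.10:1514/tcp': 'Connection refused'." \
        "2024/01/01 10:00:11 wazuh-agentd: INFO: (4102): Connected to the server (192.0.2.10:1514/tcp)." \
        > "$1/ossec.log"
    : > "$1/client.keys"   # empty: simulates an agent that never enrolled
}

report() {   # report DIR: summarize one set of files
    echo "manager:    $(manager_address "$1/ossec.conf")"
    is_registered "$1/client.keys" && echo "registered: yes" || echo "registered: no"
    echo "state:      $(last_connection_state "$1/ossec.log")"
}

d=$(mktemp -d) && write_samples "$d" && report "$d"
rm -rf "$d"
```

A "connected" state with "registered: no" means the log is stale or the keys file was removed after the last successful session, so check the log timestamps before trusting the state.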

Rollback

systemctl stop wazuh-agent
/var/ossec/bin/manage_agents -r <AGENT_ID>
