In this blog post, we'll walk through the steps to troubleshoot and resolve a disconnected Wazuh agent when using a Docker single-node setup. Wazuh is a powerful security monitoring tool, and it's essential to ensure that all agents are properly connected to the Wazuh manager for effective monitoring. We'll cover checking logs, verifying configurations, and ensuring network connectivity.
Step 1: Verify Docker Container Status
First, ensure that all relevant Docker containers are running. Use the following command to list all running containers:
docker ps
Check for the Wazuh manager, indexer, and dashboard containers. Example output:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
22825f91974b wazuh/wazuh-dashboard:4.10.0 "/entrypoint.sh" 7 weeks ago Up 9 days 443/tcp, 0.0.0.0:443->5601/tcp, [::]:443->5601/tcp single-node-wazuh.dashboard-1
e951f7c6be71 wazuh/wazuh-manager:4.10.0 "/init" 7 weeks ago Up 9 days 0.0.0.0:1514-1515->1514-1515/tcp, [::]:1514-1515->1514-1515/tcp, 0.0.0.0:514->514/udp, [::]:514->514/udp, 0.0.0.0:55000->55000/tcp, [::]:55000->55000/tcp, 1516/tcp single-node-wazuh.manager-1
1a20bb195d5b wazuh/wazuh-indexer:4.10.0 "/entrypoint.sh open…" 7 weeks ago Up 9 days 0.0.0.0:9200->9200/tcp, [::]:9200->9200/tcp single-node-wazuh.indexer-1
Step 2: Check Wazuh Manager Logs
Check the logs of the Wazuh manager container for any errors or warnings. This can provide insights into why the agent might be disconnected:
docker logs e951f7c6be71
Step 3: Verify Agent Configuration
Ensure that the Wazuh agent configuration file (/var/ossec/etc/ossec.conf) on the agent machine is correctly configured with the manager's IP address.
- Open the agent configuration file:
sudo nano /var/ossec/etc/ossec.conf
- Verify that the <client> section has the correct manager IP address:
<client>
<server>
<address>xxx.xx.x.x</address>
<port>1514</port>
</server>
</client>
Step 4: Re-register the Agent
If the agent is listed as disconnected, re-register it with the Wazuh manager. First, remove the existing agent registration from the Wazuh manager:
docker exec -it e951f7c6be71 /var/ossec/bin/manage_agents -r 001
Re-register the agent using the following command on the agent machine:
sudo /var/ossec/bin/agent-auth -m xxx.xx.x.x -A kali
Step 5: Restart Wazuh Agent
After updating the configuration and re-registering the agent, restart the Wazuh agent service:
sudo systemctl restart wazuh-agent
Step 6: Check Network Connectivity
Ensure that the agent machine can communicate with the Wazuh manager. Use ping and telnet to test connectivity:
ping xxx.xx.x.x
telnet xxx.xx.x.x 1514
telnet xxx.xx.x.x 1515
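As an added example (not part of the original post), the script below ties Steps 3 and 6 together: it reads the manager address and port from ossec.conf and tests those exact values, so a typo in the config is not hidden by testing a hand-typed IP. The function names, the `--check` flag and the sample address are this example's own.

```shell
#!/usr/bin/env bash
# Added example: test the manager endpoint the agent is actually configured to use.

# Constructed sample input: a minimal <client> block (192.0.2.10 is a documentation address).
sample_conf() {
    printf '%s\n' '<ossec_config>' '  <client>' '    <server>' \
        '      <address>192.0.2.10</address>' '      <port>1514</port>' \
        '    </server>' '  </client>' '</ossec_config>'
}

# Print "address port" for the first <address>/<port> found inside <client>.
# Reads the file named in $1, or stdin when no argument is given.
manager_endpoint() {
    awk '
        /<client>/   { in_client = 1 }
        /<\/client>/ { in_client = 0 }
        in_client && addr == "" && /<address>/ { gsub(/.*<address>|<\/address>.*/, ""); addr = $0 }
        in_client && port == "" && /<port>/    { gsub(/.*<port>|<\/port>.*/, ""); port = $0 }
        END { if (addr == "") exit 1; print addr, (port == "" ? 1514 : port) }
    ' "${1:--}"
}

# Succeed if a TCP connection to host:port opens within 3 seconds (uses bash /dev/tcp).
port_open() {
    timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# Check the configured agent port plus 1515, the enrollment port tested with telnet above.
check_agent_link() {
    conf="${1:-/var/ossec/etc/ossec.conf}"
    endpoint=$(manager_endpoint "$conf") || { echo "FAIL: no <address> under <client> in $conf"; return 2; }
    addr=${endpoint% *}; port=${endpoint#* }
    rc=0
    for p in "$port" 1515; do
        if port_open "$addr" "$p"; then echo "OK:   $addr:$p reachable"
        else echo "FAIL: $addr:$p unreachable"; rc=1; fi
    done
    return "$rc"
}

if [ "${1:-}" = "--check" ]; then
    check_agent_link "${2:-}"      # live check against the real config (needs read access)
else
    sample_conf | manager_endpoint # offline demo on the constructed sample: 192.0.2.10 1514
fi
```

Run it on the agent machine with `--check` (using sudo if ossec.conf is not readable by your user); a FAIL on only one of the two ports points at a firewall rule or a missing port mapping on the manager container.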
Step 7: Verify Agent Status
Check the status of the agent from the Wazuh manager container:
docker exec -it e951f7c6be71 /var/ossec/bin/agent_control -l
You can also verify the agent's status in the Wazuh Dashboard UI.
Thanks for reading. Keep troubleshooting!