Wazuh is a fork of OSSEC that uses the ELK stack to simplify monitoring and management of a distributed infrastructure. I personally have been playing around with it for about a month now in order to evaluate its maturity for a production environment. I will write a separate post on my findings once I am satisfied that I have studied all aspects of it. For now, I just want to share the solution to one of the most common errors you might come across while getting your hands dirty with Wazuh.
Newly integrated agents show “never connected” status:
- You first want to ensure that the Wazuh agent is running fine and is connected to your manager.
- Ensure that your Wazuh manager's IP is correctly added to "/var/ossec/etc/ossec.conf" on the agent machine. It should look something like this:

```xml
root@my-agent:/var/ossec/etc# cat ossec.conf
<!--
  Wazuh - Agent - Default configuration for ubuntu 14.04
  More info at: https://documentation.wazuh.com
  Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->

<ossec_config>
  <client>
    <server>
      <address>18.104.22.168</address>
      <port>1514</port>
      <protocol>udp</protocol>
    </server>
    ......
```

- If you believe your .conf file is set up properly, the next step is to check whether wazuh-agent is actually working in the background, using the following command:

```console
nishant@my-agent:~$ sudo netstat -anp | grep 1514
udp        0      0 22.214.171.124:34750    126.96.36.199:1514    ESTABLISHED 12972/ossec-agentd
```

  Note that Wazuh uses port 1514 to set up remote connections over UDP.

- If both of the steps above work out, you can be sure that the agent is installed and working fine locally on your agent machines; however, it is not able to reach your manager. This can have several causes, but the most common one is a firewall blocking the outgoing port. Again, keep in mind that Wazuh uses UDP. Assuming you are using Ubuntu or another Debian-based operating system, the easiest way to enable an outgoing port is UFW. Use the following commands to do so. Note: DO NOT try this if you have never used UFW before, because you might lock yourself out of the server if you do not allow incoming SSH before enabling UFW. I am adding the command to enable SSH in the list below just in case.

```console
nishant@b0x ~ $ sudo ufw status
Status: inactive
nishant@b0x ~ $ sudo ufw enable
Firewall is active and enabled on system startup
nishant@b0x ~ $ sudo ufw allow out 1514/udp
Rule added
Rule added (v6)
nishant@b0x ~ $ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 1514/udp                   ALLOW OUT   Anywhere (out)
[ 2] 1514/udp (v6)              ALLOW OUT   Anywhere (v6) (out)

nishant@b0x ~ $
```
That should fix your problem. Also, it is important to ensure that your Wazuh manager server allows incoming traffic on port 1514 over UDP, since an agent-side outbound rule alone does nothing if the manager's firewall drops the packets. You can use Google to find out more about UFW commands.
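The three checks above (manager address in ossec.conf, an ossec-agentd UDP socket to that address on port 1514, and an outbound UFW rule) can be scripted so the agent-side diagnosis is repeatable. This is an added example, not code from the post or from the Wazuh project; the `manager_endpoint`, `agent_connected` and `ufw_allows_out` functions are my own names, and the config, netstat and ufw samples are constructed inline so the script runs offline. To use it on a real agent, feed it `cat /var/ossec/etc/ossec.conf`, `netstat -anp` and `ufw status numbered` output instead of the samples.

```shell
#!/bin/sh
# Constructed agent-side ossec.conf excerpt (same shape as the one shown in the post).
SAMPLE_CONF='<ossec_config>
  <client>
    <server>
      <address>18.104.22.168</address>
      <port>1514</port>
      <protocol>udp</protocol>
    </server>
  </client>
</ossec_config>'

# Constructed "netstat -anp" line: agent has a UDP socket to the manager on 1514.
SAMPLE_NETSTAT='udp        0      0 22.214.171.124:34750    18.104.22.168:1514    ESTABLISHED 12972/ossec-agentd'

# Constructed "ufw status numbered" output after "ufw allow out 1514/udp".
SAMPLE_UFW='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 1514/udp                   ALLOW OUT   Anywhere (out)
[ 2] 1514/udp (v6)              ALLOW OUT   Anywhere (v6) (out)'

# manager_endpoint CONF_TEXT -> prints "address:port" from the first <server> block,
# exits 1 if either value is missing (a misconfigured agent will never connect).
manager_endpoint() {
    addr=$(printf '%s\n' "$1" | sed -n 's/.*<address>\([^<]*\)<\/address>.*/\1/p' | head -n 1)
    port=$(printf '%s\n' "$1" | sed -n 's/.*<port>\([^<]*\)<\/port>.*/\1/p' | head -n 1)
    [ -n "$addr" ] && [ -n "$port" ] || return 1
    printf '%s:%s\n' "$addr" "$port"
}

# agent_connected NETSTAT_TEXT ENDPOINT -> exit 0 if ossec-agentd owns a UDP socket
# whose foreign address is exactly ENDPOINT (fixed-string match, so dots are literal).
agent_connected() {
    printf '%s\n' "$1" | grep '^udp' | grep -F " $2 " | grep -F 'ossec-agentd' >/dev/null
}

# ufw_allows_out UFW_TEXT PORT/PROTO -> exit 0 if an outbound ALLOW rule exists for it.
ufw_allows_out() {
    printf '%s\n' "$1" | grep -F "$2" | grep -F 'ALLOW OUT' >/dev/null
}

# Stand-alone run over the constructed samples.
ep=$(manager_endpoint "$SAMPLE_CONF") && echo "manager endpoint: $ep"
agent_connected "$SAMPLE_NETSTAT" "$ep" && echo "agent socket to manager: present"
ufw_allows_out "$SAMPLE_UFW" 1514/udp && echo "ufw outbound 1514/udp: allowed"
```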