Wazuh Client not Sending Data to Manager #2218

rdemars-zcorum · 2020-12-04T19:18:46Z

rdemars-zcorum
Dec 4, 2020

There seems to be an issue with the Wazuh on SO Manager getting data from the clients.

On the SO manager:
so-wazuh-agent-manage -l
Available agents:
ID: 001, Name: so-manager, IP: 10.75.236.225
ID: 002, Name: ansible, IP: 172.16.7.4
ID: 003, Name: repos, IP: 10.75.236.245
ID: 004, Name: freeipa, IP: 172.16.10.10
ID: 005, Name: ticketing, IP: 10.75.236.109
ID: 006, Name: bluesky-map, IP: 10.75.236.3
ID: 007, Name: ctbacula, IP: 10.75.236.122

iptables -nvL |grep 1514
0 0 ACCEPT tcp 0 0 ACCEPT udp 135 14405 ACCEPT udp -- * 2 88 ACCEPT tcp -- * * 197 22261 ACCEPT udp -- * 0 0 ACCEPT tcp -- * * 393 44409 ACCEPT udp -- * 0 0 ACCEPT tcp -- * * 0 0 ACCEPT udp -- * * 0 0 ACCEPT tcp -- * * 404 45142 ACCEPT udp -- * 4 176 ACCEPT tcp -- * * 0 0 ACCEPT udp -- * * 0 0 ACCEPT tcp -- * * 0 0 ACCEPT udp -- * * 0 0 ACCEPT tcp -- * * 0 0 ACCEPT udp -- * * 0 0 ACCEPT tcp -- * * 0 0 ACCEPT udp -- * * 0 0 ACCEPT tcp -- * * 0 0 ACCEPT udp -- * * 0 0 ACCEPT tcp -- * * 0 0 ACCEPT udp -- * * 0 0 ACCEPT tcp -- * * -- !docker0 docker0 0.0.0.0/0 172.17.0.11 tcp dpt:1514
-- !docker0 docker0 0.0.0.0/0 172.17.0.11 udp dpt:1514
* 10.75.236.122 0.0.0.0/0 udp dpt:1514
10.75.236.122 0.0.0.0/0 tcp dpt:1514
* 10.75.236.3 0.0.0.0/0 udp dpt:1514
10.75.236.3 0.0.0.0/0 tcp dpt:1514
* 172.16.0.0/16 0.0.0.0/0 udp dpt:1514
172.16.0.0/16 0.0.0.0/0 tcp dpt:1514
10.75.235.0/24 0.0.0.0/0 udp dpt:1514
10.75.235.0/24 0.0.0.0/0 tcp dpt:1514
* 10.75.236.0/24 0.0.0.0/0 udp dpt:1514
10.75.236.0/24 0.0.0.0/0 tcp dpt:1514
10.75.236.109 0.0.0.0/0 udp dpt:1514
10.75.236.109 0.0.0.0/0 tcp dpt:1514
172.16.10.10 0.0.0.0/0 udp dpt:1514
172.16.10.10 0.0.0.0/0 tcp dpt:1514
10.75.236.245 0.0.0.0/0 udp dpt:1514
10.75.236.245 0.0.0.0/0 tcp dpt:1514
172.16.7.4 0.0.0.0/0 udp dpt:1514
172.16.7.4 0.0.0.0/0 tcp dpt:1514
10.75.236.225 0.0.0.0/0 udp dpt:1514
10.75.236.225 0.0.0.0/0 tcp dpt:1514
127.0.0.1 0.0.0.0/0 udp dpt:1514
127.0.0.1 0.0.0.0/0 tcp dpt:1514

On a client:
cat /var/ossec/log/ossec.log
2020/12/04 12:22:24 ossec-agentd: WARNING: Unable to connect to any server.
2020/12/04 12:22:24 ossec-agentd: INFO: Closing connection to server (10.75.236.225:1514/udp).
2020/12/04 12:22:24 ossec-agentd: INFO: Trying to connect to server (10.75.236.225:1514/udp).
2020/12/04 12:23:29 ossec-agentd: INFO: Closing connection to server (10.75.236.225:1514/udp).
2020/12/04 12:23:29 ossec-agentd: INFO: Trying to connect to server (10.75.236.225:1514/udp).
2020/12/04 12:24:34 ossec-agentd: INFO: Closing connection to server (10.75.236.225:1514/udp).

nmap -P0 -p1514 -sU 10.75.236.225
Starting Nmap 6.40 ( http://nmap.org ) at 2020-12-04 13:29 EST
Nmap scan report for av-ossim.zcorum.com (10.75.236.225)
Host is up (0.00048s latency).
PORT STATE SERVICE
1514/udp open|filtered fujitsu-dtcns
MAC Address: 00:50:56:90:20:8E (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.50 seconds

juliourena · 2021-01-29T12:26:47Z

juliourena
Jan 29, 2021

Did you solve the issue? I'm having the same problem on Windows.

0 replies

KrisjonHanson · 2021-01-30T06:58:10Z

KrisjonHanson
Jan 30, 2021

Did you also open TCP/1515?

https://documentation.wazuh.com/3.13/user-manual/registering/index.html

1 reply

juliourena Jan 30, 2021

Yes both.

[root@securityonion automation]# so-wazuh-agent-manage -l

Available agents:
   ID: 001, Name: securityonion, IP: 192.168.6.199
   ID: 002, Name: WKSTN-01, IP: any
   
[root@securityonion automation]# iptables -nL | grep '1514\|1515'
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.10          tcp dpt:1515
ACCEPT     tcp  --  0.0.0.0/0            172.17.0.10          tcp dpt:1514
ACCEPT     udp  --  0.0.0.0/0            172.17.0.10          udp dpt:1514
ACCEPT     tcp  --  192.168.6.0/24       0.0.0.0/0            tcp dpt:1515
ACCEPT     udp  --  192.168.6.0/24       0.0.0.0/0            udp dpt:1514
ACCEPT     tcp  --  192.168.6.0/24       0.0.0.0/0            tcp dpt:1514
ACCEPT     tcp  --  192.168.6.199        0.0.0.0/0            tcp dpt:1515
ACCEPT     udp  --  192.168.6.199        0.0.0.0/0            udp dpt:1514
ACCEPT     tcp  --  192.168.6.199        0.0.0.0/0            tcp dpt:1514
ACCEPT     tcp  --  127.0.0.1            0.0.0.0/0            tcp dpt:1515
ACCEPT     udp  --  127.0.0.1            0.0.0.0/0            udp dpt:1514
ACCEPT     tcp  --  127.0.0.1            0.0.0.0/0            tcp dpt:1514

[root@securityonion automation]# cat /opt/so/saltstack/local/salt/firewall/hostgroups.local.yaml
firewall:
  hostgroups:
    analyst:
      ips:
        delete: []
        insert: [127.0.0.1, 192.168.6.0/24]
    beats_endpoint:
      ips:
        delete: []
        insert: [127.0.0.1]
    beats_endpoint_ssl:
      ips: {delete: null, insert: null}
    elasticsearch_rest:
      ips: {delete: null, insert: null}
    fleet:
      ips: {delete: null, insert: null}
    heavy_node:
      ips: {delete: null, insert: null}
    manager:
      ips:
        delete: []
        insert: [127.0.0.1, 192.168.6.199]
    minion:
      ips:
        delete: []
        insert: [127.0.0.1, 192.168.6.199]
    node:
      ips: {delete: null, insert: null}
    osquery_endpoint:
      ips:
        delete: []
        insert: [127.0.0.1, 192.168.6.0/24]
    search_node:
      ips:
        delete: []
        insert: [127.0.0.1, 192.168.6.199]
    sensor:
      ips:
        delete: []
        insert: [127.0.0.1, 192.168.6.199]
    strelka_frontend:
      ips: {delete: null, insert: null}
    syslog:
      ips:
        delete: []
        insert: [192.168.6.0/24]
    wazuh_agent:
      ips:
        delete: []
        insert: [192.168.6.0/24]
    wazuh_api:
      ips:
        delete: []
        insert: [192.168.6.0/24]
    wazuh_authd:
      ips:
        delete: []
        insert: [192.168.6.0/24]

weslambert · 2021-02-01T12:38:00Z

weslambert
Feb 1, 2021

If you look in /nsm/wazuh/etc/ossec.conf and compare what the manager is expecting (tcp/udp), does it match that of the client?

0 replies

jozb09 · 2022-12-05T09:16:04Z

jozb09
Dec 5, 2022

Hello @rdemars-zcorum

Did you manage to resolve.? Am having the same issue

1 reply

dougburks Dec 6, 2022
Maintainer

@jozb09 You've already created a new discussion for this. No need to reply to somebody else's discussion asking the same question.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Wazuh Client not Sending Data to Manager #2218

Uh oh!

{{title}}

Uh oh!

Replies: 4 comments 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Wazuh Client not Sending Data to Manager #2218

Uh oh!

rdemars-zcorum Dec 4, 2020

Replies: 4 comments · 2 replies

Uh oh!

juliourena Jan 29, 2021

Uh oh!

KrisjonHanson Jan 30, 2021

Uh oh!

Uh oh!

juliourena Jan 30, 2021

Uh oh!

weslambert Feb 1, 2021

Uh oh!

jozb09 Dec 5, 2022

Uh oh!

dougburks Dec 6, 2022 Maintainer

rdemars-zcorum
Dec 4, 2020

Replies: 4 comments 2 replies

juliourena
Jan 29, 2021

KrisjonHanson
Jan 30, 2021

weslambert
Feb 1, 2021

jozb09
Dec 5, 2022

dougburks Dec 6, 2022
Maintainer