Reconnect Wazuh Agent to Fleet
Resolving Wazuh Agent Version Incompatibility Issues for SIEM

Problem Description

Wazuh agents may become disconnected when their version is incompatible with the Wazuh manager version. This typically occurs when the agent is running a newer version than the manager, resulting in error messages like "Agent version must be lower or equal to manager version" in the agent logs.

Symptoms

- Wazuh agent shows as "disconnected" in the Wazuh dashboard
- Agent logs contain error messages about version incompatibility
- Communication between agent and manager fails
- Error messages in logs referring to "Agent version must be lower or equal to manager version"

Root Cause

Wazuh requires the manager version to be equal to or higher than the agent version. This compatibility model ensures proper communication between components. When an agent is upgraded independently or is newer than the manager, communication fails.

Detailed Resolution Steps

Phase 1: Accessing the Server

For AWS EC2 Instances:

1. Log in to your AWS Management Console
2. Navigate to EC2 → Instances
3. Select the instance with the Wazuh agent
4. Click "Connect"
5. Choose "Session Manager" or "EC2 Instance Connect"
6. Click "Connect" to open a browser-based terminal

For SSH Access:

1. Open your terminal (macOS/Linux) or PuTTY (Windows)
2. For macOS/Linux:

    ssh username@server_ip -i /path/to/your-key.pem

   Replace username with your server username (often ec2-user, ubuntu, or admin), server_ip with your server's IP address, and /path/to/your-key.pem with the path to your key file
3. For Windows using PuTTY:
   - Enter the server IP in the "Host Name" field
   - Navigate to Connection → SSH → Auth → Credentials
   - Browse and select your private key file (.ppk format)
   - Click "Open" to connect
4. Accept any security prompts if this is your first time connecting

Phase 2: Diagnosing the Problem

1. Switch to root user for administrative access:

    sudo su -

2. Check the Wazuh agent service status:

    systemctl status wazuh-agent

3. Examine the agent logs for specific errors:

    tail -n 50 /var/ossec/logs/ossec.log

   Look for version incompatibility messages like "Agent version must be lower or equal to manager version"
4. Check the agent version:

    /var/ossec/bin/wazuh-control info

   Note the version number displayed (e.g., "v4.11.2")
5. If you have access to the Wazuh manager, check its version.
   Run this on the manager server:

    /var/ossec/bin/wazuh-control info

   Note the manager version number (e.g., "v4.7.2")

Phase 3: Downgrading the Agent to Match Manager Version

1. Stop the Wazuh agent service:

    systemctl stop wazuh-agent

2. Uninstall the current Wazuh agent.
   For Debian/Ubuntu:

    apt remove wazuh-agent -y

   For RHEL/CentOS/Amazon Linux:

    yum remove wazuh-agent -y

3. Navigate to a directory where you have write permissions:

    cd /tmp

4. Download the specific version that matches your manager.
   For Debian/Ubuntu (assuming 4.7.2 as the target version):

    wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.7.2-1_amd64.deb

   For RHEL/CentOS/Amazon Linux (assuming 4.7.2 as the target version):

    wget https://packages.wazuh.com/4.x/yum/wazuh-agent-4.7.2-1.x86_64.rpm

   Replace 4.7.2 with your manager's exact version number
5. Install the downloaded package with the manager IP specified.
   For Debian/Ubuntu:

    WAZUH_MANAGER='your_manager_ip' dpkg -i ./wazuh-agent_4.7.2-1_amd64.deb

   For RHEL/CentOS/Amazon Linux:

    WAZUH_MANAGER='your_manager_ip' rpm -i ./wazuh-agent-4.7.2-1.x86_64.rpm

   Replace 'your_manager_ip' with your actual Wazuh manager IP address
6. Verify the configuration file has the correct manager IP:

    grep -A5 -B5 "<address>" /var/ossec/etc/ossec.conf

7. If the address shows "MANAGER_IP" or an incorrect IP, edit the configuration file:

    sed -i 's|<address>.*</address>|<address>your_manager_ip</address>|' /var/ossec/etc/ossec.conf

   Replace 'your_manager_ip' with your actual Wazuh manager IP address
8. Alternatively, you can edit the configuration file manually:

    nano /var/ossec/etc/ossec.conf

   - Find the section and subsection that contain the <address> element
   - Update the <address> value to your manager's IP
   - Save the file (Ctrl+O, then Enter) and exit (Ctrl+X)
9. Start the Wazuh agent service:

    systemctl start wazuh-agent

10. Check the service status to confirm it's running:

    systemctl status wazuh-agent

11. Verify the agent is running the correct version:

    /var/ossec/bin/wazuh-control info

12. Check the agent logs to confirm it's connecting to the manager:

    tail -f /var/ossec/logs/ossec.log

    Look for messages indicating successful connection
13. If the agent is still not connecting, try to re-register it with the manager:

    /var/ossec/bin/agent-auth -m your_manager_ip -p 1515

    Replace 'your_manager_ip' with your actual Wazuh manager IP address
14. Restart the agent after re-registration:

    systemctl restart wazuh-agent

Phase 4: Verification and Cleanup

1. Verify the agent appears as connected in the Wazuh dashboard
2. Check for any remaining error messages in the logs:

    tail -n 100 /var/ossec/logs/ossec.log

3. Clean up the downloaded package file if desired:

    rm -f /tmp/wazuh-agent_*

4. Enable the agent to start automatically on system boot:

    systemctl enable wazuh-agent

Troubleshooting Common Issues

Issue: "Permission denied" errors when downloading or installing packages
Solution: Ensure you're running commands with sudo or as root

Issue: Agent fails to start with "Invalid server address found: 'MANAGER_IP'"
Solution: The environment variable didn't replace the placeholder. Follow steps 6-8 in Phase 3 to manually edit the configuration file

Issue: Agent installation fails due to dependency issues
Solution: Install required dependencies first:

    # For Debian/Ubuntu:
    apt update && apt install -y libc6 libssl1.1
    # For RHEL/CentOS:
    yum install -y openssl

Issue: Cannot communicate with the manager after successful installation
Solution: Check if firewalls are allowing traffic on ports 1514 and 1515:

    # Test connection to manager on required ports:
    telnet your_manager_ip 1514
    telnet your_manager_ip 1515
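
The version rule from Root Cause and the download step from Phase 3, as an added example that is not part of the original page: it compares the two version strings field by field and, when the agent is newer, prints the package URL for the manager's version. The function names (valid_ver, ver_le, agent_pkg_url, plan) are hypothetical; the URL patterns are the ones given in Phase 3, and the versions passed in are read by hand from the wazuh-control info output.

```shell
#!/bin/sh
# Added example (not from the original page); function names are hypothetical.

# valid_ver V: accept only "4.7.2" or "v4.7.2", so nothing unexpected ends up
# in a numeric comparison or in a download URL.
valid_ver() {
    case ${1#v} in
        ''|*[!0-9.]*|.*|*.|*..*|*.*.*.*) return 1 ;;
        *.*.*) return 0 ;;
        *) return 1 ;;
    esac
}

# ver_le A B: succeed when A <= B. Fields are compared as numbers, so 4.11.2
# is newer than 4.7.2 (a plain string comparison would say the opposite).
ver_le() {
    valid_ver "$1" && valid_ver "$2" || return 2
    va=${1#v}; vb=${2#v}
    for i in 1 2 3; do
        x=${va%%.*}; y=${vb%%.*}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        va=${va#*.}; vb=${vb#*.}
    done
    return 0
}

# agent_pkg_url FAMILY VERSION: URL patterns as given in Phase 3 of this page
# (4.x repository, package revision -1, amd64 / x86_64).
agent_pkg_url() {
    valid_ver "$2" || return 2
    v=${2#v}
    case $1 in
        deb) echo "https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_${v}-1_amd64.deb" ;;
        rpm) echo "https://packages.wazuh.com/4.x/yum/wazuh-agent-${v}-1.x86_64.rpm" ;;
        *) return 2 ;;
    esac
}

# plan AGENT_VER MANAGER_VER FAMILY: print "compatible", or the package to
# install when the agent is newer than the manager.
plan() {
    rc=0; ver_le "$1" "$2" || rc=$?
    case $rc in
        0) echo "compatible" ;;
        1) url=$(agent_pkg_url "$3" "$2") || return 2; echo "downgrade $url" ;;
        *) echo "invalid version" >&2; return 2 ;;
    esac
}

plan v4.11.2 v4.7.2 deb   # the example versions used on this page
```
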

