Troubleshooting
As a general rule, check the logs on both the manager and the agent for errors when an agent fails to enroll.
The location of the agent log file depends on the operating system:
- For Linux-based systems, the log file is located at /var/ossec/logs/ossec.log
- For Windows endpoints, the location of the log file depends on the architecture:
  - For a 64-bit endpoint, it is located at C:\Program Files (x86)\ossec-agent\ossec.log
  - For a 32-bit endpoint, it is located at C:\Program Files\ossec-agent\ossec.log
- For a macOS endpoint, the log file is located at /Library/Ossec/logs/ossec.log
Testing communication with the ThreatLockDown manager
In some situations, agents can neither enroll nor establish a connection to the manager because the necessary ports on the manager are not reachable.
The following default ports on the manager should be opened:
1514/TCP for agent communication.
1515/TCP for enrollment via agent configuration.
55000/TCP for enrollment via manager API.
Replace <MANAGER_IP> with your ThreatLockDown Manager IP address or DNS name.
On Linux and macOS systems (with netcat installed), open a terminal and run the following command:
# nc -zv <MANAGER_IP> 1514 1515 55000
If there is connectivity, the output should be a connection success message:
Connection to <MANAGER_IP> port 1514 [tcp] succeeded!
Connection to <MANAGER_IP> port 1515 [tcp] succeeded!
Connection to <MANAGER_IP> port 55000 [tcp] succeeded!
On Windows, open a PowerShell terminal and run the following commands:
(new-object Net.Sockets.TcpClient).Connect("<MANAGER_IP>", 1514)
(new-object Net.Sockets.TcpClient).Connect("<MANAGER_IP>", 1515)
(new-object Net.Sockets.TcpClient).Connect("<MANAGER_IP>", 55000)
If there is connectivity, there is no output. Otherwise, an error is shown:
A connection attempt failed because the connected party did not properly respond after a period of time (...)
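The same reachability test as a cross-platform script, added here as an example and not part of the original documentation. It separates a refused connection (host reachable, nothing listening on the port) from a timeout (typically a firewall dropping packets); the function names are illustrative.

```python
import socket

# Default manager ports listed above.
MANAGER_PORTS = {
    1514: "agent communication",
    1515: "enrollment via agent configuration",
    55000: "enrollment via manager API",
}


def probe(host, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout' or 'error: <reason>' for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        # The host answered with a reset: reachable, but no service on the port.
        return "refused"
    except socket.timeout:
        # No answer at all: usually a firewall or security group dropping packets.
        return "timeout"
    except OSError as exc:
        # Name resolution failures, unreachable networks and similar errors.
        return f"error: {exc.strerror or exc}"


def check_manager(host, ports=MANAGER_PORTS, timeout=3.0):
    """Probe every port and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


if __name__ == "__main__":
    import sys
    # Pass the manager IP address or DNS name as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, state in check_manager(target).items():
        print(f"{port}/TCP ({MANAGER_PORTS[port]}): {state}")
```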
Authentication error
Location: Manager log.
Error log:
2022/02/03 10:07:32 wazuh-remoted: WARNING: (1404): Authentication error. Wrong key or corrupt payload. Message received from agent '001' at 'any'.
Resolution:
Ensure that the client key on the agent matches the key in the manager client.keys file. The key file can be found at /var/ossec/etc/client.keys on both the manager and the agent.
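One way to compare the two entries without pasting key material into a terminal or ticket, added here as an example that is not part of the original documentation. It assumes the four-field `ID NAME IP KEY` line layout of a Wazuh-style client.keys file; the function names and sample keys are constructed.

```python
import hashlib
import hmac


def parse_client_keys(text):
    """Map agent ID -> (name, ip, key); assumes one 'ID NAME IP KEY' entry per line."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            agent_id, name, ip, key = fields
            entries[agent_id] = (name, ip, key)
    return entries


def fingerprint(key):
    """Short SHA-256 digest, safe to show in output instead of the key itself."""
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def compare_agent_key(manager_text, agent_text, agent_id):
    """Compare the entry for agent_id in the manager and agent copies of client.keys."""
    manager = parse_client_keys(manager_text)
    agent = parse_client_keys(agent_text)
    if agent_id not in agent:
        return "agent has no entry for this ID"
    if agent_id not in manager:
        return "manager has no entry for this ID"
    m_name, m_ip, m_key = manager[agent_id]
    a_name, a_ip, a_key = agent[agent_id]
    if not hmac.compare_digest(m_key.encode(), a_key.encode()):
        return f"key mismatch (manager {fingerprint(m_key)}, agent {fingerprint(a_key)})"
    if (m_name, m_ip) != (a_name, a_ip):
        return "key matches but name or IP field differs"
    return "match"


if __name__ == "__main__":
    # Constructed sample content; real files live at /var/ossec/etc/client.keys.
    manager_copy = "001 web01 any " + "a" * 64 + "\n002 db01 any " + "b" * 64 + "\n"
    agent_copy = "001 web01 any " + "c" * 64 + "\n"
    print(compare_agent_key(manager_copy, agent_copy, "001"))
```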
Invalid agent name for enrollment
Location: Agent log.
Error log:
2022/01/26 08:59:10 wazuh-agentd: INFO: Using agent name as: localhost.localdomain
2022/01/26 08:59:10 wazuh-agentd: INFO: Waiting for server reply
2022/01/26 08:59:10 wazuh-agentd: ERROR: Invalid agent name: localhost.localdomain (from manager)
2022/01/26 08:59:10 wazuh-agentd: ERROR: Unable to add agent (from manager)
Resolution:
Ensure the agent hostname is unique and does not match an already enrolled agent. Alternatively, specify a unique agent name in the <client><enrollment><agent_name> section of the agent ossec.conf file.
<client>
  ...
  <enrollment>
    <agent_name>EXAMPLE_NAME</agent_name>
    ...
  </enrollment>
</client>
Unable to read CA certificate file
Location: Manager log
Error log:
2022/01/26 08:25:01 wazuh-authd: ERROR: Unable to read CA certificate file "/var/ossec/etc/rootCA.pem"
2022/01/26 08:25:01 wazuh-authd: ERROR: SSL error. Exiting.
Resolution:
Ensure the certificate authority file is in the location specified in the <ssl_agent_ca> section of the manager ossec.conf file.
Location: Agent log
Error log:
2022/01/26 08:25:01 wazuh-authd: ERROR: Unable to read CA certificate file "/var/ossec/etc/rootCA.pem"
2022/01/26 08:25:01 wazuh-authd: ERROR: SSL error. Exiting.
Resolution:
Ensure the certificate authority file is in the location specified in the <server_ca_path> section of the agent ossec.conf file.
Unable to read private key file
Location: Agent log
Error log:
2022/01/26 08:57:18 wazuh-agentd: ERROR: Unable to read private key file: /var/ossec/etc/sslagent.key
2022/01/26 08:57:18 wazuh-agentd: ERROR: Could not set up SSL connection! Check certification configuration.
Resolution:
Ensure the agent private key file is in the location specified in the <agent_key_path> section of the agent ossec.conf file.
Unable to read certificate file
Location: Agent log
Error log:
2022/01/26 08:54:55 wazuh-agentd: ERROR: Unable to read certificate file (not found): /var/ossec/etc/sslagent.cert
2022/01/26 08:54:55 wazuh-agentd: ERROR: Could not set up SSL connection! Check certification configuration.
Resolution:
Ensure the agent certificate file is in the location specified in the <agent_certificate_path> section of the agent ossec.conf file.
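The CA certificate, private key and certificate cases above all come down to a configured path that cannot be read. This added example (not part of the original documentation) pulls those settings out of ossec.conf and checks each file. It assumes the file is well-formed XML and that relative paths resolve against the installation directory; the function names are illustrative.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Settings named in the cases above and the side whose ossec.conf holds them.
PATH_SETTINGS = {
    "ssl_agent_ca": "manager",
    "server_ca_path": "agent",
    "agent_certificate_path": "agent",
    "agent_key_path": "agent",
}


def configured_paths(conf_text):
    """Return {setting: path} for each enrollment file setting found in ossec.conf."""
    # Assumption: the file is well-formed apart from holding several top-level
    # <ossec_config> blocks, so wrap it in one synthetic root before parsing.
    root = ET.fromstring("<root>" + conf_text + "</root>")
    return {el.tag: el.text.strip() for el in root.iter()
            if el.tag in PATH_SETTINGS and el.text and el.text.strip()}


def check_paths(conf_text, base_dir="/var/ossec"):
    """Map each configured setting to (resolved path, status)."""
    report = {}
    for setting, path in configured_paths(conf_text).items():
        # Assumption: relative paths are resolved against the install directory.
        full = path if os.path.isabs(path) else os.path.join(base_dir, path)
        if not os.path.isfile(full):
            status = "missing"
        elif not os.access(full, os.R_OK):
            status = "unreadable"  # for the user running this check
        elif setting == "agent_key_path" and os.stat(full).st_mode & stat.S_IROTH:
            status = "world-readable"  # private key exposed to every local user
        else:
            status = "ok"
        report[setting] = (full, status)
    return report


if __name__ == "__main__":
    # Constructed sample configuration; paths taken from the log lines above.
    sample = """<ossec_config><client><enrollment>
      <server_ca_path>/var/ossec/etc/rootCA.pem</server_ca_path>
      <agent_key_path>/var/ossec/etc/sslagent.key</agent_key_path>
    </enrollment></client></ossec_config>"""
    for setting, (path, status) in check_paths(sample).items():
        print(f"{setting} ({PATH_SETTINGS[setting]}): {path} -> {status}")
```

Run it as the account the agent or manager service uses, since readability is evaluated for the calling user.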
Invalid password
Location: Agent log
Error log:
2022/01/26 12:28:10 wazuh-agentd: INFO: Requesting a key from server: X.X.X.X
2022/01/26 12:28:10 wazuh-agentd: INFO: No authentication password provided
2022/01/26 12:28:10 wazuh-agentd: INFO: Using agent name as: random
2022/01/26 12:28:10 wazuh-agentd: INFO: Waiting for server reply
2022/01/26 12:28:10 wazuh-agentd: ERROR: Invalid password (from manager)
2022/01/26 12:28:10 wazuh-agentd: ERROR: Unable to add agent (from manager)
Resolution:
- Ensure the same password is used by the manager and the agent.
- Ensure the “authd.pass” password file is in the right location and has the right permissions.
- If password authentication is not needed, it should be disabled in the <auth> section of the manager ossec.conf file.
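To apply the general rule from the top of this section to a whole log file, the following added example (not part of the original documentation) parses ossec.log lines, keeps WARNING and ERROR entries, and maps the messages covered in this section to the setting or file to check. The function name and the mapping text are illustrative.

```python
import re

# Timestamp, daemon, level and message, as in the log excerpts in this section.
LINE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) ([\w-]+): (\w+): (.*)$")

# (message pattern, what to check), taken from the cases in this section.
SIGNATURES = [
    (r"Authentication error\. Wrong key or corrupt payload",
     "client.keys on manager and agent"),
    (r"Invalid agent name", "<agent_name> or hostname uniqueness"),
    (r"Unable to read CA certificate file",
     "<ssl_agent_ca> (manager) or <server_ca_path> (agent)"),
    (r"Unable to read private key file", "<agent_key_path>"),
    (r"Unable to read certificate file", "<agent_certificate_path>"),
    (r"Invalid password", "authd.pass and the manager <auth> section"),
]


def triage(log_text):
    """Return (timestamp, daemon, what to check) for each recognised error line."""
    findings = []
    for raw in log_text.splitlines():
        match = LINE.match(raw.strip())
        if not match or match.group(3) not in ("ERROR", "WARNING"):
            continue  # skip INFO lines and anything that is not a log entry
        stamp, daemon, _level, message = match.groups()
        for pattern, check in SIGNATURES:
            if re.search(pattern, message):
                findings.append((stamp, daemon, check))
                break
    return findings


if __name__ == "__main__":
    # Sample input assembled from log lines quoted in this section.
    sample = """\
2022/01/26 12:28:10 wazuh-agentd: INFO: Waiting for server reply
2022/01/26 12:28:10 wazuh-agentd: ERROR: Invalid password (from manager)
2022/01/26 12:28:10 wazuh-agentd: ERROR: Unable to add agent (from manager)
"""
    for stamp, daemon, check in triage(sample):
        print(f"{stamp} {daemon}: check {check}")
```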