Checking connection with the ThreatLockDown manager

This guide shows different ways to check the connection status between an agent and the ThreatLockDown manager. This includes navigating the ThreatLockDown dashboard, using the agent control utility, querying the ThreatLockDown API, and reading the agent state file. It also contains instructions to verify the network communication between the endpoint and the server.

To learn more about installing and enrolling the ThreatLockDown agent, see the ThreatLockDown agent installation guide and the Agent enrollment section.

Using the ThreatLockDown dashboard

You can check the connection status of any agent by selecting the Endpoints Summary menu option of the ThreatLockDown dashboard.

ThreatLockDown dashboard Endpoints Summary menu option

This option shows the Endpoints Summary dashboard with a list of all registered agents. The list includes the connection status of each agent. The dashboard also shows a summary with the number of agents found for each possible connection status: Active, Disconnected, Pending, Never connected.

ThreatLockDown Endpoints Summary dashboard

Using the agent_control utility from the server

You can check the status of any agent remotely by using the agent_control utility installed with the ThreatLockDown server. To get the status of an agent, run the following command, replacing <YOUR_AGENT_ID> with the ID of the agent, for example 001.

# /var/ossec/bin/agent_control -i <YOUR_AGENT_ID> | grep Status
   Status:     Active

To list all the available agents and their status, use /var/ossec/bin/agent_control -l.

Using the ThreatLockDown API

You can also check the status of an agent by querying the ThreatLockDown API for the statistical information of that agent. The response includes the connection status together with the timestamps of the last keepalive and the last acknowledgment, which tell you how recently the manager heard from the agent.

GET /agents/<YOUR_AGENT_ID>/stats/agent
{
  "data": {
    "affected_items": [
      {
        "status": "connected",
        "last_keepalive": "2022-08-16T20:36:27Z",
        "last_ack": "2022-08-16T20:36:30Z",
        "msg_count": 1441,
        "msg_sent": 2326,
        "msg_buffer": 0,
        "buffer_enabled": true
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "Statistical information for each agent was successfully read",
  "error": 0
}
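The following script is an added example, not code from the original page or from the project. It turns the response above into a pass/fail verdict instead of leaving the reader to eyeball the JSON: the agent must report connected, its last keepalive must be recent, and nothing should be stuck in the agent-side buffer. The network part assumes the API follows the Wazuh 4.x conventions that the sample response matches (a JWT from POST /security/user/authenticate with HTTP basic auth, then a Bearer token on GET /agents/<id>/stats/agent), that it listens on https://<manager>:55000, and that the TLD_API_* environment variables are the caller's choice; the 60 second stale-keepalive threshold is a local choice for this check, not a manager setting.

```python
"""Check an agent's connection status through the manager REST API.

Added example; it is not code from the original page or from the project.
Assumptions: Wazuh 4.x style API (JWT from POST /security/user/authenticate
with HTTP basic auth, Bearer token afterwards), API on https://<manager>:55000,
and a locally chosen 60 second threshold for a stale keepalive.
"""
import base64
import json
import os
import ssl
import urllib.request
from datetime import datetime, timezone

API_URL = os.environ.get("TLD_API_URL", "https://127.0.0.1:55000")  # assumed address

# The page's sample response, embedded here as constructed test input.
SAMPLE_RESPONSE = {
    "data": {
        "affected_items": [{
            "status": "connected",
            "last_keepalive": "2022-08-16T20:36:27Z",
            "last_ack": "2022-08-16T20:36:30Z",
            "msg_count": 1441,
            "msg_sent": 2326,
            "msg_buffer": 0,
            "buffer_enabled": True,
        }],
        "total_affected_items": 1,
        "total_failed_items": 0,
        "failed_items": [],
    },
    "message": "Statistical information for each agent was successfully read",
    "error": 0,
}


def parse_api_time(value):
    """Parse the API's UTC timestamps, e.g. '2022-08-16T20:36:27Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess_agent_stats(response, now, max_keepalive_age=60.0):
    """Turn a /agents/<id>/stats/agent body into a verdict.

    Returns {'status', 'keepalive_age', 'problems'}; problems is empty when
    the agent reports 'connected', its last keepalive is younger than
    max_keepalive_age seconds and nothing is queued in the agent-side buffer.
    """
    problems = []
    if response.get("error", 0) != 0:
        problems.append(f"API error {response['error']}: {response.get('message')}")
        return {"status": None, "keepalive_age": None, "problems": problems}
    items = response["data"]["affected_items"]
    if not items:
        problems.append("no such agent (empty affected_items)")
        return {"status": None, "keepalive_age": None, "problems": problems}
    stats = items[0]
    status = stats["status"]
    keepalive_age = (now - parse_api_time(stats["last_keepalive"])).total_seconds()
    if status != "connected":
        problems.append(f"agent reports status {status!r}")
    if keepalive_age > max_keepalive_age:
        problems.append(f"last keepalive is {keepalive_age:.0f}s old")
    if stats.get("buffer_enabled") and stats.get("msg_buffer", 0) > 0:
        problems.append(f"{stats['msg_buffer']} events queued in the agent buffer")
    return {"status": status, "keepalive_age": keepalive_age, "problems": problems}


def _request(path, headers, method="GET", ca_file=None):
    # Verify the API's TLS certificate against the CA that issued it: pass the
    # manager's CA bundle via ca_file instead of disabling verification.
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(API_URL + path, headers=headers, method=method)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def get_token(user, password, ca_file=None):
    """Assumed auth flow: basic-auth POST returns {"data": {"token": ...}}."""
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    body = _request("/security/user/authenticate", {"Authorization": f"Basic {creds}"},
                    method="POST", ca_file=ca_file)
    return body["data"]["token"]


def fetch_agent_stats(agent_id, token, ca_file=None):
    return _request(f"/agents/{agent_id}/stats/agent",
                    {"Authorization": f"Bearer {token}"}, ca_file=ca_file)


if __name__ == "__main__":
    import sys
    agent_id = sys.argv[1] if len(sys.argv) > 1 else "001"
    token = get_token(os.environ["TLD_API_USER"], os.environ["TLD_API_PASSWORD"],
                      ca_file=os.environ.get("TLD_API_CA"))
    verdict = assess_agent_stats(fetch_agent_stats(agent_id, token),
                                 datetime.now(timezone.utc))
    print(json.dumps(verdict, indent=2))
    sys.exit(1 if verdict["problems"] else 0)
```

Run it as `TLD_API_USER=... TLD_API_PASSWORD=... TLD_API_CA=/path/to/ca.pem python3 check_agent.py 001`; the non-zero exit status makes it usable from a monitoring job. The status string alone is not enough: a stale last_keepalive with status still connected means the manager has not yet timed the agent out, which is why the age check is separate.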

Reading the local wazuh-agentd.state file

You can read the wazuh-agentd.state file on the endpoint to check the status of the connection. The agent continuously updates the status field of this file with one of the following values.

  • pending: Waiting for the ThreatLockDown manager to acknowledge that the connection is established.

  • disconnected: No acknowledgment received from the manager during the last 60 seconds, or the connection was lost.

  • connected: The ThreatLockDown manager acknowledged that the connection is established.

To check the current status and verify the connection of the agent with the manager, run the following command on the endpoint.

$ sudo grep ^status /var/ossec/var/run/wazuh-agentd.state
status='connected'

Checking network communication

Agent communication with the manager requires outbound connectivity from the agent to the manager. By default it uses port 1514/TCP, so any firewall between the endpoint and the server must allow this outbound connection.

Use the following command to verify whether a connection to the ThreatLockDown manager is established. The local and foreign addresses should match the agent and manager IP addresses respectively, and the state should be ESTABLISHED.

# netstat -vatunp|grep wazuh-agentd
tcp        0      0 10.0.2.15:48364      10.0.2.1:1514        ESTABLISHED 796/wazuh-agentd

For troubleshooting purposes, search for errors or warnings in the corresponding agent log file.

  • Linux/Unix: /var/ossec/logs/ossec.log

  • Windows: C:\Program Files (x86)\ossec-agent\ossec.log

  • macOS: /Library/Ossec/logs/ossec.log
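The script below is an added example, not code from the original page or from the project. It automates the three endpoint-side checks described above (the status field of wazuh-agentd.state, the established wazuh-agentd socket to port 1514 in the netstat or ss output, and ERROR/WARNING lines in ossec.log) and combines them into one verdict. The file paths are the page's Linux locations; the sample state file, socket listings and log lines are constructed for the example, and the assumed log line layout is "date time component: LEVEL: message".

```python
"""Endpoint-side checks of the agent-to-manager connection.

Added example; not code from the original page or from the project. It
parses the artifacts the page's commands show: wazuh-agentd.state, the
socket listing from `netstat -vatunp` or `ss -tnp`, and the agent log.
Paths are the page's Linux locations; all sample inputs are constructed.
"""
import re
import subprocess
from pathlib import Path

STATE_FILE = Path("/var/ossec/var/run/wazuh-agentd.state")
LOG_FILE = Path("/var/ossec/logs/ossec.log")
MANAGER_PORT = 1514  # default agent-to-manager port (TCP)

# Constructed sample inputs, modelled on the page's output.
SAMPLE_STATE = """\
# State file for wazuh-agentd (constructed sample)
# - pending:      waiting for acknowledgment
# - connected:    acknowledgment received
# - disconnected: no acknowledgment in the last 60 seconds
status='connected'
last_keepalive='2022-08-16 20:36:27'
last_ack='2022-08-16 20:36:30'
"""
SAMPLE_NETSTAT = (
    "tcp        0      0 10.0.2.15:48364      10.0.2.1:1514        "
    "ESTABLISHED 796/wazuh-agentd\n"
)
SAMPLE_SS = (
    'ESTAB 0 0 10.0.2.15:48364 10.0.2.1:1514 '
    'users:(("wazuh-agentd",pid=796,fd=12))\n'
)
SAMPLE_LOG = """\
2022/08/16 20:35:01 wazuh-agentd: INFO: Started (pid: 796).
2022/08/16 20:35:05 wazuh-agentd: WARNING: Unable to connect to '10.0.2.1:1514'. Retrying...
2022/08/16 20:35:20 wazuh-agentd: ERROR: Unable to connect to any server.
2022/08/16 20:36:27 wazuh-agentd: INFO: Connected to the server (10.0.2.1:1514/tcp).
"""


def parse_state_file(text):
    """Parse key='value' lines of wazuh-agentd.state; comments and blanks are skipped."""
    state = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            state[key.strip()] = value.strip().strip("'\"")
    return state


# IPv4 or bracketed IPv6 address followed by a port, as printed by netstat and ss.
ADDR_RE = re.compile(r"((?:\d{1,3}\.){3}\d{1,3}|\[[0-9A-Fa-f:.]+\]):(\d+)")


def find_manager_connection(socket_listing, manager_port=MANAGER_PORT):
    """Return (local, remote) of the ESTABLISHED wazuh-agentd socket whose
    remote port is the manager port, or None. Accepts netstat or ss output."""
    for line in socket_listing.splitlines():
        if "wazuh-agentd" not in line or not re.search(r"\bESTAB(?:LISHED)?\b", line):
            continue
        endpoints = ADDR_RE.findall(line)  # [(addr, port), ...] in local, remote order
        if len(endpoints) >= 2 and int(endpoints[1][1]) == manager_port:
            local, remote = endpoints[0], endpoints[1]
            return (f"{local[0]}:{local[1]}", f"{remote[0]}:{remote[1]}")
    return None


# Assumed log layout: "YYYY/MM/DD HH:MM:SS component: LEVEL: message".
LOG_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\S+): (ERROR|WARNING): (.*)$")


def log_problems(log_text, component="wazuh-agentd"):
    """Return (timestamp, level, message) for ERROR/WARNING lines of one component."""
    found = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(2) == component:
            found.append((m.group(1), m.group(3), m.group(4)))
    return found


def check_endpoint(state_text, socket_listing, log_text):
    """Combine the three checks; 'healthy' needs both a connected state and a live socket."""
    status = parse_state_file(state_text).get("status")
    conn = find_manager_connection(socket_listing)
    return {
        "status": status,
        "connection": conn,
        "healthy": status == "connected" and conn is not None,
        "log_problems": log_problems(log_text),
    }


if __name__ == "__main__":
    # Needs root: the state file is not world-readable and ss only shows
    # process names for sockets the caller owns.
    sockets = subprocess.run(["ss", "-tnp"], capture_output=True, text=True, check=False).stdout
    print(check_endpoint(STATE_FILE.read_text(), sockets, LOG_FILE.read_text()))
```

A state file that says connected while no ESTABLISHED socket exists is worth a second look: the file is only as fresh as the agent's last write, so the socket listing is the more direct evidence. Old ERROR lines in the log are reported as context rather than used for the verdict, since a successful reconnection leaves them behind.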

To learn more, see the Troubleshooting agent enrollment section.