Troubleshooting Wazuh Agent connectivity
The following is the standard approach for troubleshooting Wazuh / XDR agent connectivity issues.
Check Agent Logs
Checking the agent logs is an important step when troubleshooting agent connectivity. These logs can usually point the troubleshooter in the correct direction.
An example of the log output on a Windows machine is listed below:
2025/07/09 14:40:00 wazuh-agent: ERROR: (1216): Unable to connect to '[192.168.4.40]:1514/tcp': 'No connection could be made because the target machine actively refused it.'
In the above instance the agent is unable to connect to the target machine. The following potential causes need to be investigated:
1. Does the endpoint have a functional network connection?
2. Can the endpoint ping the destination address, e.g. ping 192.168.4.40?
3. Are the Wazuh manager services running? This can be tested in the Wazuh container on the hydra with the command /var/ossec/bin/wazuh-control status
4. Is port 1514 on TCP actively listening on the hydra? This can be tested by running the command netstat -plunt in the hydra SSH terminal (not inside any container).
5. Is the traffic being relayed through a firewall policy that does SSL/TLS interception or inspection? If so, an exclusion needs to be created for any traffic flowing to or from the hydra on the following ports. Please see the documentation: https://docs.siemonster.com/current/universal-hydra-v2-3#UniversalHydraDeployment-NetworkSpecifications
6. Is the host firewall enabled on the agent or the manager side? If the firewall is active on the agent side, please create an exception for the traffic and ports stipulated in the URL from point 5. If the team enabled the local firewall on the hydra, this needs to be disabled. You are welcome to control the traffic to the hydra via an appliance firewall, but the hydra contains complex routing and the local firewall will interfere with it.
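The checks above can be narrowed down from the endpoint by testing the TCP port named in the log line. The following is an added example, not part of the original procedure or of Wazuh itself: it assumes Python 3 is available on the endpoint, and the function names (parse_1216, probe_tcp, diagnose) are hypothetical.

```python
import re
import socket

# The agent log line quoted above, used as sample input.
SAMPLE = ("2025/07/09 14:40:00 wazuh-agent: ERROR: (1216): Unable to connect to "
          "'[192.168.4.40]:1514/tcp': 'No connection could be made because "
          "the target machine actively refused it.'")

# Pattern written for the line above; other agent versions may format it differently.
ERR_1216 = re.compile(
    r"wazuh-agent: ERROR: \(1216\): Unable to connect to "
    r"'\[(?P<host>[^\]]+)\]:(?P<port>\d+)/(?P<proto>\w+)': '(?P<reason>.*)'")

# What each probe result suggests, in terms of the checks listed above.
NEXT_CHECK = {
    "open": "TCP connects: look at SSL/TLS inspection policies on the path.",
    "refused": "Host answered with a reset: check the manager services, that "
               "the port is listening, and any host firewall rejecting traffic.",
    "timeout": "No answer: check the endpoint's network connection, ping, and "
               "firewall policies between the agent and the hydra.",
    "unreachable": "No route or name resolution: check the endpoint's network.",
}

def parse_1216(line):
    """Return (host, port, proto, reason) from a 1216 line, or None."""
    m = ERR_1216.search(line)
    return (m["host"], int(m["port"]), m["proto"], m["reason"]) if m else None

def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP connect attempt to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:  # no route, DNS failure, network down
        return "unreachable"

def diagnose(line, timeout=3.0):
    """Parse a 1216 line, probe its target, return (result, advice) or None."""
    parsed = parse_1216(line)
    if parsed is None or parsed[2] != "tcp":
        return None
    result = probe_tcp(parsed[0], parsed[1], timeout)
    return result, NEXT_CHECK[result]

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A "refused" result means the destination was reachable, so the manager-side checks are the place to start; a "timeout" points at the network path or a firewall dropping the traffic.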