
XDR agent management

Wazuh agent installation was covered under the installation section as it is one of the first steps to be performed when a system is commissioned. Please refer to https://docs.siemonster.com/current/agent-installation for further details.

Agent life cycle

An agent can be in one of four states:

  • Never connected

    • The agent was registered but has never connected to the manager.

  • Pending

    • The agent has not yet completed the authentication cycle.

  • Active

    • The agent is registered and is actively communicating with the manager service.

  • Disconnected

    • The agent is not running; the endpoint may be powered off or there may be connectivity issues.

Agents are never automatically removed. They have to be manually removed.

⚠️ NOTE: Even though agents are never automatically removed they may still be overwritten by a new registration that uses the same hostname. Care needs to be taken in cases where hostname duplication may be present.

Listing agents

To perform this activity, you must connect to the shell of the primary Wazuh pod. Please see the Kubernetes section for cluster administration and access.

  1. Connect to the central Wazuh pod

  2. Type the following command and press [ENTER]:

    BASH
    /var/ossec/bin/manage_agents -l

The above produces a complete listing of all registered agents. Note that bash command-line operators such as the pipe ( | ) can be used to redirect the output to other CLI tools such as grep.

Removing agents

Removing agents by CLI

Using the instructions in the “Listing agents” section, you can filter the output to obtain the agent ID of the agent you wish to remove. To remove the agent, run the following command, shown here with the example ID 002:

BASH
/var/ossec/bin/manage_agents -r 002

The output will look like the following:

BASH
****************************************
* Wazuh v4.3.10 Agent manager.          *
* The following options are available: *
****************************************
   (A)dd an agent (A).
   (E)xtract key for an agent (E).
   (L)ist already added agents (L).
   (R)emove an agent (R).
   (Q)uit.
Choose your action: A,E,L,R or Q:
Available agents:
   ID: 001, Name: new, IP: any
Provide the ID of the agent to be removed (or '\q' to quit): 002
Confirm deleting it?(y/n): y
Agent '002' removed.

manage_agents: Exiting.


Removing agents by API

In the Wazuh dashboard, navigate to “>_ Tools” and then click on “API Console”.

Removing a single agent:

The following example deletes the sample agent with ID 004:

BASH
DELETE agents?pretty=true&older_than=0s&agents_list=004&status=all

Removing multiple agents:

The following example deletes the sample agents with IDs 004 to 006:

BASH
DELETE agents?pretty=true&older_than=0s&agents_list=004,005,006&status=all

The above allows for faster removal of large numbers of agents.
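As an added example (not part of the SIEMonster documentation or of Wazuh itself), the script below parses a listing in the format printed by manage_agents -l, selects agent IDs by hostname pattern, reports hostnames registered more than once (the duplication case from the note above), and builds the agents_list value for the API DELETE call. The listing it works on is constructed sample data, not output from a real manager.

```shell
#!/usr/bin/env bash
# Constructed sample listing in the "ID: NNN, Name: X, IP: Y" format that
# /var/ossec/bin/manage_agents -l prints. Replace with real output, e.g.:
#   /var/ossec/bin/manage_agents -l | select_ids '^web-'
SAMPLE_LISTING='Available agents:
   ID: 001, Name: web-01, IP: any
   ID: 002, Name: db-01, IP: 10.0.0.5
   ID: 003, Name: web-02, IP: any
   ID: 004, Name: web-01, IP: 10.0.0.7'

# Read a listing on stdin and print "ID NAME" pairs, one per line.
parse_agents() {
  sed -n 's/^ *ID: \([0-9]*\), Name: \([^,]*\), IP: .*$/\1 \2/p'
}

# Print the IDs of agents whose name matches the extended regex in $1.
select_ids() {
  parse_agents | awk -v re="$1" '$2 ~ re { print $1 }'
}

# Join stdin lines with commas: 001 003 -> 001,003 (the agents_list format).
join_ids() {
  awk 'NR > 1 { printf "," } { printf "%s", $0 } END { if (NR) print "" }'
}

# Print hostnames that are registered under more than one agent ID.
# A second registration with an existing hostname can overwrite the first,
# so these deserve a manual look before any bulk removal.
duplicate_names() {
  parse_agents | awk '{ c[$2]++ } END { for (n in c) if (c[n] > 1) print n }' | sort
}

# Build the API Console DELETE request for every agent matching pattern $1.
# Returns 1 (and prints nothing) when no agent matches, so a typo in the
# pattern cannot silently turn into an empty or overly broad request.
delete_request() {
  list=$(printf '%s\n' "$SAMPLE_LISTING" | select_ids "$1" | join_ids)
  [ -n "$list" ] || return 1
  printf 'DELETE agents?pretty=true&older_than=0s&agents_list=%s&status=all\n' "$list"
}
```

Running `printf '%s\n' "$SAMPLE_LISTING" | duplicate_names` on the sample prints web-01, and `delete_request '^web-'` prints a request with agents_list=001,003,004.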

Removing disconnected agents:

The following example removes agents that have been in the never_connected or disconnected state for longer than 21 days (older_than=21d):

BASH
DELETE agents?pretty=true&older_than=21d&agents_list=all&status=never_connected,disconnected
