VM instances

Fred Claus · Nov 20, 2023

Has anyone used Wazuh? I was thinking about setting up a virtual machine to host the Wazuh server, and test it out on a few endpoints. Does the VM need to be running 24/7 in order for the agents on the endpoints to be working? If I were to turn off the server say at night or when I'm traveling, will the endpoint still capture things, that I can view when I turn the VM back on and look at the dashboard, or would the agents on the endpoints stop working as well?

I don't use VM's much so I'm not sure if they constantly need to be running.

phaZed · Nov 20, 2023

You can think of a VM as a physical computer. If it's off, it's off.. and won't be doing anything you may need it to be doing.

Fred Claus · Nov 20, 2023

I understand that when the VM is off, it's not gathering data from the computers, but are the agents on the individual computers still collecting data, and the VM will receive all that collected data as soon as it turns back on?

phaZed · Nov 20, 2023

Gotcha, Sorry I misunderstood.

It looks like, from the interwebs, that Logs and data will be lost if the Agent machine is rebooted before it has a chance to connect. It also looks like the agent goes into a low-volume, slow-polling mode while disconnected - so as to not dump a large cache on re-connection.

Not sure though, I've never used it.

Fred Claus · Nov 20, 2023

ya, I might have to rethink this one. Really all I wanted was the ability to monitor the software on a computer against the CVE Database, and let me know what vulnerabilities there are.

VM instances

Fred Claus

Well-Known Member

phaZed

Well-Known Member

Fred Claus

Well-Known Member

phaZed

Well-Known Member

Agent life cycle - Agent management · Wazuh documentation

global - Local configuration (ossec.conf) · Wazuh documentation

Logs lost if agents is disconnected and system rebooted before connection is restored · Issue #11217 · wazuh/wazuh

Fred Claus

Well-Known Member

Similar threads