@anubhavg-icpl
Last active July 31, 2025 10:22

Agent Status Management Components

1. Primary Daemon: wazuh-remoted

The wazuh-remoted daemon is the server-side component that terminates agent connections and tracks agent status. It processes agent keepalives and marks an agent active by calling wdb_update_agent_keepalive(agent_id, AGENT_CS_ACTIVE, ...); that helper does not write SQLite itself but sends the update to the wazuh-db daemon, which owns the database files.

Location: The remoted daemon runs by default as the wazuh user and is chrooted to /var/ossec.

2. Agent Status Storage - Database Layer

Main Database: Agent status information is stored in /var/ossec/queue/db/global.db (SQLite database)

Individual Agent Databases: Each agent also has its own SQLite database at /var/ossec/queue/db/{AGENT_ID}.db for inventory and module-specific data. These contain tables like metadata, sync_info, scan_info, etc.
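The manager-side status logic described above, as an added example (not Wazuh code): it builds an in-memory SQLite stand-in for the relevant columns of the `agent` table in global.db (the real table has many more columns), fills it with constructed rows, and lists agents whose stored `connection_status` no longer matches the age of their last keepalive. The 10-minute threshold is assumed to be the manager's default `agents_disconnection_time`.

```python
"""Manager-side view of agent status, modelled on global.db's agent table.

Added example, not Wazuh code. The table below is a reduced, constructed
stand-in for the `agent` table in /var/ossec/queue/db/global.db; the rows
are constructed sample data.
"""
import sqlite3
from datetime import timedelta

# Assumed default of <global><agents_disconnection_time>: 10 minutes.
DEFAULT_DISCONNECTION_TIME = timedelta(minutes=10)

NOW = 1_700_000_000  # constructed "current time", epoch seconds

# Constructed rows: id, name, ip, last_keepalive (epoch, 0 = never), connection_status
SAMPLE_AGENTS = [
    (1, "web-01", "10.0.0.11", NOW - 30, "active"),
    (2, "db-01", "10.0.0.12", NOW - 1800, "active"),        # stale keepalive, still marked active
    (3, "new-host", "any", 0, "never_connected"),
    (4, "lab-vm", "192.168.1.50", NOW - 120, "pending"),     # transitional, recent keepalive
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database mimicking the columns this check needs."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE agent (
               id INTEGER PRIMARY KEY,
               name TEXT NOT NULL,
               ip TEXT,
               last_keepalive INTEGER,
               connection_status TEXT)"""
    )
    conn.executemany("INSERT INTO agent VALUES (?,?,?,?,?)", SAMPLE_AGENTS)
    conn.commit()
    return conn


def derive_status(last_keepalive: int, now: int,
                  disconnection_time: timedelta = DEFAULT_DISCONNECTION_TIME) -> str:
    """Status implied by the keepalive timestamp: never_connected / active / disconnected."""
    if not last_keepalive:
        return "never_connected"
    if now - last_keepalive > disconnection_time.total_seconds():
        return "disconnected"
    return "active"


def find_status_drift(conn: sqlite3.Connection, now: int,
                      disconnection_time: timedelta = DEFAULT_DISCONNECTION_TIME) -> list:
    """Return agents whose stored connection_status disagrees with their keepalive age.

    'pending' is transitional (agent seen, handshake not yet completed) and is
    treated as consistent with a recent keepalive.
    """
    drift = []
    rows = conn.execute(
        "SELECT id, name, last_keepalive, connection_status FROM agent ORDER BY id")
    for agent_id, name, last_keepalive, stored in rows:
        expected = derive_status(last_keepalive, now, disconnection_time)
        if stored == "pending" and expected == "active":
            continue
        if stored != expected:
            drift.append({"id": agent_id, "name": name,
                          "stored": stored, "expected": expected})
    return drift


if __name__ == "__main__":
    for entry in find_status_drift(build_sample_db(), NOW):
        print(f"agent {entry['id']:03d} ({entry['name']}): "
              f"stored={entry['stored']} expected={entry['expected']}")
```

On a real manager the same query can be run read-only against /var/ossec/queue/db/global.db (as the wazuh user, with the daemon still running, since SQLite tolerates concurrent readers); a persistent drift between stored and derived status points at a stalled wazuh-db rather than at the agent.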

3. Key Configuration Files

Agent Keys: Agent authentication keys are stored in /var/ossec/etc/client.keys, one line per agent in the form ID NAME IP KEY. When an agent is removed, its entry is either flagged as removed (the name is prefixed with !) or deleted outright, depending on the <purge> setting under <auth> in ossec.conf; a flagged key is ignored by the manager but still sits on disk.

Connection Configuration: The manager's agent-facing service is configured in /var/ossec/etc/ossec.conf under the <remote> section (<connection>secure</connection>), listening on 1514/TCP by default.
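A hygiene check over client.keys, as an added example (not Wazuh code): it parses the ID NAME IP KEY lines, honours the !-prefix convention for removed-but-not-purged entries assumed above, and flags duplicate active IDs, malformed keys and lingering removed keys. The sample file content and its keys are constructed; the expectation that a key is 64 hex characters is an assumption made by this check.

```python
"""Parse client.keys and report hygiene problems.

Added example, not Wazuh code. SAMPLE_CLIENT_KEYS is constructed; the keys
in it are made-up hex strings, not real agent keys.
"""
import re
from collections import Counter

# Constructed sample of /var/ossec/etc/client.keys.
SAMPLE_CLIENT_KEYS = "\n".join([
    "001 web-01 10.0.0.11 " + "0123456789abcdef" * 4,
    "002 !db-01 10.0.0.12 " + "fedcba9876543210" * 4,      # removed, not purged
    "003 lab-vm any not-a-valid-key",                         # malformed key
    "003 lab-vm-dup 192.168.1.50 " + "deadbeef" * 8,          # duplicate ID
    "",
])

# Assumption: a well-formed Wazuh agent key is 64 hex characters.
HEX64 = re.compile(r"[0-9a-fA-F]{64}")


def parse_client_keys(text: str) -> list:
    """Return one dict per entry; blank lines and '#' comments are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 'ID NAME IP KEY', got {len(parts)} fields")
        agent_id, name, ip, key = parts
        entries.append({
            "line": lineno,
            "id": agent_id,
            "name": name.lstrip("!"),
            "ip": ip,
            "key": key,
            "removed": name.startswith("!"),   # '!' marks a removed, non-purged agent
        })
    return entries


def audit_client_keys(entries: list) -> list:
    """Return human-readable findings; an empty list means the file looks clean."""
    findings = []
    active_ids = Counter(e["id"] for e in entries if not e["removed"])
    for e in entries:
        where = f"line {e['line']}, id {e['id']} ({e['name']})"
        if not e["id"].isdigit():
            findings.append(f"{where}: agent ID is not numeric")
        if not HEX64.fullmatch(e["key"]):
            findings.append(f"{where}: key is not 64 hex characters")
        if not e["removed"] and active_ids[e["id"]] > 1:
            findings.append(f"{where}: duplicate active agent ID")
        if e["removed"]:
            findings.append(f"{where}: removed but not purged; key material still on disk")
    return findings


if __name__ == "__main__":
    for finding in audit_client_keys(parse_client_keys(SAMPLE_CLIENT_KEYS)):
        print(finding)
```

Run it against the real file as the wazuh user (client.keys is mode 0640 and must stay that way); a non-empty "removed but not purged" list is the cue to enable <purge>yes</purge> or to clean the file by hand before the next manager restart.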

4. Agent Status Mechanisms

Connection Status: The agent reports its own view of the connection in three states (these are the values written to wazuh-agentd.state):

  • pending: keepalive sent, waiting for acknowledgment from the manager
  • disconnected: no acknowledgment in the last 60 seconds
  • connected: acknowledged connection established

The manager keeps a separate view in global.db (connection_status): active, pending, disconnected, and never_connected. There an agent only becomes disconnected after no keepalive for agents_disconnection_time (10 minutes by default), so the agent-side and manager-side views can legitimately disagree for several minutes.

Status Verification Tools:

  • /var/ossec/bin/agent_control -l lists all agents and their status
  • /var/ossec/bin/agent_control -i <AGENT_ID> shows specific agent status
  • Agent state is also tracked in /var/ossec/var/run/wazuh-agentd.state on the agent side
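The agent-side check that the state file makes possible, as an added example (not Wazuh code): it parses the key='value' layout of wazuh-agentd.state and flags an agent that still claims connected although its last keepalive is more than 60 seconds newer than the last acknowledgment it received. The file content is constructed and includes only the fields used here.

```python
"""Check wazuh-agentd.state for a connection that is stuck or silently lagging.

Added example, not Wazuh code. SAMPLE_STATE is constructed to follow the
key='value' layout of /var/ossec/var/run/wazuh-agentd.state.
"""
from datetime import datetime

# Constructed sample: status says connected, but the last ack predates the
# last keepalive by 100 seconds.
SAMPLE_STATE = """\
# State of wazuh-agentd
status='connected'
# Last time a keepalive was sent
last_keepalive='2025-07-31 10:05:00'
# Last time a control message was received
last_ack='2025-07-31 10:03:20'
"""

TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_state(text: str) -> dict:
    """Return the key/value pairs, with the surrounding quotes removed."""
    state = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        state[key.strip()] = value.strip().strip("'")
    return state


def check_state(state: dict, max_ack_lag: float = 60.0) -> list:
    """Return findings; empty means the agent is connected and being acknowledged."""
    findings = []
    status = state.get("status")
    if status != "connected":
        findings.append(f"status is {status!r}, not 'connected'")
    try:
        keepalive = datetime.strptime(state["last_keepalive"], TIMESTAMP_FORMAT)
        ack = datetime.strptime(state["last_ack"], TIMESTAMP_FORMAT)
    except (KeyError, ValueError) as exc:
        findings.append(f"cannot read timestamps: {exc}")
        return findings
    lag = (keepalive - ack).total_seconds()
    if lag > max_ack_lag:
        findings.append(
            f"last keepalive is {lag:.0f}s newer than last ack: manager is not acknowledging")
    return findings


if __name__ == "__main__":
    for finding in check_state(parse_state(SAMPLE_STATE)):
        print(finding)
```

The ack-lag check is the useful one: status flips to disconnected only once the agent itself gives up, whereas a growing gap between last_keepalive and last_ack shows up earlier and usually means a firewall, a saturated remoted, or a revoked key on the manager side.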

5. Security Architecture Perspective

From a threat modeling standpoint (aligning with your XDR/OXDR focus), the agent status management involves several critical security components:

  • Authentication: Each agent has its own pre-shared key from client.keys; both sides must hold the same key, so authentication is symmetric rather than certificate-based, and a leaked key lets anyone impersonate that agent or decrypt its traffic
  • Encryption: Communication uses AES (128-bit blocks, 256-bit keys) by default; Blowfish is the legacy alternative, selected per agent with <crypto_method> under <client>
  • State Management: The remoted daemon keeps per-agent connection state, so it notices when an agent stops reporting (network loss, host down, or a stopped or tampered agent); a silent agent is a signal to investigate, not proof of compromise
  • Database Integrity: The wazuh-db daemon manages database synchronization and includes vacuum operations for maintenance

6. Source Code Structure

While I couldn't directly access the v4.12.0 source tree, based on the error messages and daemon references, the key source components are likely in:

  • src/remoted/ - Remote daemon handling agent connections
  • src/wazuh_db/ - Database management components
  • src/shared/ - Shared libraries for agent communication

The agent status is primarily managed through the remoted daemon with persistent storage in SQLite databases under /var/ossec/queue/db/, providing both real-time connection tracking and historical agent state information for your security automation workflows.
