1. Primary Daemon: wazuh-remoted
The wazuh-remoted daemon is the core component responsible for agent communication and keep-alive management. It maintains persistent connections with agents and handles the bidirectional keep-alive mechanism using the handle_agent_connection() and wdb_update_agent_keepalive() functions.
Location: The remoted daemon operates under the wazuh user within the chroot environment at /var/ossec, managing all agent communication on port 1514/TCP by default.
2. Keep-Alive Storage - Database Layer
Main Database: Keep-alive timestamps and agent connection states are stored in /var/ossec/queue/db/global.db (SQLite database) within the agent table.
Key Tables:
- agent table: Stores the last_keepalive, connection_status, and status_code fields
- belongs table: Maps agents to groups for bulk keep-alive operations
- Individual agent databases at /var/ossec/queue/db/{AGENT_ID}.db contain sync status and module-specific keep-alive data
3. Key Configuration Files
Manager Configuration: Keep-alive settings are configured in /var/ossec/etc/ossec.conf under the <remote> section:
<remote>
  <connection>secure</connection>
  <port>1514</port>
  <protocol>tcp</protocol>
  <manager_keepalive>
    <enabled>yes</enabled>
    <interval>60</interval>
    <timeout>180</timeout>
  </manager_keepalive>
</remote>
NATS Integration: XDR/OXDR platform connectivity is configured in the <nats> section for real-time keep-alive event publishing.
4. Keep-Alive Mechanisms
Connection Status States: Manager tracks agents through multiple keep-alive states:
- AGENT_CS_ACTIVE: Agent responding to keep-alive requests
- AGENT_CS_DISCONNECTED: No response within timeout period
- AGENT_CS_PENDING: Waiting for keep-alive acknowledgment
- AGENT_CS_UNKNOWN: Initial state or connection error
Status Verification Tools:
- /var/ossec/bin/agent_control -l displays agent keep-alive status
- /var/ossec/bin/agent_control -i <AGENT_ID> shows the last keep-alive timestamp
- /var/ossec/bin/wazuh-db provides database-level keep-alive queries
- Keep-alive events are published to NATS subjects for XDR platform consumption
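The database layer in section 2, the timeout in the <remote> fragment above and the connection states in section 4 fit together in one check: read interval/timeout from the configuration, then compare each agent's last_keepalive age against that timeout and against the connection_status the manager has stored for it. The script below is an added example, not code from Wazuh or from the original page. Everything in it is constructed: the XML is a copy of the fragment shown above (assuming <manager_keepalive> is where the interval and timeout live), the agent table carries only the columns section 2 names, and the strings assumed to be stored in connection_status (active, disconnected, pending, never_connected) are a mapping from the AGENT_CS_* constants, not taken from the page. On a real manager you would open /var/ossec/queue/db/global.db read-only instead of building the in-memory table.

```python
"""Added example: derive the keep-alive timeout from the <remote> section and
audit the global.db agent table against it. All data is constructed; the
schema and the stored status strings are assumptions, not Wazuh's own."""
import sqlite3
import xml.etree.ElementTree as ET

# Constructed copy of the <remote> fragment from section 3 (assumption: the
# manager_keepalive element is where interval/timeout are read from).
OSSEC_CONF_FRAGMENT = """<ossec_config>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <manager_keepalive>
      <enabled>yes</enabled>
      <interval>60</interval>
      <timeout>180</timeout>
    </manager_keepalive>
  </remote>
</ossec_config>"""

# Assumed mapping from the AGENT_CS_* constants of section 4 to the strings
# stored in agent.connection_status.
STORED_STATUS = {
    "AGENT_CS_ACTIVE": "active",
    "AGENT_CS_DISCONNECTED": "disconnected",
    "AGENT_CS_PENDING": "pending",
    "AGENT_CS_UNKNOWN": "never_connected",
}


def load_keepalive_settings(conf_xml: str) -> dict:
    """Parse enabled/interval/timeout and reject a timeout that cannot work."""
    root = ET.fromstring(conf_xml)
    ka = root.find("./remote/manager_keepalive")
    if ka is None:
        raise ValueError("no <manager_keepalive> under <remote>")
    settings = {
        "enabled": ka.findtext("enabled", "no").strip().lower() == "yes",
        "interval": int(ka.findtext("interval", "60")),
        "timeout": int(ka.findtext("timeout", "180")),
    }
    # A timeout at or below the interval flags healthy agents as disconnected
    # between two keep-alives, so treat it as a configuration error.
    if settings["timeout"] <= settings["interval"]:
        raise ValueError("timeout must be larger than interval")
    return settings


def expected_status(last_keepalive, now: int, timeout: int) -> str:
    """Map keep-alive age to the state the manager should be reporting.
    AGENT_CS_PENDING depends on an in-flight acknowledgment that the
    timestamp alone does not record, so it is never derived here."""
    if not last_keepalive:  # NULL or 0: the agent never checked in
        return "AGENT_CS_UNKNOWN"
    if now - last_keepalive <= timeout:
        return "AGENT_CS_ACTIVE"
    return "AGENT_CS_DISCONNECTED"


def build_sample_db(now: int) -> sqlite3.Connection:
    """In-memory stand-in for /var/ossec/queue/db/global.db with only the
    columns section 2 names (constructed rows; id 0 is the manager itself)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE agent (
        id INTEGER PRIMARY KEY, name TEXT, last_keepalive INTEGER,
        connection_status TEXT, status_code INTEGER)""")
    conn.executemany("INSERT INTO agent VALUES (?,?,?,?,?)", [
        (0, "manager", now, "active", 0),
        (1, "web-01", now - 30, "active", 0),            # fresh keep-alive
        (2, "db-01", now - 600, "active", 0),            # stale, still marked active
        (3, "build-01", now - 900, "disconnected", 0),   # correctly disconnected
        (4, "new-host", None, "never_connected", 0),     # never checked in
    ])
    conn.commit()
    return conn


def audit_agents(conn: sqlite3.Connection, now: int, timeout: int) -> list:
    """Compare stored connection_status with the status implied by
    last_keepalive; a mismatch means the manager's view lags the data."""
    rows = conn.execute(
        "SELECT id, name, last_keepalive, connection_status "
        "FROM agent WHERE id != 0 ORDER BY id").fetchall()
    findings = []
    for agent_id, name, last_ka, stored in rows:
        expected = STORED_STATUS[expected_status(last_ka, now, timeout)]
        findings.append({
            "id": agent_id, "name": name, "stored": stored, "expected": expected,
            "stale": expected == "disconnected",
            # pending is a transient state the timestamp cannot confirm or deny
            "mismatch": stored != expected and stored != "pending",
        })
    return findings


if __name__ == "__main__":
    NOW = 1_700_000_000  # constructed "current" epoch time
    cfg = load_keepalive_settings(OSSEC_CONF_FRAGMENT)
    for finding in audit_agents(build_sample_db(NOW), NOW, cfg["timeout"]):
        print(finding)
```

Run as-is it prints one finding per agent; db-01 shows stale=True and mismatch=True because its keep-alive is 600 seconds old while the table still says active, which is the case a monitoring job would alert on. Swapping the in-memory connection for sqlite3.connect("file:/var/ossec/queue/db/global.db?mode=ro", uri=True) and time.time() for NOW turns it into a read-only check against a real manager.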
5. Source Code Structure
Based on the daemon architecture and functionality, the key source components for keep-alive management are located in:
- src/remoted/remoted.c - Main remote daemon with keep-alive logic
- src/remoted/keepalive_scheduler.c - Manager-side keep-alive scheduling (new component)
- src/wazuh_db/wdb.c - Database operations for keep-alive timestamps
- src/nats_integration/keepalive_events.c - NATS publishing for XDR integration (new component)
- src/config/remote-config.c - Keep-alive configuration parsing
- src/shared/agent_status.h - Shared definitions for agent status constants
Architecture Diagram
graph TB
  subgraph "Wazuh Manager"
    A[wazuh-remoted<br/>Port 1514] --> B[Keep-Alive Handler]
    B --> C[wazuh-db]
    C --> D[(global.db)]
    B --> E[NATS Publisher]
  end
  subgraph "Agents"
    F[Agent 001] -->|TCP/1514| A
    G[Agent 002] -->|TCP/1514| A
    H[Agent 003] -->|TCP/1514| A
  end
  subgraph "NATS Streaming"
    E --> I[agent.keepalive.*]
    I --> J[XDR Platform]
    I --> K[Monitoring Dashboard]
  end
  subgraph "Database Schema"
    D --> L[agent table<br/>- id<br/>- last_keepalive<br/>- connection_status<br/>- status_code]
  end
Agent Status Management Components
1. Primary Daemon: wazuh-remoted
The wazuh-remoted daemon is the core server-side component that manages agent communication and status. It handles the agent keepalive mechanism and updates agent status using the wdb_update_agent_keepalive(agent_id, AGENT_CS_ACTIVE, ...) function.
Location: The remoted daemon runs by default as the wazuh user and is chrooted to /var/ossec.
2. Agent Status Storage - Database Layer
Main Database: Agent status information is stored in /var/ossec/queue/db/global.db (SQLite database).
Individual Agent Databases: Each agent also has its own SQLite database at /var/ossec/queue/db/{AGENT_ID}.db for inventory and module-specific data. These contain tables like metadata, sync_info, scan_info, etc.
3. Key Configuration Files
Agent Keys: Agent authentication keys are stored in /var/ossec/etc/client.keys. When agents are removed, they can be marked as removed in this file or purged entirely based on configuration.
Connection Configuration: The manager's connection service is configured in /var/ossec/etc/ossec.conf under the <remote> section, typically listening on port 1514/TCP for secure agent connections.
4. Agent Status Mechanisms
Connection Status: Agents report their status through multiple states:
- pending: Waiting for acknowledgment from manager
- disconnected: No acknowledgment in last 60 seconds
- connected: Acknowledged connection established
Status Verification Tools:
- /var/ossec/bin/agent_control -l lists all agents and their status
- /var/ossec/bin/agent_control -i <AGENT_ID> shows a specific agent's status
- Agent state is also tracked in /var/ossec/var/run/wazuh-agentd.state on the agent side
5. Security Architecture Perspective
From a threat modeling standpoint (aligning with your XDR/OXDR focus), the agent status management involves several critical security components:
- Authentication: Client keys provide mutual authentication between agents and manager
- Encryption: Communication uses AES encryption (128-bit blocks, 256-bit keys) by default
- State Management: The remoted daemon maintains persistent connection state to detect agent compromises or network issues
- Database Integrity: The wazuh-db daemon manages database synchronization and includes vacuum operations for maintenance
6. Source Code Structure
While I couldn't directly access the v4.12.0 source tree, based on the error messages and daemon references, the key source components are likely in:
- src/remoted/ - Remote daemon handling agent connections
- src/wazuh_db/ - Database management components
- src/shared/ - Shared libraries for agent communication
The agent status is primarily managed through the remoted daemon with persistent storage in SQLite databases under /var/ossec/queue/db/, providing both real-time connection tracking and historical agent state information for your security automation workflows.