SIEM basic 1.2 can't follow instruction

Could you please provide the exact step where you’re encountering an issue, as well as a screenshot?

If you don’t have an active agent, please go back to the Windows desktop and be sure you can ping the wazuh server by the name in the hosts file. Not the IP, the name. Then be sure to net stop wazuh and net start wazuh and be sure the service starts. As noted by @CalmQuail2332, screenshots of your hosts file, the ping output and the net stop/start output are invaluable.

[redacted] it is the answer to your question

  1. How many security events remain after filtering out the host-based anomaly detection (rootcheck) events?

I can't solve this problem. Who can help me?

And 3. What is the Rule ID value for the level 5 “sshd: authentication failed” alerts? This question. What is the correct answer?

Hey there - you can get the answer to this question by completing Part 2 of the lab. Both of these values can be found by reviewing one of the level 5 sshd: authentication failed alerts.

Where is the host file?

The instructions tell you this, but it is c:\windows\system32\drivers\etc\hosts


Can you please point out the host file? I’ve been stuck on this step for days.

I can reach it. But I still get one disconnected agent. No active agent.

I’m a bit confused 🙂 This thread is a resolved thread for SIEM Basics. There is no need to make any changes to any host file in this lab. If you are trying to do another lab, please start a new thread for that. If you are doing SIEM Basics, please describe the issue you are having in detail along with screenshots so we can help.


I followed the instruction and I don’t see an active agent. How do I fix this?


In your screenshot, you show that the ping to wazuh fails. I do not think you are using the correct IP address. Be sure to use the IP address of the Wazuh server.