Wazuh agent with real IP.


Adam Sobieraj

Apr 24, 2024, 5:05:47 AM
to Wazuh | Mailing List
Hi

We have many agents installed on hosts that are mobile.
Is there a way to get the IP address of those agents, but not the IP on the agent interface?
We want the IP of the connection if the mobile agent has NAT.

Best regards
Adam Sobieraj

Rafael Bailon Robles

Apr 24, 2024, 7:39:30 AM
to Wazuh | Mailing List
Hello! If I understand correctly, you have agents that change their IP and you want to generate a rule that only allows the connection if the IP is within the NAT.

If it is correct, what you need is to configure the "allowed-ips" in the "remote" tag. This is the documentation. The "allowed-ips" tag is the IP address or network range of the endpoints forwarding events to the Wazuh server.

If this is not what you need, could you please provide me with more information?

I hope I've helped

Rafael Bailon Robles

Apr 24, 2024, 8:43:18 AM
to Wazuh | Mailing List
From the information you have given me, what you need is the NAT IP of the Agent but what you receive is the IP of the computer interface where the agent is installed.

Wazuh does not receive this information. As an idea, if you can monitor the NAT information on the agent machine, you can add the logs to Wazuh and allow it to monitor them. Although this is not exactly what I think you want.

I hope I've helped.

Rafael Bailon Robles

Apr 24, 2024, 12:03:48 PM
to Wazuh | Mailing List
I have reviewed the information that you have sent me privately.

The "wazuh-remoted" daemon connects to the agents at regular intervals. This is the documentation with all the available configuration options: Remoted.

You can run "wazuh-remoted" using the following options: wazuh-remoted.

When "wazuh-remoted" connects to the agent, it updates the information it has about it (if anything has changed). If the Agent's IP changes (the one recognized by the Manager), the Agent will connect to the Manager, since the Manager's IP has not changed but the manager will not recognize the agent. That is, it will recognize the Agent as new since it registers its IP the first time it connects to the Manager.

These cases can be handled with client-keys and restarting the Manager. In this way we can update the Agent's IP manually but it would have to be done whenever said IP changes.

Another option is to use agent-auth with the "-I any" option. It's important to include the 'any' keyword since it allows the agent to change its IP. In this case, the new IP would be reflected in the Manager on each new connection.

If the IP that you have been able to see in the logs (with active debug) is not the IP of the Agent that appears in the Manager, it could be part of the data that it receives from the Agent when connecting. I would need to see the logs to be able to say specifically what the situation is.

Hope it helps. Regards.
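
An added example, not part of the original thread and not Wazuh's own code: a Python audit of a client.keys file that separates agents registered with a fixed address from those registered with `any` or a network range, the distinction the reply above turns on. It assumes the `<id> <name> <ip> <key>` line layout and a leading `!` (or `#`) on the names of removed entries; all sample entries are constructed.

```python
import ipaddress

# Constructed sample in the assumed "<id> <name> <ip> <key>" layout.
# Names, addresses and keys are made up for this example.
SAMPLE_CLIENT_KEYS = """\
001 laptop-anna 192.168.1.1 0123456789abcdef-constructed
002 laptop-ben any 0123456789abcdef-constructed
003 branch-gw 10.20.0.0/16 0123456789abcdef-constructed
004 !retired-host any 0123456789abcdef-constructed
broken line
"""


def classify_source(ip_field):
    """Return 'any', 'network' or 'pinned' for the IP column of an entry."""
    if ip_field.lower() == "any":
        return "any"
    # strict=False accepts host bits in a CIDR such as 10.20.0.5/16.
    net = ipaddress.ip_network(ip_field, strict=False)
    return "pinned" if net.num_addresses == 1 else "network"


def audit_client_keys(text):
    """Group active agents by how their source address is registered."""
    report = {"any": [], "network": [], "pinned": [], "skipped": []}
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 4:
            report["skipped"].append((lineno, "expected 4 fields"))
            continue
        agent_id, name, ip_field, _key = fields  # the key is never reported
        if name.startswith(("!", "#")):  # assumed marker of a removed agent
            report["skipped"].append((lineno, "removed agent"))
            continue
        try:
            report[classify_source(ip_field)].append((agent_id, name, ip_field))
        except ValueError:
            report["skipped"].append((lineno, "unparseable address"))
    return report


if __name__ == "__main__":
    # On a manager, pass the contents of its client.keys file instead.
    result = audit_client_keys(SAMPLE_CLIENT_KEYS)
    for agent_id, name, ip_field in result["pinned"]:
        print(f"{agent_id} {name}: registered with fixed address {ip_field}")
```

Agents listed under `pinned` are the ones whose registration would need the manual client-keys update, or re-registration with `-I any`, when their address changes.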

Adam Sobieraj

Apr 25, 2024, 5:51:33 AM
to Rafael Bailon Robles, Wazuh | Mailing List
Hi

I do not want to change allowed-ips; I need to know what the NAT IP of the agent is, if it is behind a router.
Wazuh on agent.ip gives only the IP of the computer interface where the agent is installed.

We have agent(IP:192.168.1.1) -> router (NAT IP:100.100.100.100) -> wazuh
I want to find the NAT IP in Wazuh; maybe increasing logging in wazuh-remoted does something with this.

Best regards

--
You received this message because you are subscribed to a topic in the Google Groups "Wazuh | Mailing List" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/wazuh/ca_3HagPbCk/unsubscribe.
To unsubscribe from this group and all its topics, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/d9cc3281-93c2-4c6a-acd4-51e21a45c960n%40googlegroups.com.

Adam Sobieraj

Apr 25, 2024, 5:51:49 AM
to Rafael Bailon Robles, Wazuh | Mailing List
Analyzing NAT and network flows is not a good option.
I have found that wazuh-remoted with the option debug=1 logs when an agent is connecting and gives me the IP that I need.
Now I must check how often it does this; for now I see it only when a connection is started. Another question is whether wazuh-remoted has a status table with connections.

Best regards
Adam Sobieraj


Rafael Bailon Robles

May 6, 2024, 3:32:18 AM
to Wazuh | Mailing List
It seems that the answer was not published, sorry for the inconvenience.

Unfortunately, "wazuh-remoted" itself does not maintain a status table with connections. "wazuh-remoted" acts as an intermediary between the agents and the Wazuh server. When an agent connects, "wazuh-remoted" registers this connection and receives events generated by the agent. "wazuh-remoted" then sends these events to the Wazuh server for processing and storage.

All registered agent information is stored in "/var/ossec/queue/db". Here you have all the information that is stored and that you can consult: https://documentation.wazuh.com/current/user-manual/capabilities/system-inventory/available-inventory-fields.html. You can access the content using "sqlite3".

Each agent has its own ".db" file. When changing the IP of an agent, it is taken as a new connection, which would generate a new ".db" file.

I hope this has helped you.