How to change agent name and/or ip address on wazuh manager

[ajurjevi]

anybody knows?

[Victor Fernandez]

Hi,

you should change the name or the IP at file /var/ossec/etc/client.keys. Each line at this file has the form:

ID Name IP Key

 

Stop Wazuh, change the desired value (name or IP) at client.keys, make the same change on client.keys at agent and rename (on manager) these files:

• /var/ossec/queue/agent-info/name-IP
• /var/ossec/queue/syscheck/(name) IP->syscheck
• /var/ossec/queue/rootcheck(name) IP->rootcheck

Then restart the manager and the agent.

Hope it help.

Best regards.

On Thursday, May 18, 2017 at 11:11:02 AM UTC+2, ajurjevi wrote:

anybody knows?

[ajurjevi]

tnx Victor!

[Leandro Maciel]

Hello,

I needed to change an agent name and tried this, but it is not working.

I changed the name in the client.keys in both the agent and manager, changed the files in the manager, restart both, but when I restart the manager it changes back the name in the client.keys.

My problem is a contractor ran the remote registering three times, with changed the agent name from service-prd-01 to service-prd-012 and finally to service-prd-013, I want to change it back to service-prd-01, but it looks that Wazuh are not allowing me to use a agent-name that was used before, even if I deleted it.

[Leandro Maciel]

Hello,

I was able to change the name, needed to stop both the wazuh-manager and wazuh-agent before editing the client.keys file, but the name did not change in the Wazuh Kibana App and it now shows that the agent id, which have the name changed, is disconnected.

How can I solve this? Already restarted Kibana and the Wazuh API, Wazuh Manager and Wazuh Agent.

Where the Kibana App search for the agent name?

[Jose Luis Ruiz]

Hi Leandro, 

Follow the next steps:

1 - Stop the manager service

2 - Stop de API service

3 - Remove the databases with the following commands:

rm -f /var/ossec/var/db/global.db* 

rm -f /var/ossec/var/db/.profile.db* 

rm -f /var/ossec/var/db/agents/*

And then restart all services again.

Regards

----------------

Jose Luis Ruiz

@jlruizmlg

www.wazuh.com

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/4396ad54-8f62-4261-b306-29ba492e45ae%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Leandro Maciel]

It worked, many thanks!

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.

[ahu...@liquidweb.com]

This doesn't work for me. Is there anything else that I need to remove to start adding agents from 001? Thank you.

To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+unsubscribe@googlegroups.com.

[juancarl...@wazuh.com]

Hello Andrew,

I've tried the solution mentioned in this thread and it seems to still be valid for that issue.

For a hostname whose name has changed, you can update the information in the client.keys file of the manager. After restarting both the wazuh services of the manager and the agent it connects.

However, I understand that there could be confusion between the hostname and the agent's ID number. If the agent has been registered several times, or if some agents have been removed, you may find a gap in the ID numbers.

This should not be an issue as it will not affect functionality of the software. However, if you still wish to alter this number, changing the client.keys file in both the agent and manager will allow you to manually fill in those gaps.

Make sure the ossec-authd process is not running in the manager (killing it if necessary) before altering the client.keys file, that way, the next time you register agents it will start at the highest number in the manager's client.keys file +1.

Let me know if this solved the issue,
Regards,
Juan Carlos

On Friday, October 5, 2018 at 11:32:56 PM UTC+2, Andrew Huang wrote:

This doesn't work for me. Is there anything else that I need to remove to start adding agents from 001? Thank you.

On Tuesday, December 19, 2017 at 9:21:56 AM UTC-5, Jose Luis Ruiz wrote:

Hi Leandro, 

Follow the next steps:

1 - Stop the manager service

2 - Stop de API service

3 - Remove the databases with the following commands:

rm -f /var/ossec/var/db/global.db* 

rm -f /var/ossec/var/db/.profile.db* 

rm -f /var/ossec/var/db/agents/*

And then restart all services again.

Regards

----------------

Jose Luis Ruiz

@jlruizmlg

www.wazuh.com

[Andrew Huang]

Yes it works, thank you.

[regis....@gmail.com]

Hello,

after this procedure the agent status remains active even though the agent is disconnected! 

Do you have an idea of the problem?

---

you should change the name or the IP at file /var/ossec/etc/client.keys. Each line at this file has the form:

ID Name IP Key

 

Stop Wazuh, change the desired value (name or IP) at client.keys, make the same change on client.keys at agent and rename (on manager) these files:

• /var/ossec/queue/agent-info/name-IP
• /var/ossec/queue/syscheck/(name) IP->syscheck
• /var/ossec/queue/rootcheck(name) IP->rootcheck

 

Follow the next steps:

1 - Stop the manager service

2 - Stop de API service

3 - Remove the databases with the following commands:

rm -f /var/ossec/var/db/global.db* 

rm -f /var/ossec/var/db/.profile.db* 

rm -f /var/ossec/var/db/agents/*

Thank you

[Alberto Rodriguez]

Hello Regis

  Sorry for the late response. You will see the agent as disconnected after 30 minutes (by default). 

Hope it help.

Best regards,