Error "Fetch configuration. Wazuh API error: 1701 - Agent does not exist: 000"


Carlos Lopez

Nov 13, 2018, 9:28:45 AM
to wa...@googlegroups.com
Hi all,

After updating to 3.7 I am seeing this error in Kibana's app under Management/Configuration section. Any idea?

Regards,
C. L. Martinez

Carlos Lopez

Nov 14, 2018, 2:23:39 AM
to wa...@googlegroups.com
Please, any idea? It is not possible to access any section under Management/Configuration.


Regards,
C. L. Martinez

Carlos Lopez

Nov 16, 2018, 3:04:44 AM
to wa...@googlegroups.com
After resolving the error with FIM, as you can see here: https://groups.google.com/forum/#!topic/wazuh/JeaWof7Bb3I, this error no longer appears. But a new error appears:

Fetch configuration. Wazuh API error: 1013 - Unable to connect with socket: The component might be disabled

But my cluster is working:

-----------------------------------------------
Name Address Type Version
-----------------------------------------------
wazuh-001 10.2.1.33 master 3.7.0
wazuh-002 10.2.1.34 worker 3.7.0
-----------------------------------------------

Regards,
C. L. Martinez

Miguel Ruiz

Nov 16, 2018, 11:40:46 AM
to Wazuh mailing list
Hi Carlos,

Can you check the API log and the Ossec.log to check if we can extract more information about the error from there?

The log files are located at /var/ossec/logs/ossec.log and /var/ossec/logs/api.log

I see you created the dir /var/ossec/var/db/agents. Can you check that the permissions of the directory are correct?

ls -l /var/ossec/var/db/

And the permission should be 770 and the owner root:ossec.

If they are not, give it the correct permissions with
chown root:ossec /var/ossec/var/db/agents
chmod 770 /var/ossec/var/db/agents

Let me know if you find more information in the log file, so I can give you better assistance.

Best regards,
Miguel

Carlos Lopez

Nov 19, 2018, 2:32:09 AM
to Miguel Ruiz, Wazuh mailing list
Hi Miguel,

I don't see any error in ossec.log or api.log ... About the dir permissions, they are correct:

root@wazuh-001:/var/ossec/logs# ls -la /var/ossec/var/db/
total 860
drwxrwx---. 3 root ossec 99 Nov 19 07:16 .
drwxr-x---. 9 root ossec 106 Nov 19 07:16 ..
drwxrwx---. 2 root ossec 121 Nov 19 07:21 agents

... and error continues ...

Regards,
C. L. Martinez

Carlos Lopez

Nov 19, 2018, 2:53:31 AM
to Miguel Ruiz, Wazuh mailing list
Sorry, there is an error in api.log:

WazuhAPI 2018-11-19 07:50:06 wazuh: [::ffff:10.0.84.85] GET /agents/000/config/com/cluster? - 200 - error: '1013'.

Regards,
C. L. Martinez

Miguel Ruiz

Nov 20, 2018, 7:18:15 AM
to Wazuh mailing list
Hi Carlos,

That error message may help us limit the problem.

Let's verify the content of the directory /var/ossec/queue/ossec and the running processes:

ls -l /var/ossec/queue/ossec/
ps aux | grep ossec

Can you confirm the API is only running in the wazuh-001 instance?

Please send me the results of the previous commands.

Kind regards,
Miguel


Carlos Lopez

Nov 21, 2018, 2:01:20 AM
to Miguel Ruiz, Wazuh mailing list
Hi Miguel,

Here are the outputs:


ls -l /var/ossec/queue/ossec/
total 0
srw-rw----. 1 ossec ossec 0 Nov 19 07:16 analysis
srw-rw----. 1 root ossec 0 Nov 19 07:16 auth
srw-rw----. 1 root ossec 0 Nov 5 07:27 com
srw-rw----. 1 root ossec 0 Nov 19 07:16 download
srw-rw----. 1 root ossec 0 Nov 19 07:16 logcollector
srw-rw----. 1 ossecm ossec 0 Nov 19 07:16 mail
srw-rw----. 1 ossec ossec 0 Nov 19 07:16 monitor
srw-rw----. 1 ossec ossec 0 Nov 19 07:16 queue
srw-rw----. 1 ossecr ossec 0 Nov 19 07:16 request
srw-rw----. 1 root ossec 0 Nov 19 07:16 syscheck
srw-rw----. 1 root ossec 0 Nov 19 07:16 wmodules

ps aux | grep ossec:
root 7054 0.0 0.0 112704 932 pts/0 S+ 07:00 0:00 grep --color=auto ossec
root 13428 0.0 0.0 111700 3244 ? Sl Nov19 0:06 /var/ossec/bin/ossec-authd
ossec 13432 0.0 0.0 627484 7004 ? Sl Nov19 1:37 /var/ossec/bin/wazuh-db
ossecm 13454 0.0 0.0 33916 1608 ? Sl Nov19 0:01 /var/ossec/bin/ossec-maild
ossec 13459 0.1 1.2 729192 96976 ? Sl Nov19 3:22 /var/ossec/bin/ossec-analysisd
root 13463 0.0 0.0 105220 3980 ? Sl Nov19 1:19 /var/ossec/bin/ossec-syscheckd
ossecr 13471 0.3 0.1 686320 8396 ? Sl Nov19 9:11 /var/ossec/bin/ossec-remoted
ossecr 13472 0.0 0.0 21548 1352 ? S Nov19 0:00 /var/ossec/bin/ossec-remoted
root 13474 0.0 0.0 398288 1752 ? Sl Nov19 1:35 /var/ossec/bin/ossec-logcollector
ossec 13478 0.0 0.0 33880 2104 ? Sl Nov19 0:09 /var/ossec/bin/ossec-monitord
root 13482 0.0 0.2 490668 19412 ? Sl Nov19 0:10 /var/ossec/bin/wazuh-modulesd
ossec 13538 0.1 0.2 697108 23724 ? Sl Nov19 4:46 python /var/ossec/bin/wazuh-clusterd
ossec 14778 0.0 0.5 928156 40840 ? Ssl Nov19 0:02 /bin/node /var/ossec/api/app.js

And yes, this is the only server where API is running ...


Regards,
C. L. Martinez

Miguel Ruiz

Nov 21, 2018, 9:40:11 AM
to Wazuh mailing list
Hi Carlos,

I can see you have 2 processes of remoted running. Probably one of them is hanging and that may be the cause of the error.

Can you please stop the Wazuh manager by executing:

systemctl stop wazuh-manager

Then check if there is any process still running and stop it. Make sure the process is killed by executing ps a second time:

ps aux | grep ossec
kill -9 {process-pid} <- the PID of the process is the first number after the user 'ossecr'
ps aux | grep ossec

Start the manager again and let me know if the problem persists.

Best regards,
Miguel



Carlos Lopez

Nov 21, 2018, 11:22:06 AM
to Miguel Ruiz, Wazuh mailing list
Hi Miguel,

It is correct, because I need two remote services up:

<remote>
<connection>secure</connection>
<port>2255</port>
<protocol>tcp</protocol>
<queue_size>131072</queue_size>
</remote>

<remote>
<connection>syslog</connection>
<port>514</port>
<protocol>udp</protocol>
<allowed-ips>10.0.84.89</allowed-ips>
<local_ip>10.0.84.83</local_ip>
</remote>

Port 2255 is for agents and port 514 is to receive syslog messages from third-party devices ...

Regards,
C. L. Martinez

Pedro Sánchez

Nov 21, 2018, 9:51:37 PM
to clo...@outlook.com, Miguel Ruiz, wa...@googlegroups.com
Hi Carlos,

I think I can help here.
I've been running several tests to recreate your issue; I describe the different scenarios below:

Cluster configuration present in ossec.conf, cluster not enabled.
{"error":1101,"message":"Error getting configuration: Unable to connect with socket. The component might be disabled"}

Cluster configuration not present in ossec.conf.
{"error":3006,"message":"Error reading cluster configuration: Requested section not present in configuration: cluster"}

Cluster configuration present in ossec.conf, disabled set to no, cluster not started and dependencies not installed
[root@manager-centos7 feeds]# curl -u foo:bar -XGET localhost:55000/agents/000/config/com/cluster
{"error":1000,"message":"Wazuh-Python Internal Error: Could not import cryptography module. Install it using one of the following commands:\n - pip install cryptography\n - yum install python-cryptography python-setuptools\n - apt install python-cryptography"}

Cluster configuration present in ossec.conf, disabled set to no, cluster not started and dependencies installed.
[root@manager-centos7 feeds]# curl -u foo:bar -XGET localhost:55000/agents/000/config/com/cluster
{"error":1101,"message":"Error getting configuration: Unable to connect with socket. The component might be disabled"}

Configuration present in ossec.conf, disabled set to no, cluster started, dependencies installed. Works OK.
[root@manager-centos7 feeds]# curl -u foo:bar -XGET localhost:55000/agents/000/config/com/cluster
{"error":0,"data":{"disabled":"no","name":"wazuh","node_name":"node01","bind_addr":"0.0.0.0","node_type":"master","nodes":["10.0.0.5"],"key":"ugdtAnd7Pi9myP7CVts4qZaZQEQcRYZa","hidden":"no","port":1516}}

Cluster up and running but ossec-execd daemon not running, probably due to <active-response><disabled>yes</disabled></active-response>
[root@manager-centos7 feeds]# curl -u foo:bar -XGET localhost:55000/agents/000/config/com/cluster
{"error":1013,"message":"Unable to connect with socket: The component might be disabled"}

As you can notice, the last error is the one you have. I can see in the output of your commands that you do not have ossec-execd running, and that is the reason you are having those errors.
Could you check your ossec.conf file? I think you have active-response disabled, as follows:

<active-response>
<disabled>yes</disabled>
</active-response>

Unfortunately, as we speak, it is required to have ossec-execd running / active-response enabled to use the configuration on demand feature. We will change this behavior in further releases; active-response and configuration on demand are not even closely related, so it does not make sense that one prevents the other from working properly.

I hope it helps, best regards,
Pedro.




Carlos Lopez

Nov 22, 2018, 2:32:38 AM
to Pedro Sánchez, Miguel Ruiz, wa...@googlegroups.com
Perfect!! ... Many thanks Pedro. That was the problem. But I have a question: I'm not interested in having the active response functionality activated. How is this change going to affect?

Regards,
C. L. Martinez

Pedro Sánchez

Nov 23, 2018, 12:01:44 AM
to clo...@outlook.com, Miguel Ruiz, wa...@googlegroups.com
Hi Carlos,

Just do not add any active-response configuration apart from the "disabled" tag; if you do not specify any AR block with the triggers, commands, etc., no AR will be executed.
It is like you have AR enabled (so ossec-execd can start) but no AR defined, so it won't trigger anything.

We are working on improving this kind of messy tricks the product has, sorry about that.

Regards,
Pedro.
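
Added example, not part of the thread and not Wazuh's own code: a Python check for the state diagnosed above (active-response disabled, ossec-execd absent, error 1013) and for the workaround of enabling active-response without arming any command. The ossec.conf and ps text are constructed samples, and the function names are hypothetical; it assumes the file has no XML declaration.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the state described in the thread, and the workaround.
CONF_AR_DISABLED = """
<ossec_config>
  <active-response>
    <disabled>yes</disabled>
  </active-response>
</ossec_config>
"""
CONF_AR_ENABLED_UNARMED = """
<ossec_config>
  <active-response>
    <disabled>no</disabled>
  </active-response>
</ossec_config>
<ossec_config>
  <!-- second root block, which ossec.conf allows -->
</ossec_config>
"""
PS_WITHOUT_EXECD = """\
root   101 0.0 0.0 1 1 ? Sl Nov19 0:06 /var/ossec/bin/ossec-authd
ossec  102 0.0 0.0 1 1 ? Sl Nov19 1:37 /var/ossec/bin/wazuh-db
ossecr 103 0.0 0.0 1 1 ? Sl Nov19 9:11 /var/ossec/bin/ossec-remoted
"""
PS_WITH_EXECD = (PS_WITHOUT_EXECD +
                 "root   104 0.0 0.0 1 1 ? Sl Nov19 0:01 /var/ossec/bin/ossec-execd\n")


def active_response_blocks(conf_text):
    # ossec.conf may hold several <ossec_config> roots, so wrap before parsing.
    root = ET.fromstring("<wrapper>" + conf_text + "</wrapper>")
    return root.findall(".//active-response")


def execd_running(ps_text):
    # The executable path is the last column of each sample `ps aux` line.
    return any(line.split()[-1] == "/var/ossec/bin/ossec-execd"
               for line in ps_text.splitlines() if line.strip())


def diagnose(conf_text, ps_text):
    blocks = active_response_blocks(conf_text)
    disabled = any((b.findtext("disabled") or "").strip().lower() == "yes"
                   for b in blocks)
    # A block that names a <command> can actually fire; the workaround has none.
    armed = [b.findtext("command").strip() for b in blocks
             if (b.findtext("command") or "").strip()]
    running = execd_running(ps_text)
    return {
        "ar_disabled": disabled,
        "execd_running": running,
        "armed_commands": armed,
        # Per the thread, configuration on demand answers 1013 when execd is down.
        "expect_error_1013": not running,
    }


if __name__ == "__main__":
    print(diagnose(CONF_AR_DISABLED, PS_WITHOUT_EXECD))
    print(diagnose(CONF_AR_ENABLED_UNARMED, PS_WITH_EXECD))
```

An empty `armed_commands` list together with `execd_running` being true is the state the workaround aims for: the daemon is up for configuration on demand, and no response can be triggered.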