Wazuh 3.7 agent upgrades questions


Nicholai Tailor

Nov 22, 2018, 10:44:26 AM
to wa...@googlegroups.com
Hello,

So after we upgraded our wazuh manager to 3.7.

Does this mean we now have to upgrade all the clients to 3.7...over 300 clients? 

I guess my question is: is there no built-in system by which wazuh-manager will tell the agents to update automatically?

Cheers

juancarl...@wazuh.com

Nov 22, 2018, 10:54:32 AM
to Wazuh mailing list
Hi Nicholai,
No, you do not need to upgrade the clients to 3.7. Wazuh managers have, until now, always been backward-compatible with older Wazuh agents.

If you do wish to, yes, you can upgrade from the wazuh-manager with the agent_upgrade tool; you can read about it here: https://documentation.wazuh.com/current/user-manual/reference/tools/agent_upgrade.html

Cheers,
Juan Carlos

Nicholai Tailor

Nov 22, 2018, 11:20:27 AM
to juancarl...@wazuh.com, wa...@googlegroups.com
Hi Juan,

Hmmz, are you sure?

Since the upgrade we get this error now.

 Fetch configuration. Wazuh API error: 1735 - Agent version is not compatible with this feature: Minimum required version is 3.7.0?


Cheers 


--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To post to this group, send email to wa...@googlegroups.com.
Visit this group at https://groups.google.com/group/wazuh.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/a129b396-abbe-45eb-b0cc-6551f26df9e0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

juancarl...@wazuh.com

Nov 22, 2018, 11:36:36 AM
to Wazuh mailing list
Hi Nicholai,

Yes, sure. There's no need to upgrade to have a functioning system.

If you wish to benefit from the features that come from a specific version, depending on the feature, you may have to upgrade the agents as well.

In this specific case, fetching agent configuration is a feature that works only for those that have version 3.7.0 or above.

Cheers,
Juan Carlos


Nicholai Tailor

Nov 22, 2018, 3:01:46 PM
to juancarl...@wazuh.com, wa...@googlegroups.com
Hi Juancarlos,

Thank you for the help and answers to my questions.

Your recent reply is rather contradictory to your previous reply: it stated that all agents are backwards compatible, and then the following reply states that some features will not work backwards.

This generally means they are not backwards compatible, as things do not work. This kind of information should be included in the upgrade documentation, as it does not appear to be in the steps for upgrading. The reason I bring this up is that people reading the documentation would assume that upgrading the manager is all you need to do and everything will work perfectly as is.

However, if I had read that I had to upgrade the manager and the agents, then it would have been part of my whole technical strategy when planning the upgrade. I feel this kind of information is crucial for upgrades... no?

Just my suggestion :)

Thank you again.

Cheers


juancarl...@wazuh.com

Nov 23, 2018, 7:59:35 AM
to Wazuh mailing list
Hello Nicholai,

There may be some confusion about what backward compatibility entails.

In this case, having a manager of version 3.7 allows you to continue using all the features previously available with agents that have an older version.

When possible, new features that reside completely in the manager's code will be available even when interacting with agents of previous versions. This is favored but not guaranteed.

If Wazuh didn't provide backward compatibility, you would not be able to use a new manager to benefit from all the features previously available with older agents.

You do not need to upgrade all of your agents if you're not interested in this particular feature.

I hope this answer helps,
Best Regards,
Juan Carlos


Nicholai Tailor

Nov 23, 2018, 8:03:12 AM
to juancarl...@wazuh.com, wa...@googlegroups.com
Hi Juancarlos,

Thank you for your reply.

Your statement clearly states you do need to upgrade all the agents if you want everything to work.

I was just suggesting you may want to include upgrading the agents in the upgrade documentation as all the features do not work after an upgrade to 3.7.

Cheers



Nicholai Tailor

Nov 26, 2018, 3:23:08 AM
to juancarl...@wazuh.com, wa...@googlegroups.com
Hello,

After reviewing the agent upgrade tool documentation.

It seems a bit unclear to me.

We have Windows, CentOS and Ubuntu.

Do you have to use an internal repository, and does it have to be in a WPK file?

agent_upgrade -a 002 -dF -v v3.0.0 -r http://mycompany.wpkrepo.com/ -t 500


agent_upgrade -a 002 -dF -v v3.7.0 -r http://mycompany.reponotwpk.com/ -t 500 <--can it be like this?
Can we not use deb and rpm files provided by you, and how does it work on Windows?
Cheers


Nicholai Tailor

Nov 28, 2018, 12:10:38 PM
to wa...@googlegroups.com
Hello,

Still waiting for a response on this?

Could someone please chime in :)

Cheers

juancarl...@wazuh.com

Nov 28, 2018, 12:53:05 PM
to Wazuh mailing list
Hello Nicholai,

The internal repository is optional and only necessary if you have network restrictions that don't allow your manager to connect to our repositories or if you wish to maintain a repository with a custom WPK.

This feature only works with WPK files indeed. If you wish you may also download these files (from here) and use the -f modifier to specify the location to which you have downloaded the file.

Let us know if there's a particular reason you wish to use .deb or .rpm files for this process.

This feature has been tested to work correctly on both Windows and Linux systems.

The commands you suggest are correct (provided you set up a private WPK repository at the specified URL), although when upgrading, the -F modifier is unnecessary.

Regards,
Juan Carlos


Nicholai Tailor

Nov 28, 2018, 1:16:27 PM
to juancarl...@wazuh.com, wa...@googlegroups.com
Hello Juancarlos,

Perfect, that's what I wanted to know.

I was kinda hoping we could just use the command to use your repos? Is that possible?

Also the Linux WPK will work on any distro?

Cheers


juancarl...@wazuh.com

Nov 28, 2018, 1:27:01 PM
to Wazuh mailing list
Hi,

Yes, by default the agent_upgrade utility uses our repositories. To upgrade agent 001 like that, just run:

/var/ossec/bin/agent_upgrade -a 001

The current version WPK for Linux works for all supported distros. This was not the case in previous versions, which would have specific WPKs (for Debian, CentOS, Fedora, Ubuntu, etc.).

Regards,

Juan Carlos


Nicholai Tailor

Nov 28, 2018, 1:44:37 PM
to wa...@googlegroups.com


---------- Forwarded message ---------
From: Nicholai Tailor <nichola...@gmail.com>
Date: Wed, Nov 28, 2018 at 6:44 PM
Subject: Re: Wazuh 3.7 agent upgrades questions
To: <juancarl...@wazuh.com>


Hi Juancarlos,

Also does the agent-upgrade command also restart the agent after the upgrade?

Or is that a separate step?

Cheers

On Wed, Nov 28, 2018 at 6:39 PM Nicholai Tailor <nichola...@gmail.com> wrote:
Hi Juancarlos,

Sweet,

Is there a command that I can run that will cycle through all the agents and upgrade them instead of having to do them one by one?

Cheers


Nicholai Tailor

Nov 28, 2018, 1:51:17 PM
to wa...@googlegroups.com, juancarl...@wazuh.com
Hi Juancarlos,

It's okay, I just wrote a bash for loop to cycle through them, logging it to a file.

It would be nice to have a flag that does upgrade all though.

Cheers

juancarl...@wazuh.com

Nov 28, 2018, 2:00:27 PM
to Wazuh mailing list
Hello Nicholai,

> Is there a command that I can run that will cycle through all the agents and upgrade them instead of having to do them one by one?

Not currently; if you wish, you may craft a script to do so. Bear in mind when crafting said script that it should first verify that the agent version is v3.0.0 or higher and that the agent is active; otherwise it will fail and take some time.

I agree that it would be an interesting feature to add to Wazuh, so I invite you to contribute to the project by opening an issue to that effect on GitHub.

> Also does the agent-upgrade command also restart the agent after the upgrade?

Yes it does.

Regards,

Juan Carlos


Nicholai Tailor

Nov 28, 2018, 2:07:52 PM
to juancarl...@wazuh.com, wa...@googlegroups.com
Hi Juan,

Sure, it was super easy to craft.

In case anyone else wants to use it.

All I did was run '/var/ossec/bin/agent_upgrade -l', which lists out all the outstanding agents.

Copied all the agent numbers to a file called 'agentupgrade.txt', single column.

303
214
606
etc  

Then simply run a for loop like below. I opened up a screen session so I could tail the log file; if you don't use the log file it will show the output. Keep in mind if you use this without error fail.
If you want to kill the command you have to kill every agent process, as it will cycle through the list every time you try and exit.

But its working.

for name in `cat agentupgrade.txt`; do /var/ossec/bin/agent_upgrade -a $name; done > logupgrade.txt

My only question is: does the agent_upgrade restart the agent after the upgrade, or do I need to do that separately?

Cheers


Nicholai Tailor

Nov 28, 2018, 2:20:52 PM
to juancarl...@wazuh.com, wa...@googlegroups.com
If the agent_upgrade fails to push the WPK file, we can simply use apt or yum on Linux to manually update, yes?

Cheers

juancarl...@wazuh.com

Nov 28, 2018, 2:26:21 PM
to Wazuh mailing list
Hello,

Yes, if the agent_upgrade fails it will leave the agent's system in the same state as it was prior to the upgrade attempt.
 
In which case you may decide to upgrade from within the agent either using the repositories or deb/rpm packages.

Cheers,
Juan Carlos

Nicholai Tailor

Nov 28, 2018, 2:30:32 PM
to juancarl...@wazuh.com, wa...@googlegroups.com
Hi Juancarlos,

Okay cool,

And lastly, does the agent_upgrade restart the agent upon completing the upgrade?

Or do I need to restart them manually after?

Cheers


juancarl...@wazuh.com

Nov 28, 2018, 2:46:03 PM
to Wazuh mailing list
Hello Nicholai,

Yes, the agent_upgrade utility will instruct the agent to restart upon finishing.

There is no need to do it manually.

Regards,
Juan Carlos


Nicholai Tailor

Nov 28, 2018, 3:20:08 PM
to juancarl...@wazuh.com, wa...@googlegroups.com
Hi Juancarlos,

How is the agent_upgrade sending the file to the agents? Which port is it using?

I am getting a lot of these errors below, which could be due to firewall?

Error 1716: Error upgrading agent: Timeout waiting for agent reconnection.
Error 1715: Error sending WPK file: Maximum attempts exceeded
Error 1715: Error sending WPK file: Maximum attempts exceeded
Error 1715: Error sending WPK file: Maximum attempts exceeded

Cheers




Nicholai Tailor

Nov 28, 2018, 7:25:22 PM
to wa...@googlegroups.com
When I try to upgrade I keep getting this failure, Windows or Linux.

I have a feeling it could be due to proxy. If I need to set up a proxy, where can I do that?

# /var/ossec/bin/agent_upgrade -d -a 312
Manager version: v3.7.0
Agent version: v3.3.1
Agent new version: v3.7.0
WPK file already downloaded: /var/ossec/var/upgrade/wazuh_agent_v3.7.0_windows.wpk - SHA1SUM: 79678fd4ab800879aacd4451a64e799c62688b64
Upgrade PKG: wazuh_agent_v3.7.0_windows.wpk (2108 KB)
MSG SENT: 312 com open wb wazuh_agent_v3.7.0_windows.wpk
RESPONSE: ok
MSG SENT: 312 com lock_restart -1
RESPONSE: ok
Chunk size: 512 bytes
Sending: /var/ossec/var/upgrade/wazuh_agent_v3.7.0_windows.wpk
MSG SENT: 312 com close wazuh_agent_v3.7.0_windows.wpk
RESPONSE: ok
MSG SENT: 312 com sha1 wazuh_agent_v3.7.0_windows.wpk
RESPONSE: ok 79678fd4ab800879aacd4451a64e799c62688b64
WPK file sent
MSG SENT: 312 com upgrade wazuh_agent_v3.7.0_windows.wpk upgrade.bat
RESPONSE: ok 0 
Upgrade procedure started
MSG SENT: 312 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 312 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 312 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 312 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 312 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 312 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 312 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 312 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 312 com upgrade_result

Cheers

Nicholai Tailor

Nov 28, 2018, 7:47:08 PM
to wa...@googlegroups.com
Hello,

Upon further investigation it looks like I have a whole bunch of agents that are suddenly disconnected, and my script was failing on the disconnect.

It would probably be a good idea for agent_upgrade to also list out which agents are active for future scripting purposes.

Cheers

Nicholai Tailor

Nov 28, 2018, 8:11:36 PM
to wa...@googlegroups.com
Hello,

Just so everyone knows.

If you use my for loop one-liner to upgrade all your agents:

1. Make sure that all the agents are active in Kibana before you run it.
2. Once the script starts, don't stop it. If you do, it will delete the agent key and then you have to manually re-add the key.

Cheers
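
Added example (not part of the thread and not Wazuh project code): a POSIX shell pre-flight for the for loop discussed above, applying the two checks Juan Carlos recommends (agent active, agent version v3.0.0 or higher) before agent_upgrade is called, and logging one result line per agent. The `agent_control -l` line layout, the sample listings, the function names and a non-zero exit status from agent_upgrade on failure are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight filter for a bulk agent_upgrade run.
# Paths are the ones used in the thread; everything else is illustrative.
AGENT_UPGRADE=/var/ossec/bin/agent_upgrade
AGENT_CONTROL=/var/ossec/bin/agent_control
MIN_VERSION=3.0.0   # minimum agent version quoted in the thread

# Constructed sample of `agent_upgrade -l` output (layout as posted in the thread).
SAMPLE_OUTDATED='ID    Name                                Version
001   vagrant-2012-r2                     Wazuh v3.3.0
104   win7-desk                           Wazuh v3.3.1
214   old-centos                          Wazuh v2.1.1
312   win2016-app                         Wazuh v3.3.1
Total outdated agents: 4'

# Constructed sample of `agent_control -l` output (line layout is an assumption).
SAMPLE_STATUS='Wazuh agent_control. List of available agents:
   ID: 000, Name: manager (server), IP: 127.0.0.1, Active/Local
   ID: 001, Name: vagrant-2012-r2, IP: any, Active
   ID: 104, Name: win7-desk, IP: any, Disconnected
   ID: 214, Name: old-centos, IP: any, Active
   ID: 312, Name: win2016-app, IP: any, Active'

# version_ge A B: succeed when dotted version A >= B (a leading "v" is ignored).
version_ge() {
    awk -v a="${1#v}" -v b="${2#v}" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }' </dev/null
}

# active_ids STATUS_TEXT: print the IDs whose status field is exactly "Active"
# (this leaves out Disconnected agents and the manager's Active/Local entry).
active_ids() {
    printf '%s\n' "$1" | awk -F', ' '/^ *ID: [0-9]+,/ {
        s = $NF; sub(/[ \t\r]+$/, "", s)
        if (s == "Active") { id = $1; sub(/^ *ID: /, "", id); print id }
    }'
}

# select_upgradable OUTDATED_TEXT STATUS_TEXT: one decision line per outdated agent.
select_upgradable() {
    active=$(active_ids "$2")
    # Keep only rows that start with a numeric ID; the version is the last field.
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $1, $NF }' |
    while read -r id ver; do
        if ! printf '%s\n' "$active" | grep -Fqx "$id"; then
            echo "$id skip not-active"
        elif ! version_ge "$ver" "$MIN_VERSION"; then
            echo "$id skip below-v$MIN_VERSION"
        else
            echo "$id upgrade"
        fi
    done
}

# upgrade_all LOGFILE: query the manager, then upgrade only the agents that passed.
upgrade_all() {
    log=${1:-logupgrade.txt}
    outdated=$("$AGENT_UPGRADE" -l) || return 1
    status=$("$AGENT_CONTROL" -l) || return 1
    select_upgradable "$outdated" "$status" |
    while read -r id action reason; do
        if [ "$action" != upgrade ]; then
            echo "agent $id: skipped ($reason)" >>"$log"
            continue
        fi
        # </dev/null keeps the tool from consuming the loop's input.
        # Assumption: agent_upgrade exits non-zero on failure; its own
        # "Error NNNN" lines land in the log either way.
        if "$AGENT_UPGRADE" -a "$id" >>"$log" 2>&1 </dev/null; then
            echo "agent $id: ok" >>"$log"
        else
            echo "agent $id: FAILED (exit $?)" >>"$log"
        fi
    done
}

# Only touch real agents when asked to; otherwise the file just defines functions.
if [ "${1:-}" = "--run" ]; then
    upgrade_all "${2:-logupgrade.txt}"
fi
```

Run it on the manager with `--run [logfile]`; calling `select_upgradable` on captured listings first shows which agents would be skipped and why.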

Nicholai Tailor

Nov 29, 2018, 1:20:19 AM
to wa...@googlegroups.com
Hello,

The agent_upgrade seems to time out after a while.

It will upload the agent, but when it tries to re-enter the key and IP it fails and times out.

I believe this could be a bug? It worked for most of my agents but there's about 30 it won't work on.

Any ideas?

Cheers

Nicholai Tailor

Nov 29, 2018, 7:46:55 AM
to wa...@googlegroups.com
Hello,

Is there anything I can do to solve this?

It's happening to about 40 machines....

# /var/ossec/bin/agent_upgrade -d -a 104
Manager version: v3.7.0
Agent version: v3.3.1
Agent new version: v3.7.0
WPK file already downloaded: /var/ossec/var/upgrade/wazuh_agent_v3.7.0_windows.wpk - SHA1SUM: 79678fd4ab800879aacd4451a64e799c62688b64
Upgrade PKG: wazuh_agent_v3.7.0_windows.wpk (2108 KB)
MSG SENT: 104 com open wb wazuh_agent_v3.7.0_windows.wpk
RESPONSE: ok
MSG SENT: 104 com lock_restart -1
RESPONSE: ok
Chunk size: 512 bytes
Sending: /var/ossec/var/upgrade/wazuh_agent_v3.7.0_windows.wpk
MSG SENT: 104 com close wazuh_agent_v3.7.0_windows.wpk
RESPONSE: ok
MSG SENT: 104 com sha1 wazuh_agent_v3.7.0_windows.wpk
RESPONSE: ok 79678fd4ab800879aacd4451a64e799c62688b64
WPK file sent
MSG SENT: 104 com upgrade wazuh_agent_v3.7.0_windows.wpk upgrade.bat
RESPONSE: ok 0 
Upgrade procedure started
MSG SENT: 104 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 104 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 104 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 104 com upgrade_result

Cheers

Nicholai Tailor

Nov 29, 2018, 7:57:28 AM
to wa...@googlegroups.com
Hello,

I have confirmed that the new agent gets updated; however, as soon as it's updated it's unable to re-add the key and manager IP to the new agent.

Not sure why. Something to do with.

MSG SENT: 103 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 103 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 103 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 103 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 103 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 103 com upgrade_result
RESPONSE: err Cannot read upgrade_result file.
MSG SENT: 103 com upgrade_result
RESPONSE: err Cannot read upgrade_result file.
MSG SENT: 103 com upgrade_result
RESPONSE: err Cannot read upgrade_result file

Cheers

Nicholai Tailor

Nov 29, 2018, 8:16:31 AM
to wa...@googlegroups.com
Hello,

It appears to be happening to all Windows 7 machines....

Cheers

Nicholai Tailor

Nov 29, 2018, 8:21:19 AM
to wa...@googlegroups.com
Hello,

I have confirmed that if it is newer than Windows 7 the upgrade works fine.

There appears to be a bug in the agent_upgrade that does not work with Windows 7.

Cheers

Nicholai Tailor

Nov 29, 2018, 8:50:13 AM
to wa...@googlegroups.com
Hello,

Okay, I was wrong, it appears to be sporadic.

This is a bit concerning. I'm assuming if I used Ansible to simply update the agents, the manager IPs and keys would have been wiped on all the agents if I didn't use the upgrade tool?

Cheers

Nicholai Tailor

Nov 29, 2018, 9:14:47 AM
to wa...@googlegroups.com
Hello,

Here is some more debug

Upgrade procedure started
MSG SENT: 288 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 288 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 288 com upgrade_result
^C
Error 1014: Error communicating with socket: /var/ossec/queue/ossec/request
Traceback (most recent call last):
  File "/var/ossec/bin/agent_upgrade", line 165, in <module>
    main()
  File "/var/ossec/bin/agent_upgrade", line 137, in main
    upgrade_result = agent.upgrade_result(debug=args.debug)
  File "/var/ossec/bin/../framework/wazuh/agent.py", line 2270, in upgrade_result
    data = s.receive().decode()
  File "/var/ossec/bin/../framework/wazuh/ossec_socket.py", line 52, in receive
    raise WazuhException(1014, self.path)
wazuh.exception.WazuhException: Error 1014 - Error communicating with socket: /var/ossec/queue/ossec/request


Something very wrong with the tool.

Nicholai Tailor

Nov 29, 2018, 7:25:22 PM
to wa...@googlegroups.com
Hello,

I recommend people avoid upgrading to 3.7 until they solve the problem with the agent_upgrade tool

Or you will be left with agents on which not all the features will work. If you have lots of agents this will be very problematic.

# /var/ossec/bin/agent_upgrade -d -a 294
Manager version: v3.7.0
Agent version: v3.3.1
Agent new version: v3.7.0
WPK file already downloaded: /var/ossec/var/upgrade/wazuh_agent_v3.7.0_windows.wpk - SHA1SUM: 79678fd4ab800879aacd4451a64e799c62688b64
Upgrade PKG: wazuh_agent_v3.7.0_windows.wpk (2108 KB)
MSG SENT: 294 com open wb wazuh_agent_v3.7.0_windows.wpk
RESPONSE: ok
MSG SENT: 294 com lock_restart -1
RESPONSE: ok
Chunk size: 512 bytes
Sending: /var/ossec/var/upgrade/wazuh_agent_v3.7.0_windows.wpk
MSG SENT: 294 com close wazuh_agent_v3.7.0_windows.wpk
RESPONSE: ok
MSG SENT: 294 com sha1 wazuh_agent_v3.7.0_windows.wpk
RESPONSE: ok 79678fd4ab800879aacd4451a64e799c62688b64
WPK file sent
MSG SENT: 294 com upgrade wazuh_agent_v3.7.0_windows.wpk upgrade.bat
RESPONSE: ok 0 
Upgrade procedure started
MSG SENT: 294 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 294 com upgrade_result
RESPONSE: err Maximum attempts exceeded

Cheers

Pedro Sánchez

Nov 29, 2018, 11:04:09 PM
to Nicholai Tailor, wa...@googlegroups.com
Hi Nicholai,

I have been testing the agent upgrade tool, upgrading agents from 3.3.1 to 3.7.0, Windows 7 and Windows 2012.
I can not see any keys lost from either manager or agents, I did not use Ansible playbooks or standard upgrade (yum/MSI).
Check below the result of upgrading the agent (Manager: v3.7.0 CentOS7 / Agent: v3.3.0 Windows2012):

[root@manager-centos7 vagrant]# /var/ossec/bin/agent_upgrade -l
ID    Name                                Version
001   vagrant-2012-r2                     Wazuh v3.3.0
Total outdated agents: 1
[root@manager-centos7 vagrant]# /var/ossec/bin/agent_upgrade -a 001 -d
Manager version: v3.7.0
Agent version: v3.3.0
Agent new version: v3.7.0
Downloading WPK file from: https://packages.wazuh.com/wpk/windows/wazuh_agent_v3.7.0_windows.wpk
WPK file downloaded: /var/ossec/var/upgrade/wazuh_agent_v3.7.0_windows.wpk - SHA1SUM: 79678fd4ab800879aacd4451a64e799c62688b64
Upgrade PKG: wazuh_agent_v3.7.0_windows.wpk (2108 KB)
MSG SENT: 001 com open wb wazuh_agent_v3.7.0_windows.wpk
RESPONSE: ok
MSG SENT: 001 com lock_restart -1
RESPONSE: ok
Chunk size: 512 bytes
Sending: /var/ossec/var/upgrade/wazuh_agent_v3.7.0_windows.wpk
MSG SENT: 001 com close wazuh_agent_v3.7.0_windows.wpk
RESPONSE: ok
MSG SENT: 001 com sha1 wazuh_agent_v3.7.0_windows.wpk
RESPONSE: ok 79678fd4ab800879aacd4451a64e799c62688b64
WPK file sent
MSG SENT: 001 com upgrade wazuh_agent_v3.7.0_windows.wpk upgrade.bat
RESPONSE: ok 0
Upgrade procedure started
MSG SENT: 001 com upgrade_result
RESPONSE: ok 0
Agent upgraded successfully

If I uninstall the agent, it is actually saving critical files just in case the user wants to preserve them:

[Attached image: image.png]

I hope you can give us more details about what the agent status is after the upgrade attempt. You mention it is losing the keys; does it mean that after the upgrade the agent cannot reconnect?
What do client.keys and ossec.conf look like after the upgrade attempt?
I think you mentioned it was failing only on Windows 7, but you realized it is happening to other Windows hosts in your environment; do the Linux hosts have the same issues?
My agents are on UDP.


Something that may help is if you could send us the ossec.log (from the agent side); enabling debug mode is always good for troubleshooting. Check below some logs from my environment as an example:

2018/11/29 19:43:43 ossec-agent: DEBUG: Received message: '#!-req f3a1a601 com open wb wazuh_agent_v3.7.0_windows.wpk'
2018/11/29 19:43:43 ossec-agent: DEBUG: Received message: '#!-req f3a1a601 ack'
2018/11/29 19:43:43 ossec-agent: DEBUG: Received message: '#!-req f3a1a602 com lock_restart -1'
2018/11/29 19:43:43 ossec-agent: DEBUG: req_receiver(): sending '#!-req f3a1a602 ok' to server
..
2018/11/29 19:52:26 ossec-agent: DEBUG: Received message: '#!-req f3a1c52b ack'
2018/11/29 19:52:26 ossec-agent: DEBUG: Received message: '#!-req f3a1c52c com upgrade wazuh_agent_v3.7.0_windows.wpk upgrade.bat'
2018/11/29 19:52:27 ossec-agent: DEBUG: req_receiver(): sending '#!-req f3a1c52c ok 0 ' to server
..
2018/11/29 19:52:32 ossec-agent: INFO: Received exit signal.
2018/11/29 19:52:32 ossec-agent: INFO: Exiting...
...
2018/11/29 19:52:40 ossec-agent: DEBUG: Received message: '#!-req f3a1c52d com upgrade_result'
2018/11/29 19:52:40 ossec-agent: DEBUG: At WCOM upgrade_result: Cannot read file 'upgrade\upgrade_result'.
2018/11/29 19:52:40 ossec-agent: DEBUG: req_receiver(): sending '#!-req f3a1c52d err Cannot read upgrade_result file.' to server
2018/11/29 19:52:45 ossec-agent: DEBUG: Received message: '#!-req f3a1c52e com upgrade_result'
2018/11/29 19:52:45 ossec-agent: DEBUG: req_push(): Sending ack (f3a1c52e).
2018/11/29 19:52:45 ossec-agent: DEBUG: req_receiver(): sending '#!-req f3a1c52e ok 0


I hope it helps, best regards,
Pedro. 


Nicholai Tailor

Dec 3, 2018, 8:06:51 PM
to Pedro de Castro, wa...@googlegroups.com
Hi Pedro,

No, Linux was fine; it seems like only Windows machines. I thought it was Windows 7, but it appears to be Windows 2016 as well.

]# /var/ossec/bin/agent_upgrade -d -a 293
Manager version: v3.7.0
Agent version: v3.3.1
Agent new version: v3.7.0
WPK file already downloaded: /var/ossec/var/upgrade/wazuh_agent_v3.7.0_windows.wpk - SHA1SUM: 79678fd4ab800879aacd4451a64e799c62688b64
Upgrade PKG: wazuh_agent_v3.7.0_windows.wpk (2108 KB)
MSG SENT: 293 com open wb wazuh_agent_v3.7.0_windows.wpk
RESPONSE: ok
MSG SENT: 293 com lock_restart -1
RESPONSE: ok
Chunk size: 512 bytes
Sending: /var/ossec/var/upgrade/wazuh_agent_v3.7.0_windows.wpk
MSG SENT: 293 com close wazuh_agent_v3.7.0_windows.wpk
RESPONSE: ok
MSG SENT: 293 com sha1 wazuh_agent_v3.7.0_windows.wpk
RESPONSE: ok 79678fd4ab800879aacd4451a64e799c62688b64
WPK file sent
MSG SENT: 293 com upgrade wazuh_agent_v3.7.0_windows.wpk upgrade.bat
RESPONSE: ok 0 
Upgrade procedure started
MSG SENT: 293 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 293 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 293 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 293 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 293 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 293 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 293 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 293 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 293 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 293 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 293 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 293 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 293 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 293 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 293 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 293 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 293 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 293 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 293 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 293 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 293 com upgrade_result
RESPONSE: err Maximum attempts exceeded

As you can see, the manager IP and the key are now gone.
The message above just keeps repeating.

Ossec.conf
============
<!--
  Wazuh - Agent - Default configuration for Windows
-->

<ossec_config>

  <client>
    <server>
      <address>0.0.0.0</address>
      <port>1514</port>
      <protocol>udp</protocol>
    </server>
    <crypto_method>aes</crypto_method>
    <notify_time>10</notify_time>
    <time-reconnect>60</time-reconnect>
    <auto_restart>yes</auto_restart>
  </client>

  <!-- Agent buffer options -->
  <client_buffer>
    <disabled>no</disabled>
    <queue_size>5000</queue_size>
    <events_per_second>500</events_per_second>
  </client_buffer>

  <!-- Log analysis -->
  <localfile>
    <location>Application</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907]</query>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventlog</log_format>
  </localfile>

  <localfile>
    <location>active-response\active-responses.log</location>
    <log_format>syslog</log_format>
  </localfile>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <windows_audit>./shared/win_audit_rcl.txt</windows_audit>
    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
  </rootcheck>

  <!-- File integrity monitoring -->
  <syscheck>
    
    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <!-- Default files to be monitored. -->
    <directories check_all="yes">%WINDIR%\regedit.exe</directories>
    <directories check_all="yes">%WINDIR%\system.ini</directories>
    <directories check_all="yes">%WINDIR%\win.ini</directories>

    <directories check_all="yes">%WINDIR%\SysNative\at.exe</directories>
    <directories check_all="yes">%WINDIR%\SysNative\attrib.exe</directories>
    <directories check_all="yes">%WINDIR%\SysNative\cacls.exe</directories>
    <directories check_all="yes">%WINDIR%\SysNative\cmd.exe</directories>
    <directories check_all="yes">%WINDIR%\SysNative\drivers\etc</directories>
    <directories check_all="yes">%WINDIR%\SysNative\eventcreate.exe</directories>
    <directories check_all="yes">%WINDIR%\SysNative\ftp.exe</directories>
    <directories check_all="yes">%WINDIR%\SysNative\lsass.exe</directories>
    <directories check_all="yes">%WINDIR%\SysNative\net.exe</directories>
    <directories check_all="yes">%WINDIR%\SysNative\net1.exe</directories>
    <directories check_all="yes">%WINDIR%\SysNative\netsh.exe</directories>
    <directories check_all="yes">%WINDIR%\SysNative\reg.exe</directories>
    <directories check_all="yes">%WINDIR%\SysNative\regedt32.exe</directories>
    <directories check_all="yes">%WINDIR%\SysNative\regsvr32.exe</directories>
    <directories check_all="yes">%WINDIR%\SysNative\runas.exe</directories>
    <directories check_all="yes">%WINDIR%\SysNative\sc.exe</directories>
    <directories check_all="yes">%WINDIR%\SysNative\schtasks.exe</directories>
    <directories check_all="yes">%WINDIR%\SysNative\sethc.exe</directories>
    <directories check_all="yes">%WINDIR%\SysNative\subst.exe</directories>
    <directories check_all="yes">%WINDIR%\SysNative\wbem\WMIC.exe</directories>
    <directories check_all="yes">%WINDIR%\SysNative\WindowsPowerShell\v1.0\powershell.exe</directories>
    <directories check_all="yes">%WINDIR%\SysNative\winrm.vbs</directories>

    <!-- 32-bit programs. -->
    <directories check_all="yes">%WINDIR%\System32\at.exe</directories>
    <directories check_all="yes">%WINDIR%\System32\attrib.exe</directories>
    <directories check_all="yes">%WINDIR%\System32\cacls.exe</directories>
    <directories check_all="yes">%WINDIR%\System32\cmd.exe</directories>
    <directories check_all="yes">%WINDIR%\System32\drivers\etc</directories>
    <directories check_all="yes">%WINDIR%\System32\eventcreate.exe</directories>
    <directories check_all="yes">%WINDIR%\System32\ftp.exe</directories>
    <directories check_all="yes">%WINDIR%\System32\net.exe</directories>
    <directories check_all="yes">%WINDIR%\System32\net1.exe</directories>
    <directories check_all="yes">%WINDIR%\System32\netsh.exe</directories>
    <directories check_all="yes">%WINDIR%\System32\reg.exe</directories>
    <directories check_all="yes">%WINDIR%\System32\regedit.exe</directories>
    <directories check_all="yes">%WINDIR%\System32\regedt32.exe</directories>
    <directories check_all="yes">%WINDIR%\System32\regsvr32.exe</directories>
    <directories check_all="yes">%WINDIR%\System32\runas.exe</directories>
    <directories check_all="yes">%WINDIR%\System32\sc.exe</directories>
    <directories check_all="yes">%WINDIR%\System32\schtasks.exe</directories>
    <directories check_all="yes">%WINDIR%\System32\sethc.exe</directories>
    <directories check_all="yes">%WINDIR%\System32\subst.exe</directories>
    <directories check_all="yes">%WINDIR%\System32\wbem\WMIC.exe</directories>
    <directories check_all="yes">%WINDIR%\System32\WindowsPowerShell\v1.0\powershell.exe</directories>
    <directories check_all="yes">%WINDIR%\System32\winrm.vbs</directories>

    <directories check_all="yes" realtime="yes">%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup</directories>

    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

    <!-- Windows registry entries to monitor. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>

    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>

    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>

    <!-- Windows registry entries to ignore. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
    <registry_ignore type="sregex">\Enum$</registry_ignore>

    <!-- Remove not monitored files -->
    <remove_old_diff>yes</remove_old_diff>

    <!-- Frequency for ACL checking (seconds) -->
    <windows_audit_interval>300</windows_audit_interval>
  </syscheck>

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
  </wodle>

  <!-- CIS policies evaluation -->
  <wodle name="cis-cat">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <java_path>\\server\jre\bin\java.exe</java_path>
    <ciscat_path>C:\cis-cat</ciscat_path>
  </wodle>

  <!-- Osquery integration -->
  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <bin_path>C:\ProgramData\osquery\osqueryd</bin_path>
    <log_path>C:\ProgramData\osquery\log\osqueryd.results.log</log_path>
    <config_path>C:\ProgramData\osquery\osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

  <!-- Active response -->
  <active-response>
    <disabled>no</disabled>
    <ca_store>wpk_root.pem</ca_store>
    <ca_verification>yes</ca_verification>
  </active-response>

  <!-- Choose between plain or json format (or both) for internal logs -->
  <logging>
    <log_format>plain</log_format>
  </logging>

</ossec_config>

<!-- END of Default Configuration. -->



Nicholai Tailor

Dec 3, 2018, 8:08:57 PM12/3/18
to Pedro de Castro, wa...@googlegroups.com
Hi Pedro,

I even have a machine that upgraded successfully, and Kibana and agent_upgrade -l still show it as 3.3.1, even though on the machine itself it's 3.7.

Cheers

Nicholai Tailor

Dec 3, 2018, 8:25:52 PM12/3/18
to Pedro de Castro, wa...@googlegroups.com
Hello Pedro,

Here is another machine, same issue. 

I am able to replicate this issue on over 50 machines. So there is definitely a problem with the tool.

These are all 2016 Windows machines.

# /var/ossec/bin/agent_upgrade -d -a 297
Manager version: v3.7.0
Agent version: v3.3.1
Agent new version: v3.7.0
WPK file already downloaded: /var/ossec/var/upgrade/wazuh_agent_v3.7.0_windows.wpk - SHA1SUM: 79678fd4ab800879aacd4451a64e799c62688b64
Upgrade PKG: wazuh_agent_v3.7.0_windows.wpk (2108 KB)
MSG SENT: 297 com open wb wazuh_agent_v3.7.0_windows.wpk
RESPONSE: ok
MSG SENT: 297 com lock_restart -1
RESPONSE: ok
Chunk size: 512 bytes
Sending: /var/ossec/var/upgrade/wazuh_agent_v3.7.0_windows.wpk
MSG SENT: 297 com close wazuh_agent_v3.7.0_windows.wpk
RESPONSE: ok
MSG SENT: 297 com sha1 wazuh_agent_v3.7.0_windows.wpk
RESPONSE: ok 79678fd4ab800879aacd4451a64e799c62688b64
WPK file sent
MSG SENT: 297 com upgrade wazuh_agent_v3.7.0_windows.wpk upgrade.bat
RESPONSE: ok 0 
Upgrade procedure started
MSG SENT: 297 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 297 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 297 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 297 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 297 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 297 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 297 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 297 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 297 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 297 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 297 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 297 com upgrade_result
RESPONSE: err Maximum attempts exceeded


Ossec log after it fails
====================
2018/12/04 01:21:22 ossec-agent: INFO: Using notify time: 10 and max time to reconnect: 60
2018/12/04 01:21:22 ossec-agent: ERROR: (1402): Authentication key file 'client.keys' not found.
2018/12/04 01:21:22 ossec-agent: ERROR: (1751): File client.keys not found or empty.
2018/12/04 01:21:22 ossec-agent: INFO: Received exit signal.
2018/12/04 01:21:22 ossec-agent: INFO: Exiting...
2018/12/04 01:21:22 ossec-agent: CRITICAL: (4109): Unable to start without auth keys. Exiting.


Ossec.conf
==================
Cheers

Nicholai Tailor

Dec 4, 2018, 7:44:06 AM12/4/18
to Pedro de Castro, Wazuh mailing list
Hello,

Here is another upgrade failure, with more logs for you.

# /var/ossec/bin/agent_upgrade -d -a 298
Manager version: v3.7.0
Agent version: v3.3.1
Agent new version: v3.7.0
WPK file already downloaded: /var/ossec/var/upgrade/wazuh_agent_v3.7.0_windows.wpk - SHA1SUM: 79678fd4ab800879aacd4451a64e799c62688b64
Upgrade PKG: wazuh_agent_v3.7.0_windows.wpk (2108 KB)
MSG SENT: 298 com open wb wazuh_agent_v3.7.0_windows.wpk
RESPONSE: err Maximum attempts exceeded
MSG SENT: 298 com open wb wazuh_agent_v3.7.0_windows.wpk
RESPONSE: err Maximum attempts exceeded
MSG SENT: 298 com open wb wazuh_agent_v3.7.0_windows.wpk
RESPONSE: err Maximum attempts exceeded
MSG SENT: 298 com open wb wazuh_agent_v3.7.0_windows.wpk
RESPONSE: err Maximum attempts exceeded
MSG SENT: 298 com open wb wazuh_agent_v3.7.0_windows.wpk
RESPONSE: err Maximum attempts exceeded
MSG SENT: 298 com open wb wazuh_agent_v3.7.0_windows.wpk
RESPONSE: err Maximum attempts exceeded
MSG SENT: 298 com open wb wazuh_agent_v3.7.0_windows.wpk
RESPONSE: err Maximum attempts exceeded
MSG SENT: 298 com open wb wazuh_agent_v3.7.0_windows.wpk
RESPONSE: err Maximum attempts exceeded
MSG SENT: 298 com open wb wazuh_agent_v3.7.0_windows.wpk
RESPONSE: err Maximum attempts exceeded
MSG SENT: 298 com open wb wazuh_agent_v3.7.0_windows.wpk
RESPONSE: err Maximum attempts exceeded
MSG SENT: 298 com open wb wazuh_agent_v3.7.0_windows.wpk
RESPONSE: err Maximum attempts exceeded
Error 1715: Error sending WPK file: Maximum attempts exceeded
Traceback (most recent call last):
  File "/var/ossec/bin/agent_upgrade", line 165, in <module>
    main()
  File "/var/ossec/bin/agent_upgrade", line 119, in main
    rl_timeout=-1 if args.timeout == None else args.timeout, use_http=use_http)
  File "/var/ossec/bin/../framework/wazuh/agent.py", line 2206, in upgrade
    show_progress=show_progress, chunk_size=chunk_size, rl_timeout=rl_timeout, use_http=use_http)
  File "/var/ossec/bin/../framework/wazuh/agent.py", line 2102, in _send_wpk_file
    raise WazuhException(1715, data.replace("err ",""))
wazuh.exception.WazuhException: Error 1715 - Error sending WPK file: Maximum attempts exceeded

Cheers

Nicholai Tailor

Dec 6, 2018, 6:07:51 AM12/6/18
to wa...@googlegroups.com
Hello,

Any word on this issue?

Cheers

Victor Fernandez

Dec 18, 2018, 4:41:16 AM12/18/18
to Nicholai Tailor, Wazuh mailing list
Hi Nicholai,

This issue seems to be due to a network timeout. Windows is quite prone to losing packages in UDP mode because it uses a very small network buffer.

If this is the case, I suggest you try a couple of things:

a) Tune the WPK delivery options. You will find these internal options for Remoted:

# Retransmission timeout seconds [0..60]
remoted.request_rto_sec=1

# Retransmission timeout milliseconds [0..999]
remoted.request_rto_msec=0

# Max. number of sending attempts [1..16]
remoted.max_attempts=4

Copy these options into /var/ossec/etc/local_internal_options.conf, and modify them according to your needs.

For instance, since I think that the cause of this problem is packet loss, you may want to increase the number of attempts:

remoted.max_attempts=16

If this solves the problem, maybe decreasing the timeout speeds up the WPK installer delivery:

# Retransmission timeout seconds [0..60]
remoted.request_rto_sec=0
# Retransmission timeout milliseconds [0..999]
remoted.request_rto_msec=500

b) Decrease the WPK file chunk size. This is the number of bytes that the manager sends to the agent per attempt. The default value is 512 bytes, but you can modify this parameter directly in the agent_upgrade tool:

# /var/ossec/bin/agent_upgrade -d -a 298 -c 128

We have knowledge of this kind of issue in agents connected in UDP. I recommend you connect your agents in TCP mode when possible. In fact, we can increase the WPK chunk size up to 5120 bytes in TCP mode, and you will note that the manager sends the file pretty fast.

Hope it helps.
Best regards,

Victor Manuel Fernandez-Castro 
Core Engineering | vic...@wazuh.com
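
Added example (not part of the original thread, and not Wazuh's code): the failures quoted in this thread stop at different requests, `open` for agent 298 and `upgrade_result` for agents 293 and 297. This Python helper classifies `agent_upgrade -d` output by the request that stopped being answered and compares the manager's SHA1SUM with the hash the agent reports; the function name `triage`, the verdict strings and the shortened sample logs are constructed for illustration.

```python
import re

# Constructed samples, modelled on the `agent_upgrade -d` output quoted in this thread.
DELIVERED = """\
WPK file already downloaded: /var/ossec/var/upgrade/wazuh_agent_v3.7.0_windows.wpk - SHA1SUM: 79678fd4ab800879aacd4451a64e799c62688b64
MSG SENT: 297 com open wb wazuh_agent_v3.7.0_windows.wpk
RESPONSE: ok
MSG SENT: 297 com sha1 wazuh_agent_v3.7.0_windows.wpk
RESPONSE: ok 79678fd4ab800879aacd4451a64e799c62688b64
MSG SENT: 297 com upgrade wazuh_agent_v3.7.0_windows.wpk upgrade.bat
RESPONSE: ok 0
MSG SENT: 297 com upgrade_result
RESPONSE: err Maximum attempts exceeded
MSG SENT: 297 com upgrade_result
RESPONSE: err Maximum attempts exceeded
"""
NOT_DELIVERED = """\
WPK file already downloaded: /var/ossec/var/upgrade/wazuh_agent_v3.7.0_windows.wpk - SHA1SUM: 79678fd4ab800879aacd4451a64e799c62688b64
MSG SENT: 298 com open wb wazuh_agent_v3.7.0_windows.wpk
RESPONSE: err Maximum attempts exceeded
"""

MSG = re.compile(r"^MSG SENT: (\d+) com (\S+)")
RESP = re.compile(r"^RESPONSE: (ok|err)\s*(.*)$")
SUM = re.compile(r"SHA1SUM: ([0-9a-f]{40})")

def triage(log):
    """Classify one agent_upgrade debug log by the request that stopped being answered."""
    r = {"agent": None, "failed_cmd": None, "errors": 0, "local_sha1": None, "agent_sha1": None}
    cmd = None
    for line in map(str.strip, log.splitlines()):
        if m := SUM.search(line):            # hash of the WPK on the manager
            r["local_sha1"] = m.group(1)
        elif m := MSG.match(line):           # remember which request is pending
            r["agent"], cmd = m.group(1), m.group(2)
        elif (m := RESP.match(line)) and cmd:
            if m.group(1) == "err":          # request gave up, e.g. "Maximum attempts exceeded"
                r["failed_cmd"], r["errors"] = cmd, r["errors"] + 1
            elif cmd == "sha1":              # agent reports the hash of what it received
                r["agent_sha1"] = m.group(2).strip()
            cmd = None
    if r["agent_sha1"] and r["agent_sha1"] != r["local_sha1"]:
        r["verdict"] = "hash mismatch: agent's copy differs from the manager's WPK"
    elif r["failed_cmd"] == "upgrade_result":
        r["verdict"] = "WPK delivered, agent silent afterwards: check agent ossec.log and client.keys"
    elif r["failed_cmd"]:
        r["verdict"] = "delivery failed: tune remoted.max_attempts / chunk size, or use TCP"
    else:
        r["verdict"] = "no failed request"
    return r

if __name__ == "__main__":
    for sample in (DELIVERED, NOT_DELIVERED):
        print(triage(sample))
```
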


Nicholai Tailor

Dec 24, 2018, 5:55:27 AM12/24/18
to Victor Fernandez, Wazuh mailing list
Hi Victor,

Thank you very much for getting back to me.

I ended up manually updating all 40 machines as this was imperative to get completed.

I will definitely give this a test in my lab.

Thank you very much, hope this helps others as well. I will update my blog notes on this as well.

Cheers

Pedro Sánchez

Jan 14, 2019, 7:48:33 AM1/14/19
to Nicholai Tailor, Victor Fernandez, Wazuh mailing list
Hi Nicholai,

I would like to check on your current deployment status and if you had the chance to test the parameters that Victor sent some days ago.
We are preparing for the 3.8.0 release coming later this week and I would like to help you with the WPK upgrade. I hope this time we can make the WPK remote upgrade work for you.

Best regards,
Pedro.


