problems registering agents

Topper Bowers

May 22, 2017, 5:05:38 AM
to ossec-list
Hi,

My client has a highly dynamic environment and we're using OSSEC (wazuh 1.1.1 release, OSSEC v2.8). When a server spins up, it registers itself as an agent to the server's authd and everything was going ok. However, my client.keys file is now 2048 lines long and no new agents can register. They get an "(internal error)" that we see in the /var/ossec/logs/ossec.log.

We have a process in place to remove inactive agents using the `/var/ossec/bin/manage_agents -r ${ossec_id}` command. And if you use /var/ossec/bin/manage_agents -l only about 100 agents show up. 

I've seen this https://groups.google.com/forum/#!topic/ossec-list/lgFDOlR6zNg and it looks remarkably similar to what we're seeing. However, we don't actually have thousands of active agents. It seems like inactive agents are counting against the limit. Since we have a really dynamic environment with servers going up and down all the time, increasing the limit seems like it's just pushing out the inevitable.

In summary... dynamic environment, can't add new agents, only 100 or so active agents, 2048 lines in client.keys. No other error messages besides "internal error"

Any suggestions?

Thanks!

Topper

Jesus Linares

May 22, 2017, 12:28:39 PM
to ossec-list
Hi,

As you mentioned, it seems that inactive agents are counting for the limit (2048 agents). Run the following commands in order to know the size of the client.keys file:
  • Total lines: `cat /var/ossec/etc/client.keys | wc -l`
  • Active agents: `cat /var/ossec/etc/client.keys | grep -P "^\d+\s*\!" -v | wc -l`
  • Inactive agents: `cat /var/ossec/etc/client.keys | grep -P "^\d+\s*\!" | wc -l`
The solution could be to clean the client.keys (lines with "!") after removing the agent.

Regards.
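
An added example, not part of the original thread or of OSSEC/Wazuh: the three counts from this reply done in one awk pass, plus the highest agent ID, with a non-zero exit status once the number of entries (removed ones included) reaches a limit. The function names, the sample entries and the default limit of 2048 (the figure discussed in this thread) are assumptions.

```shell
#!/bin/sh
# keys_report [FILE|-] [LIMIT]
# Summarise a client.keys file in a single pass. Returns 1 when the number
# of entries, removed ones included, has reached LIMIT (assumed default 2048).
keys_report() {
    awk -v limit="${2:-2048}" '
        /^[ \t]*$/ { next }                         # skip blank lines
        !/^[0-9]+/ { malformed++; next }            # line has no numeric agent ID
        { total++; if ($1 + 0 > max_id) max_id = $1 + 0 }
        /^[0-9]+[ \t]*!/ { removed++; next }        # same pattern as the grep -P test
        { active++ }
        END {
            printf "total=%d active=%d removed=%d malformed=%d max_id=%d\n",
                   total, active, removed, malformed, max_id
            exit (total >= limit ? 1 : 0)
        }
    ' "${1:--}"
}

# Constructed sample in the "ID NAME IP KEY" layout; keys are placeholders.
sample_keys() {
    cat <<'EOF'
001 web-01 any CONSTRUCTED_KEY_1
002 !web-02 any CONSTRUCTED_KEY_2
003 !web-03 any CONSTRUCTED_KEY_3

004 web-04 10.0.0.4 CONSTRUCTED_KEY_4
not-an-entry
EOF
}

# Demo on the constructed sample; on a manager, pass /var/ossec/etc/client.keys.
sample_keys | keys_report - 2048 || echo "client.keys has reached the entry limit"
```
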

Topper Bowers

May 22, 2017, 12:56:10 PM
to ossec...@googlegroups.com

I deleted some of the lines starting with bang (!) but that didn't clear up the problem. My client.keys is now smaller than 2048, but I still can't add agents. I was able to duplicate this problem on a fresh install in Vagrant. Using the bin/manage_agents command I was able to add over 4k clients (and client.keys grew without problem). However, when I try to add a new agent through authd... I get the same internal error problem.

Results of commands:

$ cat /var/ossec/etc/client.keys | wc -l
2032
$ cat /var/ossec/etc/client.keys | grep -P "^\d+\s*\!" -v | wc -l
209
$ cat /var/ossec/etc/client.keys | grep -P "^\d+\s*\!" | wc -l
1823

--

---
You received this message because you are subscribed to a topic in the Google Groups "ossec-list" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ossec-list/k_MFr5aAjRU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ossec-list+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--

Topper Bowers

Engineering
Vitals | 160 Chubb Ave, Suite 301, Lyndhurst, NJ 07071, USA 

M : 646.515.6630

http://www.vitals.com

Jesus Linares

May 22, 2017, 1:19:44 PM
to ossec-list
Hi,

It is a known issue in that version (1.1.1). It is related to the algorithm that assigns an agent ID. This issue is fixed in Wazuh 2.0.

Also, you can use the API to register agents remotely: 1.1.1 and 2.0 API documentation.

Regards.

Topper Bowers

May 23, 2017, 3:51:13 AM
to ossec...@googlegroups.com
Thank you! This is a huge help. The upgrade to 2.0 locally was painless *and* fixed my authd issues. Now to production.


Jesus Linares

May 23, 2017, 4:41:38 AM
to ossec-list