Agent in pending state on XP

Damned Damned

Apr 20, 2021, 11:47:09 AM
to Wazuh mailing list
Hi, I'm trying to install Wazuh on an XP machine without luck.
I'm trying an older version (3.7) because newer versions in my experience have stability problems.
Anyway, the agent install is correct; the status is running with the correct manager IP and authentication key in the GUI.
In Kibana the state is pending, and in the agent log I see a lot of this error:
ossec-agent: INFO: Trying to connect to server (192.168.1.181:1514/tcp).
ossec-agent: INFO: Closing connection to server (192.168.1.181:1514/tcp)
But a telnet on 1514 and 1515 works.
The only version that goes up correctly is 3.12.2, up and running also in Kibana.
I have the same situation on all 3 XP machines that I've tried.
Any hints?

Javier Balmaceda

Apr 20, 2021, 8:32:13 PM
to Wazuh mailing list
Hello Damned,
I think the problem could be in one of these two parts:
  • Does the network protocol (UDP/TCP) match on the manager and the agent side? To check that, take a look at ossec.conf on the agent side and on the manager side and make sure the <protocol> </protocol> is the same on both sides (UDP or TCP).
    For example, if you select TCP as the protocol,
    check this configuration section on the server side:
           <remote>
             <connection>secure</connection>
             <port>1514</port>
             <protocol>tcp</protocol>
             ...
           </remote>

    Check this configuration section on the agent side:
           <client>
             <server>
               ...
               <port>1514</port>
               <protocol>tcp</protocol>
               ...
             </server>
             ...
           </client>
    Both configuration sides should have TCP (or UDP).
  • Isn't the firewall blocking the connection between manager and agent?
You can find more information about the agent life cycle here
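
The comparison suggested in the reply above can be scripted. This is an added example, not part of the original post and not Wazuh code: the function names and both sample configurations are constructed, and an unset <port> or <protocol> is reported instead of guessed, because the value then comes from the installed version's default.

```python
import xml.etree.ElementTree as ET

# Constructed samples: the manager pins tcp, the agent leaves <protocol> unset.
MANAGER_CONF = """<ossec_config>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
  </remote>
</ossec_config>"""
AGENT_CONF = """<ossec_config>
  <client>
    <server>
      <address>192.168.1.181</address>
      <port>1514</port>
    </server>
  </client>
</ossec_config>"""

def _root(text):
    # ossec.conf may hold several <ossec_config> roots; wrap them in one element.
    return ET.fromstring("<wrapper>" + text + "</wrapper>")

def _get(node, tag):
    value = (node.findtext(tag) or "").strip().lower()
    return value or None  # None means the element is missing or empty

def manager_listeners(text):
    """(port, protocol) of every <remote> block whose connection is 'secure'."""
    return [(_get(r, "port"), _get(r, "protocol"))
            for r in _root(text).iter("remote") if _get(r, "connection") == "secure"]

def agent_targets(text):
    """(port, protocol) of every <client><server> block."""
    return [(_get(s, "port"), _get(s, "protocol"))
            for s in _root(text).iterfind(".//client/server")]

def compare(manager_text, agent_text):
    """Return findings; an empty list means both sides are pinned and agree."""
    listeners, targets = manager_listeners(manager_text), agent_targets(agent_text)
    findings = []
    for side, pairs in (("manager", listeners), ("agent", targets)):
        for port, proto in pairs:
            if port is None or proto is None:
                findings.append(f"{side}: port={port} protocol={proto} not set "
                                "explicitly, the installed version's default applies")
    for pair in targets:
        if None not in pair and pair not in listeners:
            findings.append(f"agent sends to {pair}, manager listens on {listeners}")
    return findings
```

Run compare() on the text of the manager's and the agent's ossec.conf; pinning both values on both sides removes the dependence on version defaults.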

Damned Damned

Apr 21, 2021, 3:08:29 AM
to Wazuh mailing list
Unfortunately no. Now I'm testing with a VM, XP without antivirus and firewall. The protocol is always 1514, and the only version that goes up is 3.12.2,
so I think it's not related to the network, or this version wouldn't work either.

Damned Damned

Apr 21, 2021, 4:27:02 AM
to Wazuh mailing list
I found this in /var/ossec/logs/ossec.log.
What does it mean?
I also tried to delete all the keys related to this machine in /var/ossec/etc/client.keys.

2021/04/21 10:22:26 ossec-authd: INFO: New connection from  192.168.1.12
2021/04/21 10:22:26 ossec-authd: INFO: Received request for a new agent (costanti-4a6579) from: 192.168.1.12
2021/04/21 10:22:26 ossec-authd: INFO: Agent key generated for 'costanti-4a6579' (requested by any)
2021/04/21 10:22:27 ossec-remoted: WARNING: (1408): Invalid ID 023 for the source ip: ' 192.168.1.12 ' (name 'unknown').
2021/04/21 10:22:28 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2021/04/21 10:22:34 ossec-remoted: WARNING: (1408): Invalid ID 023 for the source ip: ' 192.168.1.12 ' (name 'unknown').
2021/04/21 10:22:34 ossec-remoted: INFO: (1409): Authentication file changed. Updating.
2021/04/21 10:22:34 ossec-remoted: INFO: (1410): Reading authentication keys file.

Javier Balmaceda

Apr 21, 2021, 9:40:27 AM
to Wazuh mailing list
Great. It is a common mistake that the protocol (UDP/TCP) or the port is different between the manager and the agents; in that case, I think that in Wazuh 3.8 the default protocol is UDP and in Wazuh 3.12 the default is TCP.
You talked about an agent version 3.8; what about the manager version? Is it the same?
From the logs I can see that you have a key issue. It seems that you registered two agents with the same IP, which caused the first key to be deleted, so when you tried to reconnect the agent, this log appeared:

2021/04/21 10:22:34 ossec-remoted: WARNING: (1408): Invalid ID 023 for the source ip: ' 192.168.1.12 ' (name 'unknown').

To fix the problem, stop the agent, authenticate it again, and start it again.
This problem occurs because the Wazuh version is older than 4.0. Since Wazuh 4.0, a new feature named enrollment was implemented. This feature is designed to automatically register agents.
If the agent detects that there are no keys, it will automatically ask the manager for one. Similarly, if communication with the manager fails repeatedly, the agent will consider the keys obsolete and will ask the manager for a new one.
Enrollment references:
https://documentation.wazuh.com/current/user-manual/reference/ossec-conf/client.html#enrollment
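
The log pattern discussed in this reply (a 1408 "Invalid ID" warning for a source IP that has just requested a new key) can be pulled out of the manager log automatically. This is an added example, not part of the original post and not Wazuh code: the function name is hypothetical and the sample input is the set of log lines quoted earlier in the thread.

```python
import re
from datetime import datetime

# Manager log lines quoted earlier in this thread.
LOG = """\
2021/04/21 10:22:26 ossec-authd: INFO: New connection from  192.168.1.12
2021/04/21 10:22:26 ossec-authd: INFO: Received request for a new agent (costanti-4a6579) from: 192.168.1.12
2021/04/21 10:22:26 ossec-authd: INFO: Agent key generated for 'costanti-4a6579' (requested by any)
2021/04/21 10:22:27 ossec-remoted: WARNING: (1408): Invalid ID 023 for the source ip: ' 192.168.1.12 ' (name 'unknown').
2021/04/21 10:22:28 wazuh-modulesd:syscollector: INFO: Starting evaluation.
2021/04/21 10:22:34 ossec-remoted: WARNING: (1408): Invalid ID 023 for the source ip: ' 192.168.1.12 ' (name 'unknown').
2021/04/21 10:22:34 ossec-remoted: INFO: (1409): Authentication file changed. Updating.
2021/04/21 10:22:34 ossec-remoted: INFO: (1410): Reading authentication keys file.
"""

STAMP = r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) "
REQUEST = re.compile(
    STAMP + r"ossec-authd: INFO: Received request for a new agent \((.+?)\) from: (\S+)")
REJECT = re.compile(
    STAMP + r"ossec-remoted: WARNING: \(1408\): Invalid ID (\d+) "
            r"for the source ip: '\s*(\S+?)\s*'")

def _ts(text):
    return datetime.strptime(text, "%Y/%m/%d %H:%M:%S")

def rejected_after_enrollment(log_text):
    """Map source IP -> summary for IPs whose agent ID was rejected (1408)
    at or after a new-agent request from the same IP."""
    requests, report = {}, {}
    for line in log_text.splitlines():
        if m := REQUEST.match(line):
            when, name, ip = m.groups()
            requests.setdefault(ip, []).append((_ts(when), name))
        elif m := REJECT.match(line):
            when, agent_id, ip = m.groups()
            earlier = [n for t, n in requests.get(ip, []) if t <= _ts(when)]
            if earlier:  # the agent still presents an ID the manager rejects
                entry = report.setdefault(
                    ip, {"ids": set(), "count": 0, "names": set()})
                entry["ids"].add(agent_id)
                entry["count"] += 1
                entry["names"].update(earlier)
    return report
```

For each IP in the result, compare the rejected ID with the entry for that agent in /var/ossec/etc/client.keys on the manager and with the key installed on the agent.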

Damned Damned

Apr 22, 2021, 4:18:19 AM
to Wazuh mailing list
Thanks, but that is not the problem.
I think there is a bug with XP and some versions of the agent.
The manager version is 3.12.
So, with agent versions 3.12 and 4.1 all is OK. Unfortunately those agents on XP are not stable, and after some days (or hours) the agent goes down without a visible reason.
I had this stability problem also with Server 2003, but in this case the 3.7 agent version goes up and it's very reliable.
With XP (tried on several PCs) with versions 3.7, 3.8, 3.9 the agent registers on the manager, so the communication on port 1515 is OK, but it can't connect through port 1514, so we are back to my original problem.

Javier Balmaceda

Apr 22, 2021, 10:19:30 AM
to Wazuh mailing list
Let me recommend that you start a problem thread here about this.
I can also recommend that you remove everything and restart with one of the new versions of Wazuh (4.x). As part of the Wazuh team, we work day by day to improve stability and eliminate problems so that the new version is more stable and better than the previous ones.