The wazuh agent is running, but the server is not in the wazuh manager
500 views
Skip to first unread message
Juan Ferdinan
Apr 9, 2023, 10:59:03 PM4/9/23
to Wazuh mailing list
Hi Wazuh Teams
I tried adding a new server for monitoring and the wazuh agent is running too, I tried to telnet <wazuh manager ip> port 1514 and it works, but the server hasn't been successfully added to the wazuh manager, is there a process I missed or is there a specific port that need to be opened again besides 1514?
Thanks & Regards
Juan
Tomas Sarquis
Apr 10, 2023, 4:05:48 AM4/10/23
to Wazuh mailing list
Hi Juan Ferdinan
Let me understand your problem: You've deployed a Wazuh Manager (wazuh-server + wazuh-indexer + wazuh-dashboard) and also a Wazuh Agent who is indeed being enrolled on the manager and being monitored.
The problem is that the Manager himself is not enrolled, right? That should happen automatically after installing it.
Is that the problem? What do you mean by "the server hasn't been successfully added to the wazuh manager"?
Juan Ferdinan
Apr 10, 2023, 5:15:45 AM4/10/23
to Wazuh mailing list
Hi Tomas
Sorry if my explanation is not clear
So like this, my wazuh manager server is running normally, then I want to install the wazuh agent on servers A and B following the guide in this link https://documentation.wazuh.com/current/installation-guide/wazuh-agent/index. html so that it can be monitored using the wazuh manager. Server A successfully installed the wazuh agent and integrated it into the wazuh manager, but when I wanted to do the same thing on server B there was a problem, first, the wazuh agent installation process was successful, second, the wazuh agent service was running and third, server B was not integrated into wow my manager. Is there a process that I missed?
Best Regards
Juan
Tomas Sarquis
Apr 10, 2023, 5:22:18 AM4/10/23
to Wazuh mailing list
Okay Juan, it's better now, thanks!
So, you've followed the very same steps to enroll the first and the second agent? In that case, there should be no problem UNLESS both agents have the same hostname.
Anyway, we can debug this by:
- Restarting the problematic agent: systemctl restart wazuh-agent.service (for Linux-based OS)
- Wait some minutes and see if it's enrolling or not.
- Wait some minutes and see if it's enrolling or not.
- If not, check the logfile: cat <AGENT_INSTALL_DIR>/logs/ossec.log (by default, AGENT_INSTALL_DIR is /var/ossec).
Look for a warning/error message to troubleshoot this. You can as well post the log here (you should hide sensitive information though).
Juan Ferdinan
Apr 10, 2023, 5:41:10 AM4/10/23
to Wazuh mailing list
Hi Tomas
1. So, you've followed the very same steps to enroll the first and the second agent? Yes
2. UNLESS both agents have the same hostname? No
3. Restarting the problematic agent: systemctl restart wazuh-agent.service (for Linux-based OS)
4. check the logfile: cat <AGENT_INSTALL_DIR>/logs/ossec.log (by default, AGENT_INSTALL_DIR is /var/ossec)
2023/04/10 13:56:54 wazuh-agentd: INFO: Requesting a key from server: xx.xx.xx.xx
2023/04/10 13:56:54 wazuh-agentd: INFO: No authentication password provided
2023/04/10 13:56:54 wazuh-agentd: INFO: Using agent name as: hostname_xxx
2023/04/10 13:56:54 wazuh-agentd: INFO: Waiting for server reply
2023/04/10 13:56:54 wazuh-agentd: ERROR: Duplicate agent name: hostname_xxx (from manager)
2023/04/10 13:56:54 wazuh-agentd: ERROR: Unable to add agent (from manager)
2023/04/10 13:56:54 wazuh-agentd: INFO: No authentication password provided
2023/04/10 13:56:54 wazuh-agentd: INFO: Using agent name as: hostname_xxx
2023/04/10 13:56:54 wazuh-agentd: INFO: Waiting for server reply
2023/04/10 13:56:54 wazuh-agentd: ERROR: Duplicate agent name: hostname_xxx (from manager)
2023/04/10 13:56:54 wazuh-agentd: ERROR: Unable to add agent (from manager)
I think I know the cause, is it because there is already the same hostname on my wazuh manager? Then how do I fix it without having to change the hostname on the server?
Best Regards
Juan
Tomas Sarquis
Apr 10, 2023, 5:52:07 AM4/10/23
to Wazuh mailing list
Nice work Juan.
The problem is that you're trying to add an agent with the same hostname as one of your already enrolled agents. The hostname hostname_xxx already exists on your manager's agents. Have in mind that the manager himself is treated as an agent.
This can be verified by listing all the enrolled agents and checking if there's any agent with the same hostname as your "Server B".
The list can be viewed either by entering the Wazuh Dashboard or by running (on manager) the command <MANAGER_INSTALL_DIR>/bin/agent-control -l .
Tomas Sarquis
Apr 10, 2023, 5:59:49 AM4/10/23
to Wazuh mailing list
I forgot to give you the solution if that's the case.
You can set (override), in your agent, the agent name by editing the enrollment section in the ossec.conf file.
<enrollment>
<agent_name>YOUR_NEW_AGENT_NAME</agent_name>
</enrollment>
<agent_name>YOUR_NEW_AGENT_NAME</agent_name>
</enrollment>
Juan Ferdinan
Apr 11, 2023, 8:14:16 AM4/11/23
to Wazuh mailing list
Dear Tomas
thank you for the solution you provided, currently server B is integrated with the wazuh manager and can be monitored
Best Regards
Juan
Reply all
Reply to author
Forward
0 new messages