New agent registration error - Urgent help needed !!!
111 views
Skip to first unread message
Hari ft
Mar 7, 2025, 6:59:37 AM3/7/25
to Wazuh | Mailing List
Dear Team.
I'm not able to register new agents on my Wazuh server. Please find the Wazuh server details below.
Wazuh server - 4.11
Single server configuration (Wazuh indexer, Wazuh manager and Dashboard in one server)
Server is having 4 core 32 gb ram , and hosted in azure
JVM settings - 20 gb
single node with no replica shards
30 days hot, then cold and 180 days deletion for indices
now 290 active agents and 88 in-active agents
the error generated in wazuh agent log is below
2025/03/07 17:08:40 wazuh-agentd: ERROR: SSL read (unable to receive message)
2025/03/07 17:08:40 wazuh-agentd: ERROR: If Agent verification is enabled, agent key and certificates may be incorrect!
2025/03/07 17:08:55 wazuh-agentd: INFO: Requesting a key from server: 172.16.0.41
2025/03/07 17:08:55 wazuh-agentd: INFO: No authentication password provided
2025/03/07 17:08:55 wazuh-agentd: INFO: Using agent name as: CHAV-CI-NGXLB1
2025/03/07 17:08:55 wazuh-agentd: INFO: Waiting for server reply
2025/03/07 17:08:40 wazuh-agentd: ERROR: If Agent verification is enabled, agent key and certificates may be incorrect!
2025/03/07 17:08:55 wazuh-agentd: INFO: Requesting a key from server: 172.16.0.41
2025/03/07 17:08:55 wazuh-agentd: INFO: No authentication password provided
2025/03/07 17:08:55 wazuh-agentd: INFO: Using agent name as: CHAV-CI-NGXLB1
2025/03/07 17:08:55 wazuh-agentd: INFO: Waiting for server reply
Urgent help needed
if more details needed, please ask
Samson Olugbenga Idowu
Mar 7, 2025, 10:06:20 AM3/7/25
to Wazuh | Mailing List
Hello Hari,
From your Wazuh agent logs I can see that the registration key has not been entered by the Wazuh server.
From your Wazuh agent logs I can see that the registration key has not been entered by the Wazuh server.
To fix this, please ensure that ports 1514, 1515, and 55000 are open on the agent endpoint, then restart the Wazuh agent using: sudo systemctl restart wazuh-agent
Regards,
Samson.
Samson.
Hari ft
Mar 8, 2025, 11:10:22 AM3/8/25
to Wazuh | Mailing List
Dear Team,
I have done all basic troubleshooting from our side.
The mentioned ports are working fine.
tried restarting the agent, Wazuh-indexer, dashboard, Wazuh-manager, and the whole Wazuh server. And also restarted the server that contains the Wazuh agent as well.
Nothing fixed the issue. Earlier we were able to register a new agent, but not now.
Nothing special in Wazuh server log as well
Nothing special in Wazuh server log as well
Hari ft
Mar 11, 2025, 4:01:20 AM3/11/25
to Wazuh | Mailing List
Dear Team,
I have tried to add the agent manually using /var/ossec/bin/manage_agents, that worked. And no specific error in the agent side after that.
sudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
I have tried to add the agent manually using /var/ossec/bin/manage_agents, that worked. And no specific error in the agent side after that.
I'll list all the steps below
i have installed agent using
i have installed agent using
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.11.0-1_arm64.deb && sudo WAZUH_MANAGER='172.16.0.41' WAZUH_AGENT_GROUP='test' dpkg -i ./wazuh-agent_4.11.0-1_arm64.deb
sudo systemctl daemon-reloadsudo systemctl enable wazuh-agent
sudo systemctl start wazuh-agent
the log says, tail /var/ossec/logs/ossec.log -n 500
2025/03/11 06:25:00 wazuh-execd: INFO: Started (pid: 3838171).
2025/03/11 06:25:01 wazuh-agentd: INFO: (1410): Reading authentication keys file.
2025/03/11 06:25:01 wazuh-agentd: INFO: Using notify time: 10 and max time to reconnect: 60
2025/03/11 06:25:01 wazuh-agentd: INFO: Version detected -> Linux |test-MUM-ERP-SRV1 |6.5.0-1023-aws |#23~22.04.1-Ubuntu SMP Fri Jun 21 22:58:06 UTC 2024 |aarch64 [Ubuntu|ubuntu: 22.04.4 LTS (Jammy Jellyfish)] - Wazuh v4.11.0
2025/03/11 06:25:01 wazuh-agentd: INFO: (1410): Reading authentication keys file.
2025/03/11 06:25:01 wazuh-agentd: INFO: Using notify time: 10 and max time to reconnect: 60
2025/03/11 06:25:01 wazuh-agentd: INFO: Version detected -> Linux |test-MUM-ERP-SRV1 |6.5.0-1023-aws |#23~22.04.1-Ubuntu SMP Fri Jun 21 22:58:06 UTC 2024 |aarch64 [Ubuntu|ubuntu: 22.04.4 LTS (Jammy Jellyfish)] - Wazuh v4.11.0
2025/03/11 06:25:01 wazuh-agentd: INFO: Started (pid: 3838231).
2025/03/11 06:25:01 wazuh-agentd: INFO: Requesting a key from server: 172.16.0.41
2025/03/11 06:25:01 wazuh-agentd: INFO: No authentication password provided
2025/03/11 06:25:01 wazuh-agentd: INFO: Using agent name as: test-MUM-ERP-SRV1
2025/03/11 06:25:01 wazuh-agentd: INFO: Waiting for server reply
2025/03/11 06:25:01 wazuh-agentd: ERROR: SSL read (unable to receive message)
2025/03/11 06:25:01 wazuh-agentd: ERROR: If Agent verification is enabled, agent key and certificates may be incorrect!
2025/03/11 06:25:01 wazuh-agentd: INFO: Requesting a key from server: 172.16.0.41
2025/03/11 06:25:01 wazuh-agentd: INFO: No authentication password provided
2025/03/11 06:25:01 wazuh-agentd: INFO: Using agent name as: test-MUM-ERP-SRV1
2025/03/11 06:25:01 wazuh-agentd: INFO: Waiting for server reply
2025/03/11 06:25:01 wazuh-agentd: ERROR: SSL read (unable to receive message)
2025/03/11 06:25:01 wazuh-agentd: ERROR: If Agent verification is enabled, agent key and certificates may be incorrect!
after this no agent visible in the wazuh portal, so i have added the agent using /var/ossec/bin/manage_agents and extracted the key. then inserted it on the client server using /var/ossec/bin/manage_agents.
this action added the agent and it went live.
on that time in the ossec log file of wazuh server i saw these errors,
2025/03/11 12:51:05 wazuh-remoted: WARNING: Agent key already in use: agent ID '770'
2025/03/11 12:51:15 wazuh-remoted: WARNING: Agent key already in use: agent ID '770'
2025/03/11 12:51:25 wazuh-remoted: WARNING: Agent key already in use: agent ID '770'
2025/03/11 12:51:35 wazuh-remoted: WARNING: Agent key already in use: agent ID '770'
2025/03/11 12:51:45 wazuh-remoted: WARNING: Agent key already in use: agent ID '770'
2025/03/11 12:51:55 wazuh-remoted: WARNING: Agent key already in use: agent ID '770'
2025/03/11 12:52:05 wazuh-remoted: WARNING: Agent key already in use: agent ID '770'
2025/03/11 12:52:15 wazuh-remoted: WARNING: Agent key already in use: agent ID '770'
2025/03/11 12:52:25 wazuh-remoted: WARNING: Agent key already in use: agent ID '770'
2025/03/11 12:54:24 wazuh-maild: ERROR: (1766): DATA not accepted by server
2025/03/11 12:54:24 wazuh-maild: ERROR: (1263): Error Sending email to 127.0.0.1 (smtp server)
2025/03/11 12:59:32 wazuh-remoted: WARNING: Agent key already in use: agent ID '568'
2025/03/11 13:03:11 wazuh-remoted: WARNING: Agent key already in use: agent ID '770'
2025/03/11 13:03:54 wazuh-remoted: WARNING: Agent key already in use: agent ID '568'
2025/03/11 13:04:00 wazuh-maild: ERROR: (1766): DATA not accepted by server
2025/03/11 13:04:00 wazuh-maild: ERROR: (1263): Error Sending email to 127.0.0.1 (smtp server)
2025/03/11 13:06:32 wazuh-remoted: WARNING: Agent key already in use: agent ID '050'
2025/03/11 13:06:42 wazuh-remoted: WARNING: Agent key already in use: agent ID '050'
2025/03/11 13:06:52 wazuh-remoted: WARNING: Agent key already in use: agent ID '050'
2025/03/11 13:07:02 wazuh-remoted: WARNING: Agent key already in use: agent ID '050'
2025/03/11 13:07:13 wazuh-remoted: WARNING: Agent key already in use: agent ID '050'
2025/03/11 13:07:23 wazuh-remoted: WARNING: Agent key already in use: agent ID '050'
2025/03/11 13:07:33 wazuh-remoted: WARNING: Agent key already in use: agent ID '050'
2025/03/11 13:07:35 wazuh-maild: ERROR: (1766): DATA not accepted by server
2025/03/11 13:07:35 wazuh-maild: ERROR: (1263): Error Sending email to 127.0.0.1 (smtp server)
2025/03/11 13:12:40 wazuh-maild: ERROR: (1766): DATA not accepted by server
2025/03/11 13:12:40 wazuh-maild: ERROR: (1263): Error Sending email to 127.0.0.1 (smtp server)
2025/03/11 13:13:40 wazuh-maild: ERROR: (1766): DATA not accepted by server
2025/03/11 13:13:40 wazuh-maild: ERROR: (1263): Error Sending email to 127.0.0.1 (smtp server)
2025/03/11 13:15:02 wazuh-remoted: WARNING: Agent key already in use: agent ID '698'
2025/03/11 13:16:27 wazuh-remoted: WARNING: Agent key already in use: agent ID '568'
2025/03/11 13:16:49 wazuh-remoted: WARNING: Agent key already in use: agent ID '142'
2025/03/11 13:16:59 wazuh-remoted: WARNING: Agent key already in use: agent ID '142'
2025/03/11 13:17:09 wazuh-remoted: WARNING: Agent key already in use: agent ID '142'
2025/03/11 13:17:19 wazuh-remoted: WARNING: Agent key already in use: agent ID '142'
2025/03/11 12:51:15 wazuh-remoted: WARNING: Agent key already in use: agent ID '770'
2025/03/11 12:51:25 wazuh-remoted: WARNING: Agent key already in use: agent ID '770'
2025/03/11 12:51:35 wazuh-remoted: WARNING: Agent key already in use: agent ID '770'
2025/03/11 12:51:45 wazuh-remoted: WARNING: Agent key already in use: agent ID '770'
2025/03/11 12:51:55 wazuh-remoted: WARNING: Agent key already in use: agent ID '770'
2025/03/11 12:52:05 wazuh-remoted: WARNING: Agent key already in use: agent ID '770'
2025/03/11 12:52:15 wazuh-remoted: WARNING: Agent key already in use: agent ID '770'
2025/03/11 12:52:25 wazuh-remoted: WARNING: Agent key already in use: agent ID '770'
2025/03/11 12:54:24 wazuh-maild: ERROR: (1766): DATA not accepted by server
2025/03/11 12:54:24 wazuh-maild: ERROR: (1263): Error Sending email to 127.0.0.1 (smtp server)
2025/03/11 12:59:32 wazuh-remoted: WARNING: Agent key already in use: agent ID '568'
2025/03/11 13:03:11 wazuh-remoted: WARNING: Agent key already in use: agent ID '770'
2025/03/11 13:03:54 wazuh-remoted: WARNING: Agent key already in use: agent ID '568'
2025/03/11 13:04:00 wazuh-maild: ERROR: (1766): DATA not accepted by server
2025/03/11 13:04:00 wazuh-maild: ERROR: (1263): Error Sending email to 127.0.0.1 (smtp server)
2025/03/11 13:06:32 wazuh-remoted: WARNING: Agent key already in use: agent ID '050'
2025/03/11 13:06:42 wazuh-remoted: WARNING: Agent key already in use: agent ID '050'
2025/03/11 13:06:52 wazuh-remoted: WARNING: Agent key already in use: agent ID '050'
2025/03/11 13:07:02 wazuh-remoted: WARNING: Agent key already in use: agent ID '050'
2025/03/11 13:07:13 wazuh-remoted: WARNING: Agent key already in use: agent ID '050'
2025/03/11 13:07:23 wazuh-remoted: WARNING: Agent key already in use: agent ID '050'
2025/03/11 13:07:33 wazuh-remoted: WARNING: Agent key already in use: agent ID '050'
2025/03/11 13:07:35 wazuh-maild: ERROR: (1766): DATA not accepted by server
2025/03/11 13:07:35 wazuh-maild: ERROR: (1263): Error Sending email to 127.0.0.1 (smtp server)
2025/03/11 13:12:40 wazuh-maild: ERROR: (1766): DATA not accepted by server
2025/03/11 13:12:40 wazuh-maild: ERROR: (1263): Error Sending email to 127.0.0.1 (smtp server)
2025/03/11 13:13:40 wazuh-maild: ERROR: (1766): DATA not accepted by server
2025/03/11 13:13:40 wazuh-maild: ERROR: (1263): Error Sending email to 127.0.0.1 (smtp server)
2025/03/11 13:15:02 wazuh-remoted: WARNING: Agent key already in use: agent ID '698'
2025/03/11 13:16:27 wazuh-remoted: WARNING: Agent key already in use: agent ID '568'
2025/03/11 13:16:49 wazuh-remoted: WARNING: Agent key already in use: agent ID '142'
2025/03/11 13:16:59 wazuh-remoted: WARNING: Agent key already in use: agent ID '142'
2025/03/11 13:17:09 wazuh-remoted: WARNING: Agent key already in use: agent ID '142'
2025/03/11 13:17:19 wazuh-remoted: WARNING: Agent key already in use: agent ID '142'
all these agents are still live and uploading events and data, but still i'm not able to add agents using command like
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.11.0-1_amd64.deb && sudo WAZUH_MANAGER='172.16.0.41' WAZUH_AGENT_GROUP='test' dpkg -i ./wazuh-agent_4.11.0-1_amd64.deb
any one please help
wget https://packages.wazuh.com/4.x/apt/pool/main/w/wazuh-agent/wazuh-agent_4.11.0-1_amd64.deb && sudo WAZUH_MANAGER='172.16.0.41' WAZUH_AGENT_GROUP='test' dpkg -i ./wazuh-agent_4.11.0-1_amd64.deb
any one please help
Samson Olugbenga Idowu
Mar 25, 2025, 4:25:24 PM3/25/25
to Wazuh | Mailing List
Hello,
Try using the enrollment through the Wazuh server API.
This will allow you request the client key from the Wazuh server and import the client key to the Wazuh agent.
Regards,
Samson.
Try using the enrollment through the Wazuh server API.
This will allow you request the client key from the Wazuh server and import the client key to the Wazuh agent.
Regards,
Samson.
Reply all
Reply to author
Forward
0 new messages