Multiple Agent | Default Agent ID 000 | Agent Name | Syslog Integration


John Carry

Jul 5, 2023, 6:31:44 AM
to Wazuh mailing list
Dear Wazuh Team,
Hopefully you are doing great. We have earlier raised our concerns on ticket "Default Agent ID 000 | Agent Name | Syslog Integration".

The use case that we want to achieve is that we have multiple agentless integrations via syslog, and they are enrolled in Wazuh with agent ID = 000 and agent name localhost.

We were earlier suggested a method by Wazuh to change those agent names with sqlite3, using the agent ID field, as below:

Open the global.db file using sqlite3
cd /var/ossec/queue/db/
sqlite3 global.db

-Change the name of the agent in agent table
update agent set name='<new_name>' where id=<agent's_id>;

But the problem we are observing is that we have multiple agentless integrations where multiple agents have the same agent ID, and it's impossible to modify the agent name using the above method.

You are requested to share a method where we can change the agent names by using a unique field like location etc.

John Carry

Jul 5, 2023, 6:45:38 AM
to Wazuh mailing list
As you can see, we have two agents, Firewall and Endpoint security, and both have the same agent name and ID.

John Carry

Jul 5, 2023, 6:51:34 AM
to Wazuh mailing list
Agent-000.png

Sebastian Falcone

Jul 5, 2023, 9:38:41 AM
to Wazuh mailing list
Hello John, it is not possible to have multiple agents with the same ID, as it's the primary key of the database.

All events from agentless devices are registered as ID 000 because it's the Wazuh server ID (see documentation).

John Carry

Jul 5, 2023, 10:44:46 AM
to Wazuh mailing list
Hello Falcone,
You are right, but I am talking about the agentless events...
Is it possible to change the Wazuh server ID from 000 to some custom ID? We have multiple agentless assets and all of them have the same ID, 000, which makes them confusing to identify.

Sebastian Falcone

Jul 5, 2023, 3:39:51 PM
to Wazuh mailing list
Unfortunately it is not possible, but also all the events from those agentless assets will continue to have the same ID.

You can follow this guide, which guides you on how to visualize these events.

John Carry

Jul 6, 2023, 1:57:32 AM
to Wazuh mailing list
Hello Falcone,
Thanks for your confirmation. However, I have followed your provided steps to change the agent name where agent ID is 0, but the change doesn't seem effective.
config.png
logs.PNG

Sebastian Falcone

Jul 7, 2023, 9:57:59 AM
to Wazuh mailing list
Hello John, I am looking into this.

It is not as easy as changing a field on the DB, because other services (filebeat) use these fields to index the data, so you will need to re-index it.

On the other hand, the article I've shared is about visualizing the data, not renaming the agent.

Sebastian Falcone

Jul 7, 2023, 10:48:32 AM
to Wazuh mailing list
John, we currently have an issue with multiple agentless devices (see more information).

On the other hand, if it's possible to install agents on those endpoints, I will suggest the addition of labels. Renaming agents is not supported.
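
An added example, not part of the thread and not Wazuh's own code: since every agentless syslog event is attributed to agent ID 000, this script tells the senders apart by each alert's location field instead of by agent name. The JSON field layout, the sample alerts and the DEVICE_LABELS mapping are constructed assumptions; confirm what the location field contains in your own alerts before relying on it.

```python
import json
from collections import Counter

# Hypothetical mapping from an alert's "location" value to a device label.
DEVICE_LABELS = {
    "192.0.2.10": "Firewall",
    "192.0.2.20": "Endpoint security",
}

# Constructed sample alerts, one JSON object per line (values are illustrative).
SAMPLE_ALERTS = """\
{"agent": {"id": "000", "name": "localhost"}, "location": "192.0.2.10", "rule": {"id": "100001"}}
{"agent": {"id": "000", "name": "localhost"}, "location": "192.0.2.20", "rule": {"id": "100002"}}
{"agent": {"id": "000", "name": "localhost"}, "location": "192.0.2.10", "rule": {"id": "100001"}}
{"agent": {"id": "001", "name": "web01"}, "location": "/var/log/auth.log", "rule": {"id": "100003"}}
{"agent": {"id": "000", "name": "localhost"}, "location": "192.0.2.99", "rule": {"id": "100001"}}
{"agent": {"id": "000", "name": "localh
"""


def count_by_device(lines, labels=DEVICE_LABELS):
    """Count agent-000 alerts per device, keyed by the label for their location."""
    counts = Counter()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            alert = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip truncated or partially written lines
        if not isinstance(alert, dict):
            continue
        # Only events attributed to the server itself (ID 000) are ambiguous.
        if alert.get("agent", {}).get("id") != "000":
            continue
        location = alert.get("location", "")
        # Unknown senders are surfaced rather than merged into a known device.
        counts[labels.get(location, "unmapped:" + location)] += 1
    return dict(counts)


if __name__ == "__main__":
    result = count_by_device(SAMPLE_ALERTS.splitlines())
    for device, total in sorted(result.items()):
        print(f"{device}: {total}")
```

The "unmapped:" entries are the ones to review, since they are senders reporting under ID 000 that nobody has labelled yet.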